mirror of
https://github.com/makeplane/plane.git
synced 2026-07-10 04:25:24 +02:00
The webhook dispatcher validated webhook.url before posting but called requests.post() without allow_redirects=False, so a webhook destination could return a 3xx redirect to an internal address (cloud metadata, internal services) and have the worker fetch it and persist the response body to webhook_logs, readable back via the webhook-logs API. Pass allow_redirects=False so the original validate_url() guard is authoritative. Matches the pattern already used by safe_get() in work_item_link_task.py and the behavior of GitHub/Stripe/Slack webhooks.