generated from host-uk/core-template
Closed
Description
The WebhookEndpoint::createForWorkspace() method and the webhook delivery system do not validate that the webhook URL does not point to internal or private network addresses. This creates a Server-Side Request Forgery (SSRF) vulnerability.
Location
- src/Api/Models/WebhookEndpoint.php:102-118 - createForWorkspace() method
- src/Api/Jobs/DeliverWebhookJob.php:88-91 - HTTP request to arbitrary URLs
Security Impact
An attacker could:
- Register a webhook endpoint pointing to http://127.0.0.1:XXX, http://localhost, http://192.168.x.x, http://10.x.x.x, or http://169.254.169.254 (AWS metadata)
- Trigger events that cause the server to make HTTP requests to internal services
- Potentially access cloud provider metadata endpoints, internal APIs, or scan internal network ports
Recommended Fix
- Create a URL validation service that checks webhook URLs:
  - Block localhost, 127.0.0.1, ::1
  - Block private network ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
  - Block link-local (169.254.x.x)
  - Block cloud metadata endpoints (169.254.169.254)
  - Optionally require HTTPS-only webhooks
  - Resolve DNS and validate the resolved IP is not internal
- Apply validation in WebhookEndpoint::createForWorkspace() and any update methods
Example

```php
<?php

class WebhookUrlValidator
{
    private const BLOCKED_HOSTS = ['localhost', 'localhost.localdomain'];

    public function validate(string $url): bool
    {
        $parsed = parse_url($url);
        // Reject unparseable URLs, URLs without a host, and non-HTTP(S) schemes
        if ($parsed === false || !isset($parsed['host'])
            || !in_array($parsed['scheme'] ?? '', ['http', 'https'], true)) {
            return false;
        }
        $host = strtolower($parsed['host']);

        // Block common localhost names
        if (in_array($host, self::BLOCKED_HOSTS, true)) {
            return false;
        }

        // Resolve and check IP. gethostbyname() returns its input unchanged on
        // failure (and for IP literals), so verify the result really is an address.
        $ip = gethostbyname($host);
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            return false;
        }
        return !$this->isPrivateOrReservedIp($ip);
    }

    private function isPrivateOrReservedIp(string $ip): bool
    {
        // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 and fc00::/7;
        // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16 (incl. 169.254.169.254),
        // 240/4, ::1, :: and fe80::/10.
        return filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
    }
}
```

Priority
High - SSRF vulnerabilities can lead to significant security breaches in cloud environments.
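The validator above checks the URL once, at registration time, and only the first address gethostbyname() returns. Two gaps remain on the delivery side (DeliverWebhookJob): the DNS answer can change between registration and delivery (DNS rebinding), and an HTTP redirect from a public host can point the client at an internal address. The following is an added example, not code from this project, of a delivery-time check that resolves every A/AAAA record, rejects the URL if any of them is private or reserved, and pins the outgoing curl request to the validated address with redirects disabled. The class and method names (SafeWebhookClient, resolveSafeIp, prepareRequest) and the injectable resolver are assumptions; the DNS map at the bottom is constructed so the demonstration runs without network access.

```php
<?php
// Added example (not the project's code): delivery-time SSRF check with IP pinning.
// Class/method names are assumed; the resolver callable is injected so this runs offline.

final class SafeWebhookClient
{
    private const BLOCKED_HOSTS = ['localhost', 'localhost.localdomain'];

    /** @var callable(string): string[]  hostname -> list of resolved IP strings */
    private $resolver;

    public function __construct(?callable $resolver = null)
    {
        // Default resolver asks real DNS for all A and AAAA records.
        $this->resolver = $resolver ?? static function (string $host): array {
            $ips = [];
            foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rr) {
                $ips[] = $rr['ip'] ?? $rr['ipv6'] ?? '';
            }
            return array_values(array_filter($ips));
        };
    }

    public static function isPrivateOrReservedIp(string $ip): bool
    {
        return filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
    }

    /**
     * Re-validates the URL at delivery time. Returns the public IP the request
     * will be pinned to, or null if the URL must not be contacted. Every resolved
     * address must be public: an answer that mixes a public record with a private
     * one (split answers / rebinding) is rejected outright.
     */
    public function resolveSafeIp(string $url): ?string
    {
        $p = parse_url($url);
        if ($p === false || !isset($p['host'])
            || !in_array($p['scheme'] ?? '', ['http', 'https'], true)) {
            return null;
        }
        // parse_url keeps the brackets on IPv6 literals ("[::1]"); strip them for checks.
        $host = strtolower(trim($p['host'], '[]'));
        if (in_array($host, self::BLOCKED_HOSTS, true)) {
            return null;
        }
        // IP literal: check it directly; hostname: check every address it resolves to.
        $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : ($this->resolver)($host);
        if ($ips === []) {
            return null;
        }
        foreach ($ips as $ip) {
            if (self::isPrivateOrReservedIp($ip)) {
                return null;
            }
        }
        return $ips[0];
    }

    /** Builds the curl handle for delivery, or returns null if the URL is unsafe. */
    public function prepareRequest(string $url, string $payload)
    {
        $ip = $this->resolveSafeIp($url);
        if ($ip === null) {
            return null;
        }
        $p = parse_url($url);
        $port = $p['port'] ?? ($p['scheme'] === 'https' ? 443 : 80);
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            // Pin the connection to the address just validated, so a DNS answer that
            // changes between check and connect cannot steer the job to an internal host.
            CURLOPT_RESOLVE => ["{$p['host']}:{$port}:{$ip}"],
            // Never follow redirects: a 302 to an internal address would bypass the check.
            CURLOPT_FOLLOWLOCATION => false,
            CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_POST => true,
            CURLOPT_POSTFIELDS => $payload,
            CURLOPT_CONNECTTIMEOUT => 5,
            CURLOPT_TIMEOUT => 10,
            CURLOPT_RETURNTRANSFER => true,
        ]);
        return $ch;
    }
}

// Constructed DNS map (not real hosts) so the demonstration runs without network access.
$fakeDns = [
    'hooks.example.com'  => ['203.0.113.10'],
    'rebind.example.com' => ['203.0.113.10', '10.0.0.5'],   // mixed public/private answer
    'meta.example.com'   => ['169.254.169.254'],
];
$client = new SafeWebhookClient(fn (string $h) => $fakeDns[$h] ?? []);

foreach ([
    'https://hooks.example.com/receive',
    'https://rebind.example.com/receive',
    'http://meta.example.com/latest/meta-data/',
    'http://127.0.0.1:8080/',
    'http://[::1]/',
    'ftp://hooks.example.com/',
] as $url) {
    $ip = $client->resolveSafeIp($url);
    printf("%-45s %s\n", $url, $ip === null ? 'REJECTED' : "pinned to {$ip}");
}
```

Only the first URL is accepted; the other five are rejected before any connection is opened. The same resolveSafeIp() check can be reused in createForWorkspace() and the update path, with the registration-time call giving early feedback to the user and the delivery-time call in DeliverWebhookJob being the one that actually protects the internal network.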