Resolve "Allow Webhooks to access private addresses/urls"
This MR allows users to configure what URLs and IPs webhooks can use using various env vars. To do so we have exposed a number of black/whitelists provided by the underlying advocate library. Whilst I was adding env vars I also exposed the other webhook settings as requested by a user: #1124 (closed).
Testing Notes
- BASEROW_WEBHOOKS_ALLOW_PRIVATE_ADDRESS=yes ./dev.sh restart --build
  -> Can make webhooks which query http://localhost, http://127.0.0.0 etc
- ./dev.sh restart --build
  -> Still can't make webhooks which query http://localhost, http://127.0.0.0 etc
- BASEROW_WEBHOOKS_URL_REGEX_BLACKLIST='^(?!(www\.)?google\.com).*' ./dev.sh restart --build
  -> Can only make webhooks which target google.com
- BASEROW_WEBHOOKS_IP_WHITELIST=127.0.0.1/32 ./dev.sh restart
  -> Can make a webhook which targets 127.0.0.1:8000 and localhost:8000, but not say 10.8.0.101
- BASEROW_WEBHOOKS_IP_BLACKLIST=127.0.0.0/8 BASEROW_WEBHOOKS_IP_WHITELIST=127.0.0.1/32 ./dev.sh restart
  -> Can make a webhook targeting 127.0.0.1:8000 but not 127.0.0.2:8000
- BASEROW_WEBHOOKS_URL_REGEX_BLACKLIST='^(?!(www\.)?google\.com).*' BASEROW_WEBHOOKS_IP_BLACKLIST=127.0.0.0/8 BASEROW_WEBHOOKS_IP_WHITELIST=127.0.0.1/32 ./dev.sh restart
  -> Can't make a webhook targeting 127.0.0.1:8000 as it doesn't pass the check
- BASEROW_WEBHOOKS_URL_REGEX_BLACKLIST='^(?!(www\.)?localhost).*' BASEROW_WEBHOOKS_IP_BLACKLIST=127.0.0.0/8 BASEROW_WEBHOOKS_IP_WHITELIST=127.0.0.1/32 ./dev.sh restart
  -> Can make a webhook targeting http://localhost
- BASEROW_WEBHOOKS_URL_REGEX_BLACKLIST='^(?!127\.0\.0\.1).*' BASEROW_WEBHOOKS_IP_BLACKLIST=127.0.0.0/8 BASEROW_WEBHOOKS_IP_WHITELIST=127.0.0.1/32 ./dev.sh restart
  -> Can make a webhook targeting 127.0.0.1:8000
Validation Testing
- BASEROW_WEBHOOKS_URL_REGEX_BLACKLIST=[ ./dev.sh restart
  -> Crashes on startup with regex error
- BASEROW_WEBHOOKS_IP_BLACKLIST=notanip ./dev.sh restart
  -> Crashes on startup
- BASEROW_WEBHOOKS_IP_WHITELIST=notanip ./dev.sh restart
  -> Crashes on startup
Merge Request Checklist
- changelog.md has been updated if required
Closes #931 (closed)
Closes #1124 (closed)
Edited by Nigel Gott
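The following is an added example, not code from this MR, Baserow or the advocate library: a small Python model of the order of checks that the testing notes above imply. It assumes comma-separated settings, that the URL regex blacklist is matched against the hostname, and that the caller supplies the already-resolved IP (constructed sample values) so it runs offline; `load_rules` and `target_allowed` are hypothetical names.

```python
import ipaddress
import re
from urllib.parse import urlsplit

def load_rules(env):
    """Parse the settings once; a bad regex or network raises here, at startup."""
    def items(key):  # assumption: values are comma-separated
        return [v for v in env.get(key, "").split(",") if v]
    return {
        "regex": [re.compile(p) for p in items("BASEROW_WEBHOOKS_URL_REGEX_BLACKLIST")],
        "deny": [ipaddress.ip_network(n) for n in items("BASEROW_WEBHOOKS_IP_BLACKLIST")],
        "allow": [ipaddress.ip_network(n) for n in items("BASEROW_WEBHOOKS_IP_WHITELIST")],
        "private_ok": env.get("BASEROW_WEBHOOKS_ALLOW_PRIVATE_ADDRESS") == "yes",
    }

def target_allowed(url, resolved_ip, rules):
    """Hypothetical model of the order of checks seen in the testing notes."""
    host = urlsplit(url).hostname or ""
    # Assumption: the URL regex blacklist is matched against the hostname.
    if any(p.match(host) for p in rules["regex"]):
        return False
    ip = ipaddress.ip_address(resolved_ip)
    if any(ip in net for net in rules["allow"]):  # whitelist beats blacklist
        return True
    if any(ip in net for net in rules["deny"]):
        return False
    # With no explicit rule, private and loopback targets are refused by default.
    return rules["private_ok"] or not (ip.is_private or ip.is_loopback)

# The negative-lookahead "blacklist" from the notes: blocks every host that
# does not start with google.com or www.google.com.
GOOGLE_ONLY = r"^(?!(www\.)?google\.com).*"

if __name__ == "__main__":
    rules = load_rules({
        "BASEROW_WEBHOOKS_URL_REGEX_BLACKLIST": GOOGLE_ONLY,
        "BASEROW_WEBHOOKS_IP_BLACKLIST": "127.0.0.0/8",
        "BASEROW_WEBHOOKS_IP_WHITELIST": "127.0.0.1/32",
    })
    # Constructed samples: (url, IP the hostname is assumed to resolve to).
    for url, ip in [("http://127.0.0.1:8000", "127.0.0.1"),
                    ("http://google.com", "8.8.8.8"),
                    ("http://google.com.example", "8.8.8.8")]:
        print(url, "->", target_allowed(url, ip, rules))
```

The lookahead in `GOOGLE_ONLY` only checks a prefix, so in this model a hostname such as `google.com.example` is not blacklisted either; writing the pattern as `^(?!(www\.)?google\.com$).*` restricts the exemption to the exact hostnames.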