
Resolve "Allow Webhooks to access private addresses/urls"

This MR allows users to configure what URLs and IPs webhooks can use using various env vars. To do so we have exposed a number of black/whitelists provided by the underlying advocate library. Whilst I was adding env vars I also exposed the other webhook settings as requested by a user: #1124 (closed).

Testing Notes

  1. BASEROW_WEBHOOKS_ALLOW_PRIVATE_ADDRESS=yes ./dev.sh restart --build -> Can make webhooks which query http://localhost, http://127.0.0.0 etc
  2. ./dev.sh restart --build -> Still can't make webhooks which query http://localhost, http://127.0.0.0 etc
  3. BASEROW_WEBHOOKS_URL_REGEX_BLACKLIST=^(?!(www\.)?google\.com).* ./dev.sh restart --build -> Can only make webhooks which target google.com
  4. BASEROW_WEBHOOKS_IP_WHITELIST=127.0.0.1/32 ./dev.sh restart -> Can make a webhook which targets 127.0.0.1:8000 and localhost:8000, but not say 10.8.0.101
  5. BASEROW_WEBHOOKS_IP_BLACKLIST=127.0.0.0/8 BASEROW_WEBHOOKS_IP_WHITELIST=127.0.0.1/32 ./dev.sh restart -> Can make a webhook targeting 127.0.0.1:8000 but not 127.0.0.2:8000
  6. BASEROW_WEBHOOKS_URL_REGEX_BLACKLIST=^(?!(www\.)?google\.com).* BASEROW_WEBHOOKS_IP_BLACKLIST=127.0.0.0/8 BASEROW_WEBHOOKS_IP_WHITELIST=127.0.0.1/32 ./dev.sh restart -> Can't make a webhook targeting 127.0.0.1:8000 as it doesn't pass the check
  7. BASEROW_WEBHOOKS_URL_REGEX_BLACKLIST=^(?!(www\.)?localhost).* BASEROW_WEBHOOKS_IP_BLACKLIST=127.0.0.0/8 BASEROW_WEBHOOKS_IP_WHITELIST=127.0.0.1/32 ./dev.sh restart -> Can make a webhook targeting http://localhost
  8. BASEROW_WEBHOOKS_URL_REGEX_BLACKLIST=^(?!127\.0\.0\.1).* BASEROW_WEBHOOKS_IP_BLACKLIST=127.0.0.0/8 BASEROW_WEBHOOKS_IP_WHITELIST=127.0.0.1/32 ./dev.sh restart -> Can make a webhook targeting 127.0.0.1:8000

Validation Testing

  1. BASEROW_WEBHOOKS_URL_REGEX_BLACKLIST=[ ./dev.sh restart -> Crashes on startup with regex error
  2. BASEROW_WEBHOOKS_IP_BLACKLIST=notanip ./dev.sh restart -> Crashes on startup
  3. BASEROW_WEBHOOKS_IP_WHITELIST=notanip ./dev.sh restart -> Crashes on startup

Merge Request Checklist

Closes #931 (closed)

Closes #1124 (closed)

Edited by Nigel Gott
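
The precedence between the three lists that the testing notes exercise, as an added example that is not Baserow's or advocate's code. `WebhookPolicy` is a hypothetical name; the order of checks and the matching of regexes against the hostname are assumptions inferred from notes 3 to 8, and the resolved IP is supplied by the caller.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class WebhookPolicy:
    """Hypothetical model of the webhook allow/deny settings."""
    url_regex_blacklist: list = field(default_factory=list)
    ip_blacklist: list = field(default_factory=list)
    ip_whitelist: list = field(default_factory=list)
    allow_private_address: bool = False

    def __post_init__(self):
        # Parse everything up front so a bad value fails at construction,
        # like the startup crashes under "Validation Testing".
        self._regexes = [re.compile(r) for r in self.url_regex_blacklist]
        self._black = [ipaddress.ip_network(n) for n in self.ip_blacklist]
        self._white = [ipaddress.ip_network(n) for n in self.ip_whitelist]

    def allows(self, hostname, resolved_ip):
        ip = ipaddress.ip_address(resolved_ip)
        # Assumption (notes 3, 6, 8): a hostname regex match blocks the
        # request even when the IP is whitelisted.
        if any(r.match(hostname) for r in self._regexes):
            return False
        # Assumption (note 5): the IP whitelist overrides the IP blacklist.
        if any(ip in net for net in self._white):
            return True
        if any(ip in net for net in self._black):
            return False
        if self.allow_private_address:
            return True
        # Default (note 2): private, loopback and link-local targets are denied.
        return not (ip.is_private or ip.is_loopback or ip.is_link_local)


if __name__ == "__main__":
    # Constructed cases reproducing notes 5 and 6.
    note5 = WebhookPolicy(ip_blacklist=["127.0.0.0/8"],
                          ip_whitelist=["127.0.0.1/32"])
    print(note5.allows("127.0.0.1", "127.0.0.1"))  # whitelisted host
    print(note5.allows("127.0.0.2", "127.0.0.2"))  # blacklisted neighbour
    note6 = WebhookPolicy(url_regex_blacklist=[r"^(?!(www\.)?google\.com).*"],
                          ip_blacklist=["127.0.0.0/8"],
                          ip_whitelist=["127.0.0.1/32"])
    print(note6.allows("127.0.0.1", "127.0.0.1"))  # regex match wins
```
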
