fix: prevent use of local ips on webhooks #20487

Merged (10 commits, Jun 18, 2024)
Conversation

@Marc-Roig (Contributor) commented Jun 10, 2024

Fix for GHSA-v8wj-f5c7-pvxf

Prevents local IPs from being used on webhooks.

Users will see the following error if they try to use one:

[screenshot of the validation error]

Notes

V5 migration should be straightforward on the BE side, but we will need to check on the FE side whether errors are being displayed on the Webhooks settings page.

@Marc-Roig Marc-Roig self-assigned this Jun 10, 2024
@Marc-Roig Marc-Roig marked this pull request as draft June 10, 2024 15:38
@Marc-Roig (Contributor, Author) commented:

Let me know your opinion on this approach before I commit to some UI changes and API tests.

vercel bot commented Jun 10, 2024

The latest updates on your projects.

Name | Status | Preview | Comments | Updated (UTC)
contributor-docs | ❌ Failed (Inspect) | | | Jun 18, 2024 10:36am

@derrickmehaffy (Member) left a comment:

I'll run some tests tomorrow, but if nothing is on the internal IP+port it may not have a status code.

@Marc-Roig (Contributor, Author) commented:

@derrickmehaffy I believe the fetch API returns a 500 by default if the port is not found, or at least guarantees the status code is present on the response.

@Marc-Roig (Contributor, Author) commented:

After a discussion with Alex, we decided to just prevent local IPs from being used in webhook settings.

@Marc-Roig Marc-Roig marked this pull request as ready for review June 12, 2024 15:05
@Marc-Roig (Contributor, Author) commented Jun 12, 2024:

I am now working on some API tests, but the logic should be ready (thank you Remi! 🚀)

@Marc-Roig Marc-Roig requested a review from remidej June 13, 2024 08:49
@Marc-Roig Marc-Roig changed the title from "chore: mask error on webhook manual trigger" to "fix: prevent use of local ips on webhooks" Jun 13, 2024
@remidej (Contributor) left a comment:

Tested ✅

    .test(
      'is-public-url',
      "Url is not supported because it isn't reachable over the public internet",
      async (url) => {
Member commented:

Aren't we supposed to prevent this only in production env?

Marc-Roig (Contributor, Author) commented:

Oops, yes! I added the if case.

Member commented:

🤔 I think we might want !== production in case we are doing tests, for example.

Marc-Roig (Contributor, Author) commented:

Done!


    try {
      const parsedUrl = new URL(url!);
      const isLocalUrl = await isLocalhostIp(parsedUrl.hostname);
@innerdvations (Contributor) commented Jun 17, 2024:

To be completely safe you need to use punycode on the URL first, since is-localhost-ip doesn't support international character sets by default. Otherwise someone could, for example, use an internationalized domain name pointed at 127.0.0.1 to achieve the same effect.

@innerdvations (Contributor) commented:

This could be considered a breaking change, because there are probably users making use of this as a hack to call local scripts, so I think we should include a release note about the change with a link to the right way of doing it.

@innerdvations (Contributor) left a comment:

I didn't QA, but the code looks good now!

github-actions bot commented Jun 18, 2024

Size Change: +18 B (0%)
Total Size: 1.31 MB

Filename | Size | Change
examples/getstarted/build/main.********.js | 1.31 MB | +17 B (0%)

Unchanged:

Filename | Size | Change
examples/getstarted/build/bb4d0d527bdfb161bc5a.svg | 2.28 kB | 0 B
examples/getstarted/build/index.html | 605 B | -1 B (-0.17%)
examples/getstarted/build/runtime~main.********.js | 4.25 kB | +2 B (+0.05%)

compressed-size-action

@Marc-Roig Marc-Roig merged commit 0b1222e into develop Jun 18, 2024
143 of 144 checks passed
@Marc-Roig Marc-Roig deleted the fix/webhooks-trigger branch June 18, 2024 12:12
Labels: pr: fix (This PR is fixing a bug), source: core:admin (Source is core/admin package)