
Conversation

wxiaoguang (Contributor) commented Nov 1, 2021

Backport #17482 (as requested in the PR)

For security reasons, the webhook should only send requests to allowed hosts.

This PR introduces a setting option:

  • ALLOWED_HOST_LIST (default: external): Webhook can only call allowed hosts for security reasons. Comma separated list: loopback, private, external, or *, or CIDR list (1.2.3.0/8), or wildcard hosts (*.mydomain.com)
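To make the semantics of that setting concrete, here is an added example of a small host allow-list in Go. It is illustrative code written for this page, not Gitea's own hostmatcher, and it makes two assumptions that are labelled in the comments: what address ranges "private" covers (RFC 1918, IPv6 ULA and link-local, so the 169.254.169.254 cloud metadata address counts as private), and that a wildcard pattern such as `*.mydomain.com` matches sub-domains only. The resolved addresses are passed in by the caller so the example runs offline; the type and function names (`HostMatchList`, `ParseHostMatchList`, `Allowed`) are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// HostMatchList is a hypothetical allow-list in the spirit of ALLOWED_HOST_LIST:
// built-in names (loopback, private, external, *), CIDR ranges and host patterns.
// Added example code, not Gitea's implementation.
type HostMatchList struct {
	builtin  map[string]bool
	ipNets   []*net.IPNet
	patterns []string // lower-cased, exact names or "*.suffix"
}

// privateNets is an assumption for what "private" means here: RFC 1918, IPv6 ULA
// and both link-local ranges (which cover the 169.254.169.254 metadata address).
var privateNets = mustCIDRs("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "fc00::/7", "fe80::/10")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ParseHostMatchList parses the comma separated setting value. A malformed CIDR
// is an error rather than a silently ignored entry.
func ParseHostMatchList(setting string) (*HostMatchList, error) {
	hl := &HostMatchList{builtin: map[string]bool{}}
	for _, item := range strings.Split(setting, ",") {
		item = strings.ToLower(strings.TrimSpace(item))
		switch {
		case item == "":
			continue
		case item == "loopback" || item == "private" || item == "external" || item == "*":
			hl.builtin[item] = true
		case strings.Contains(item, "/"):
			_, n, err := net.ParseCIDR(item)
			if err != nil {
				return nil, fmt.Errorf("ALLOWED_HOST_LIST: bad CIDR %q: %w", item, err)
			}
			hl.ipNets = append(hl.ipNets, n)
		default:
			hl.patterns = append(hl.patterns, item)
		}
	}
	return hl, nil
}

// MatchIP applies the built-in classes and the CIDR entries to one address.
// "external" is everything that is neither loopback, private nor unspecified.
func (hl *HostMatchList) MatchIP(ip net.IP) bool {
	if ip == nil {
		return false
	}
	if hl.builtin["*"] {
		return true
	}
	loopback, private := ip.IsLoopback(), inAny(ip, privateNets)
	switch {
	case hl.builtin["loopback"] && loopback,
		hl.builtin["private"] && private,
		hl.builtin["external"] && !loopback && !private && !ip.IsUnspecified():
		return true
	}
	return inAny(ip, hl.ipNets)
}

// MatchHostName applies the host patterns. Assumption: "*.example.com" matches
// any sub-domain of example.com but not the bare "example.com" itself.
func (hl *HostMatchList) MatchHostName(host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if hl.builtin["*"] {
		return true
	}
	for _, p := range hl.patterns {
		if p == host || (strings.HasPrefix(p, "*.") && strings.HasSuffix(host, p[1:])) {
			return true
		}
	}
	return false
}

// Allowed decides whether a webhook may be delivered to host, given the addresses
// the caller resolved it to. An IP literal is checked directly; a name matching a
// pattern is allowed outright; otherwise EVERY resolved address must pass MatchIP,
// so a DNS answer mixing a public address with an internal one is rejected.
func (hl *HostMatchList) Allowed(host string, resolved []net.IP) bool {
	if ip := net.ParseIP(host); ip != nil {
		return hl.MatchIP(ip)
	}
	if hl.MatchHostName(host) {
		return true
	}
	if len(resolved) == 0 {
		return false
	}
	for _, ip := range resolved {
		if !hl.MatchIP(ip) {
			return false
		}
	}
	return true
}

func main() {
	hl, err := ParseHostMatchList("external, 10.1.0.0/16, *.hooks.example.com")
	if err != nil {
		panic(err)
	}
	// Constructed sample targets with constructed "resolved" addresses; no DNS is done.
	fmt.Println(hl.Allowed("ci.hooks.example.com", nil))                                            // true: pattern
	fmt.Println(hl.Allowed("169.254.169.254", nil))                                                 // false: private
	fmt.Println(hl.Allowed("vendor.example.org", []net.IP{net.ParseIP("203.0.113.7"), net.ParseIP("192.168.1.5")})) // false: mixed answer
}
```

Deciding on the resolved addresses rather than the name alone is the design choice worth copying: a name that resolves to an internal address is how a webhook becomes a server-side request forgery primitive, and an allow-list that only inspects the host string does not stop it.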

@wxiaoguang wxiaoguang added this to the 1.15.7 milestone Nov 1, 2021
@wxiaoguang wxiaoguang added type/enhancement An improvement of existing functionality topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! labels Nov 1, 2021
delvh (Member) left a comment


I do have to wonder: What are the three extra lines you deleted?

@GiteaBot GiteaBot added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Nov 1, 2021
wxiaoguang (Contributor, Author) replied

@delvh

I do have to wonder: What are the three extra lines you deleted?

"the three extra lines you deleted": What lines do you mean?

delvh (Member) commented Nov 2, 2021

#17482: +284 −23 lines
#17510: +284 −26 lines

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Nov 5, 2021
zeripath (Contributor) commented Nov 5, 2021

@lafriks awaiting your review

@zeripath zeripath merged commit 20ae184 into go-gitea:release/v1.15 Nov 6, 2021
@wxiaoguang wxiaoguang deleted the backport-webhook-request branch November 6, 2021 10:23
@go-gitea go-gitea locked and limited conversation to collaborators Apr 28, 2022
7 participants