tenseleyflow/shithub / c2d90a4

-// Package webhook owns outbound webhook delivery: signing, SSRF

-// defense, retry/backoff, and the deliverer + fanout workers.

-//

-// SSRF philosophy: webhooks point at attacker-controlled URLs by

-// design. The defense pattern is documented in `docs/internal/webhooks.md`

-// and enforced in this file:

-//

-//  1. Resolve the hostname to a set of IPs.

-//  2. Reject the request if ANY resolved IP is in a private/loopback/

-//     link-local/etc. range — even if other IPs would have been fine.

-//     A mixed-result hostname is suspicious enough to refuse.

-//  3. Pick a public IP and dial it directly, passing the original

-//     hostname for SNI / Host header. This defeats DNS-rebinding

-//     because the IP we validated is the IP we connect to (no second

-//     resolve at dial time).

-//  4. Reject schemes other than http/https and ports outside the

-//     well-known web ports unless the operator allow-listed them.

-	"context"

-	"errors"

-	"fmt"

-	"net"

-	"net/http"

-	"net/url"

-	"strconv"

-	"time"

-// SSRFError describes why a URL was rejected pre-flight or at dial

-// time. The error string is operator-friendly; we don't surface the

-// exact reason to the deliverer's external counterpart so the message

-// stays in our own logs / UI.

-type SSRFError struct {

-	URL    string

-	Reason string

-}

-

-func (e *SSRFError) Error() string { return fmt.Sprintf("ssrf: %s: %s", e.Reason, e.URL) }

-

-// SSRFConfig tunes the defense. Defaults are safe for a single-tenant

-// public deployment; self-hosters extend AllowedHosts / AllowedPorts

-// when delivering to internal CI behind a private IP.

-type SSRFConfig struct {

-	// AllowedSchemes restricts URL schemes. Default ["http", "https"].

-	AllowedSchemes []string

-	// AllowedPorts is the set of TCP ports the deliverer is willing to

-	// dial. Defaults to {80, 443, 8080, 8443}; operators add internal

-	// ports here.

-	AllowedPorts []int

-	// AllowPrivateNetworks, when true, skips the IP block-list. Use ONLY

-	// with a paired AllowedHosts list — the combination lets a self-

-	// hoster point a webhook at `ci.internal` while still rejecting any

-	// other hostname that would resolve to a private IP.

-	AllowPrivateNetworks bool

-	// AllowedHosts is a hostname allow-list. When non-empty AND a

-	// hostname matches, AllowPrivateNetworks is implicitly applied for

-	// that hostname only. Match is exact (no wildcards) and case-

-	// insensitive.

-	AllowedHosts []string

-	// DialTimeout caps the per-dial connect time. Default 10s.

-	DialTimeout time.Duration

-	// RequestTimeout caps the total request time (connect + read).

-	// Default 30s per the spec.

-	RequestTimeout time.Duration

-	// Resolver is plumbed for tests. nil => net.DefaultResolver.

-	Resolver *net.Resolver

-}

-

-// DefaultSSRFConfig returns the production defaults. Callers add to

-// the slices as needed; the zero-value SSRFConfig is also valid (it

-// will pick the same defaults at validation time).

-func DefaultSSRFConfig() SSRFConfig {

-	return SSRFConfig{

-		AllowedSchemes: []string{"http", "https"},

-		AllowedPorts:   []int{80, 443, 8080, 8443},

-		DialTimeout:    10 * time.Second,

-		RequestTimeout: 30 * time.Second,

-	}

-}

-

-// HTTPClient returns an *http.Client configured with the SSRF-safe

-// dialer. The transport intentionally disables redirect-following:

-// 3xx is treated as success and a redirect target's IP would otherwise

-// bypass our pre-flight check.

-func (c SSRFConfig) HTTPClient() *http.Client {

-	cfg := c.applyDefaults()

-	tr := &http.Transport{

-		DialContext:           cfg.dialContext,

-		ResponseHeaderTimeout: cfg.RequestTimeout,

-		ForceAttemptHTTP2:     false,

-		// No keep-alive across deliveries — webhooks are sparse and

-		// connection reuse complicates the validate-then-dial chain.

-		DisableKeepAlives: true,

-	}

-	return &http.Client{

-		Transport: tr,

-		Timeout:   cfg.RequestTimeout,

-		CheckRedirect: func(*http.Request, []*http.Request) error {

-			return http.ErrUseLastResponse

-		},

-	}

-}

-

-// Validate checks the URL shape (scheme/port/host) without resolving

-// DNS. Returns *SSRFError on rejection. The deliverer also re-resolves

-// at dial time inside dialContext to defeat rebinding.

-func (c SSRFConfig) Validate(rawURL string) error {

-	cfg := c.applyDefaults()

-	u, err := url.Parse(rawURL)

-	if err != nil {

-		return &SSRFError{URL: rawURL, Reason: "malformed URL"}

-	}

-	if !stringSetContains(cfg.AllowedSchemes, u.Scheme) {

-		return &SSRFError{URL: rawURL, Reason: "scheme " + u.Scheme + " not allowed"}

-	}

-	host := u.Hostname()

-	if host == "" {

-		return &SSRFError{URL: rawURL, Reason: "missing host"}

-	}

-	port := u.Port()

-	if port == "" {

-		switch u.Scheme {

-		case "http":

-			port = "80"

-		case "https":

-			port = "443"

-		}

-	}

-	pn, perr := strconv.Atoi(port)

-	if perr != nil || pn <= 0 || pn > 65535 {

-		return &SSRFError{URL: rawURL, Reason: "invalid port"}

-	}

-	if !intSetContains(cfg.AllowedPorts, pn) {

-		return &SSRFError{URL: rawURL, Reason: "port " + port + " not in allow-list"}

-	}

-	return nil

-}

-

-// dialContext is the SSRF-safe dialer. It re-resolves the hostname at

-// dial time, validates every returned IP, and connects to the first

-// allowed IP using the original hostname for SNI.

-func (c SSRFConfig) dialContext(ctx context.Context, network, addr string) (net.Conn, error) {

-	host, port, err := net.SplitHostPort(addr)

-	if err != nil {

-		return nil, &SSRFError{URL: addr, Reason: "split host:port: " + err.Error()}

-	}

-	pn, _ := strconv.Atoi(port)

-	if !intSetContains(c.AllowedPorts, pn) {

-		return nil, &SSRFError{URL: addr, Reason: "port " + port + " not in allow-list"}

-	}

-

-	hostAllowed := stringSetContainsFold(c.AllowedHosts, host)

-	resolver := c.Resolver

-	if resolver == nil {

-		resolver = net.DefaultResolver

-	}

-	ips, err := resolver.LookupIPAddr(ctx, host)

-	if err != nil {

-		return nil, &SSRFError{URL: addr, Reason: "DNS resolve: " + err.Error()}

-	}

-	if len(ips) == 0 {

-		return nil, &SSRFError{URL: addr, Reason: "no IPs resolved"}

-	}

-	// Reject if ANY IP is forbidden — a mixed-result hostname is

-	// suspicious enough to refuse. The exception is when the host is

-	// allow-listed (self-hoster scenario).

-	for _, ipa := range ips {

-		if !hostAllowed && !c.AllowPrivateNetworks && isForbiddenIP(ipa.IP) {

-			return nil, &SSRFError{URL: addr, Reason: "resolved to forbidden IP " + ipa.IP.String()}

-		}

-	}

-	// Dial the first IP. We pass the literal IP so the dialer doesn't

-	// re-resolve under us; the URL's Host header (set by net/http) keeps

-	// the original hostname for routing/SNI.

-	dialer := &net.Dialer{Timeout: c.DialTimeout}

-	dialAddr := net.JoinHostPort(ips[0].IP.String(), port)

-	return dialer.DialContext(ctx, network, dialAddr)

-}

-

-// applyDefaults fills in zero-value fields with defaults. Returns a

-// copy so the caller's struct stays unchanged.

-func (c SSRFConfig) applyDefaults() SSRFConfig {

-	def := DefaultSSRFConfig()

-	if len(c.AllowedSchemes) == 0 {

-		c.AllowedSchemes = def.AllowedSchemes

-	}

-	if len(c.AllowedPorts) == 0 {

-		c.AllowedPorts = def.AllowedPorts

-	}

-	if c.DialTimeout == 0 {

-		c.DialTimeout = def.DialTimeout

-	}

-	if c.RequestTimeout == 0 {

-		c.RequestTimeout = def.RequestTimeout

-	}

-	return c

-}

-

-// isForbiddenIP returns true if the IP belongs to any of the ranges

-// the spec marks as off-limits.

-func isForbiddenIP(ip net.IP) bool {

-	if ip == nil {

-		return true

-	}

-	if ip.IsUnspecified() || ip.IsLoopback() || ip.IsLinkLocalUnicast() ||

-		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||

-		ip.IsMulticast() {

-		return true

-	}

-	// IPv4 RFC 1918 + CGNAT (100.64/10) + broadcast + the autoconf

-	// 169.254/16 range (already covered by IsLinkLocalUnicast but

-	// belt-and-braces).

-	if ip4 := ip.To4(); ip4 != nil {

-		switch {

-		case ip4[0] == 10:

-			return true

-		case ip4[0] == 172 && ip4[1] >= 16 && ip4[1] <= 31:

-			return true

-		case ip4[0] == 192 && ip4[1] == 168:

-			return true

-		case ip4[0] == 100 && ip4[1] >= 64 && ip4[1] <= 127:

-			return true

-		case ip4[0] == 169 && ip4[1] == 254:

-			return true

-		case ip4[0] == 0:

-			return true

-		case ip4[0] == 255:

-			return true

-		}

-		return false

-	}

-	// IPv6 unique-local addresses (fc00::/7) — covers fd00::/8 too.

-	if len(ip) == net.IPv6len && (ip[0]&0xfe) == 0xfc {

-		return true

-	}

-	return false

-}

-

-func stringSetContains(set []string, v string) bool {

-	for _, s := range set {

-		if s == v {

-			return true

-		}

-	}

-	return false

-}

-

-func stringSetContainsFold(set []string, v string) bool {

-	for _, s := range set {

-		if equalFold(s, v) {

-			return true

-		}

-	}

-	return false

-}

-func equalFold(a, b string) bool {

-	if len(a) != len(b) {

-		return false

-	}

-	for i := 0; i < len(a); i++ {

-		ca, cb := a[i], b[i]

-		if 'A' <= ca && ca <= 'Z' {

-			ca += 'a' - 'A'

-		}

-		if 'A' <= cb && cb <= 'Z' {

-			cb += 'a' - 'A'

-		}

-		if ca != cb {

-			return false

-		}

-	}

-	return true

-}

-func intSetContains(set []int, v int) bool {

-	for _, s := range set {

-		if s == v {

-			return true

-		}

-	}

-	return false

-}

-func IsSSRF(err error) bool {

-	var s *SSRFError

-	return errors.As(err, &s)

-}

-// SPDX-License-Identifier: AGPL-3.0-or-later

-

-package webhook

-

-import (

-	"net"

-	"strings"

-	"testing"

-)

-

-func TestValidateRejectsBadShapes(t *testing.T) {

-	c := DefaultSSRFConfig()

-	cases := []struct {

-		name, url, wantSubstr string

-	}{

-		{"empty", "", "scheme  not allowed"},

-		{"file scheme", "file:///etc/passwd", "scheme file not allowed"},

-		{"ftp scheme", "ftp://example.com/", "scheme ftp not allowed"},

-		{"missing host", "http:///path", "missing host"},

-		{"non-allowed port", "http://example.com:9999/x", "port 9999"},

-	}

-	for _, tc := range cases {

-		t.Run(tc.name, func(t *testing.T) {

-			err := c.Validate(tc.url)

-			if err == nil {

-				t.Fatalf("Validate(%q) = nil; want SSRFError", tc.url)

-			}

-			if !strings.Contains(err.Error(), tc.wantSubstr) {

-				t.Fatalf("Validate(%q) = %q; want substring %q", tc.url, err, tc.wantSubstr)

-			}

-		})

-	}

-}

-

-func TestValidatePassesGoodShapes(t *testing.T) {

-	c := DefaultSSRFConfig()

-	cases := []string{

-		"http://example.com/x",

-		"https://example.com:443/x",

-		"http://example.com:8080/y",

-		"https://example.com:8443/y",

-	}

-	for _, u := range cases {

-		if err := c.Validate(u); err != nil {

-			t.Fatalf("Validate(%q) = %v; want nil", u, err)

-		}

-	}

-}

-

-func TestIsForbiddenIPClassifiesCorrectly(t *testing.T) {

-	forbidden := []string{

-		"127.0.0.1", "127.255.255.254",

-		"10.0.0.1", "10.255.255.255",

-		"172.16.0.1", "172.31.255.255",

-		"192.168.0.1",

-		"100.64.0.1",      // CGNAT

-		"169.254.169.254", // AWS metadata service

-		"0.0.0.0",

-		"255.255.255.255",

-		"::1",

-		"fe80::1", // link-local

-		"fd00::1", // ULA

-		"fc00::1", // ULA

-	}

-	for _, addr := range forbidden {

-		ip := net.ParseIP(addr)

-		if ip == nil {

-			t.Fatalf("bad test fixture: %q", addr)

-		}

-		if !isForbiddenIP(ip) {

-			t.Errorf("isForbiddenIP(%q) = false; want true", addr)

-		}

-	}

-	allowed := []string{

-		"1.1.1.1", "8.8.8.8", "203.0.113.5", "198.51.100.7",

-		"2001:4860:4860::8888",

-	}

-	for _, addr := range allowed {

-		ip := net.ParseIP(addr)

-		if ip == nil {

-			t.Fatalf("bad test fixture: %q", addr)

-		}

-		if isForbiddenIP(ip) {

-			t.Errorf("isForbiddenIP(%q) = true; want false", addr)

-		}

-	}

-}

-

-func TestIsSSRF(t *testing.T) {

-	c := DefaultSSRFConfig()

-	err := c.Validate("file:///etc/passwd")

-	if !IsSSRF(err) {

-		t.Fatalf("IsSSRF(%v) = false; want true", err)

-	}

-	if IsSSRF(nil) {

-		t.Fatalf("IsSSRF(nil) = true; want false")

-	}

-}