Commit Graph

4 Commits

Author SHA1 Message Date
Sinan Guere d2c67bac6f Remove line ending changes 2026-03-24 14:32:03 +02:00
=AhmedAshraf b3efb2514b I fixed the conflicts
feat: add memo color customization
2026-03-24 14:24:09 +02:00
memoclaw cd5816c428
feat: add --allow-private-webhooks flag to bypass SSRF protection (#5694)
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 13:46:03 +08:00
Steven 150371d211 fix(webhook): remediate SSRF vulnerability in webhook dispatcher
- Add plugin/webhook/validate.go as single source of truth for SSRF
  protection: reserved CIDR list parsed once at init(), isReservedIP(),
  and exported ValidateURL() used at registration/update time
- Replace unguarded http.Client in webhook.go with safeClient whose
  Transport uses a custom DialContext that re-resolves hostnames at
  dial time, defeating DNS rebinding attacks
- Call webhook.ValidateURL() in CreateUserWebhook and both
  UpdateUserWebhook paths to reject non-http/https schemes and
  reserved/private IP targets before persisting
- Strip internal service response body from non-2xx error log messages
  to prevent data leakage via application logs
2026-02-23 10:14:24 +08:00