happyz
/
memos
mirror of https://github.com/usememos/memos.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,293 Commits 1 Branch 86 Tags 133 MiB
Commit Graph

12 Commits

Author SHA1 Message Date
Steven 150371d211 fix(webhook): remediate SSRF vulnerability in webhook dispatcher 
- Add plugin/webhook/validate.go as single source of truth for SSRF
  protection: reserved CIDR list parsed once at init(), isReservedIP(),
  and exported ValidateURL() used at registration/update time
- Replace unguarded http.Client in webhook.go with safeClient whose
  Transport uses a custom DialContext that re-resolves hostnames at
  dial time, defeating DNS rebinding attacks
- Call webhook.ValidateURL() in CreateUserWebhook and both
  UpdateUserWebhook paths to reject non-http/https schemes and
  reserved/private IP targets before persisting
- Strip internal service response body from non-2xx error log messages
  to prevent data leakage via application logs
 2026-02-23 10:14:24 +08:00
Johnny f66c750075 chore: simplify attachment file writing 2025-12-31 21:54:37 +08:00
johnnyjoy 976bd332fe chore: fix linter 2025-06-24 21:55:27 +08:00
johnnyjoy d6a75bba4c refactor: webhook service 2025-06-24 21:28:21 +08:00
Steven f12d7ae8bc chore: add asynchronous webhook dispatch 2025-05-27 20:01:04 +08:00
Steven f33571fec6 feat: update webhook request payload 2024-06-05 20:53:20 +08:00
Steven 2e0d5412b4 chore: tweak webhook payload 2024-06-01 23:46:00 +08:00
Steven 6010139291 chore: remove unused 2024-05-29 07:36:51 +08:00
Steven 775b79338d chore: update object in s3 2024-05-02 21:44:17 +08:00
Steven 7c5261b5d2 chore: tweak resource definition 2024-03-20 21:17:04 +08:00
Bryan 4aa4417d91
chore: allow all 20x response status code in webhook (#2947) 2024-02-13 09:30:48 +08:00
Steven bc965f6afa chore: implement webhook dispatch in api v1 2023-11-25 10:31:58 +08:00