happyz
/
memos
mirror of https://github.com/usememos/memos.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
memos/plugin/webhook
History
Steven 150371d211 fix(webhook): remediate SSRF vulnerability in webhook dispatcher 
- Add plugin/webhook/validate.go as single source of truth for SSRF
  protection: reserved CIDR list parsed once at init(), isReservedIP(),
  and exported ValidateURL() used at registration/update time
- Replace unguarded http.Client in webhook.go with safeClient whose
  Transport uses a custom DialContext that re-resolves hostnames at
  dial time, defeating DNS rebinding attacks
- Call webhook.ValidateURL() in CreateUserWebhook and both
  UpdateUserWebhook paths to reject non-http/https schemes and
  reserved/private IP targets before persisting
- Strip internal service response body from non-2xx error log messages
  to prevent data leakage via application logs
 		2026-02-23 10:14:24 +08:00
..
validate.go fix(webhook): remediate SSRF vulnerability in webhook dispatcher 2026-02-23 10:14:24 +08:00
webhook.go fix(webhook): remediate SSRF vulnerability in webhook dispatcher 2026-02-23 10:14:24 +08:00
webhook_test.go chore: implement webhook dispatch in api v1 2023-11-25 10:31:58 +08:00