memos/plugin
Steven 150371d211 fix(webhook): remediate SSRF vulnerability in webhook dispatcher
- Add plugin/webhook/validate.go as single source of truth for SSRF
  protection: reserved CIDR list parsed once at init(), isReservedIP(),
  and exported ValidateURL() used at registration/update time
- Replace unguarded http.Client in webhook.go with safeClient whose
  Transport uses a custom DialContext that re-resolves hostnames at
  dial time, defeating DNS rebinding attacks
- Call webhook.ValidateURL() in CreateUserWebhook and both
  UpdateUserWebhook paths to reject non-http/https schemes and
  reserved/private IP targets before persisting
- Strip internal service response body from non-2xx error log messages
  to prevent data leakage via application logs
2026-02-23 10:14:24 +08:00
cron chore: fix some typos in comments (#5332) 2025-12-11 07:50:16 +08:00
email refactor(db): rename tables for clarity - resource→attachment, system_setting→instance_setting 2026-01-06 23:36:42 +08:00
filter fix: add Unicode case-insensitive search for SQLite (#5559) 2026-02-02 21:10:07 +08:00
httpgetter refactor: attachment service part2 2025-06-18 00:09:19 +08:00
idp chore: simplify attachment file writing 2025-12-31 21:54:37 +08:00
markdown fix: allow ampersand in tags to support compound tags 2026-02-11 22:55:45 +08:00
scheduler chore: simplify attachment file writing 2025-12-31 21:54:37 +08:00
storage/s3 perf: optimize memory usage for statistics and image processing 2025-12-30 00:06:23 +08:00
webhook fix(webhook): remediate SSRF vulnerability in webhook dispatcher 2026-02-23 10:14:24 +08:00