
webhook: validate against hostname instead of full URL (#7075)

# Conflicts:
#	CHANGELOG.md
Author: Joe Chen (2 years ago)
Commit: 7f147eb573
2 changed files with 21 additions and 8 deletions:
  1. CHANGELOG.md (+13 -6)
  2. internal/db/webhook.go (+8 -2)

CHANGELOG.md (+13 -6)

@@ -19,16 +19,12 @@ All notable changes to Gogs are documented in this file.
 - MSSQL as database backend is deprecated, installation page no longer shows it as an option. Existing installations and manually craft configuration file continue to work. [#6295](https://github.com/gogs/gogs/pull/6295)
 - Use [Task](https://github.com/go-task/task) as the build tool. [#6297](https://github.com/gogs/gogs/pull/6297)
 - The required Go version to compile source code changed to 1.16.
+- Access tokens are now stored using their SHA256 hashes instead of raw values. [#7008](https://github.com/gogs/gogs/pull/7008)
 
 ### Fixed
 
-- _Security:_ OS Command Injection in file editor. [#7000](https://github.com/gogs/gogs/issues/7000)
-- _Security:_ Sanitize `DisplayName` in repository issue list. [#7009](https://github.com/gogs/gogs/pull/7009)
-- _Security:_ Path Traversal in file editor on Windows. [#7001](https://github.com/gogs/gogs/issues/7001)
-- _Security:_ Path Traversal in Git HTTP endpoints. [#7002](https://github.com/gogs/gogs/issues/7002)
 - Unable to use LDAP authentication on ARM machines. [#6761](https://github.com/gogs/gogs/issues/6761)
-- Unable to init repository during creation on Windows. [#6967](https://github.com/gogs/gogs/issues/6967)
-- Mysterious panic on `Value not found for type *repo.HTTPContext`. [#6963](https://github.com/gogs/gogs/issues/6963)
+- Unable to send webhooks to local network addresses after configured `[security] LOCAL_NETWORK_ALLOWLIST`. [#7074](https://github.com/gogs/gogs/issues/7074)
 
 ### Removed
 
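Review bot: the new entry's wording "after configured `[security] LOCAL_NETWORK_ALLOWLIST`" should read "after configuring"; it would also help readers to name the cause, namely that the allowlist check was run against the full payload URL instead of its hostname (see the `deliver()` change below), so allowlisted hosts were still blocked. The four `_Security:_` entries and the two other fixes removed in this hunk are re-added verbatim under a new `## 0.12.9` heading in the next hunk, so this is a move into the release section rather than a deletion.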
@@ -50,6 +46,17 @@ All notable changes to Gogs are documented in this file.
 - Configuration option `[database] PASSWD` is no longer used, please use `[database] PASSWORD`.
 - Remove option to use Makefile as the build tool. [#6980](https://github.com/gogs/gogs/pull/6980)
 
+## 0.12.9
+
+### Fixed
+
+- _Security:_ OS Command Injection in file editor. [#7000](https://github.com/gogs/gogs/issues/7000)
+- _Security:_ Sanitize `DisplayName` in repository issue list. [#7009](https://github.com/gogs/gogs/pull/7009)
+- _Security:_ Path Traversal in file editor on Windows. [#7001](https://github.com/gogs/gogs/issues/7001)
+- _Security:_ Path Traversal in Git HTTP endpoints. [#7002](https://github.com/gogs/gogs/issues/7002)
+- Unable to init repository during creation on Windows. [#6967](https://github.com/gogs/gogs/issues/6967)
+- Mysterious panic on `Value not found for type *repo.HTTPContext`. [#6963](https://github.com/gogs/gogs/issues/6963)
+
 ## 0.12.8
 
 ### Changed

internal/db/webhook.go (+8 -2)

@@ -11,6 +11,7 @@ import (
 	"encoding/hex"
 	"fmt"
 	"io/ioutil"
+	"net/url"
 	"strings"
 	"time"
 
@@ -689,8 +690,13 @@ func TestWebhook(repo *Repository, event HookEventType, p api.Payloader, webhook
 }
 
 func (t *HookTask) deliver() {
-	if netutil.IsBlockedLocalHostname(t.URL, conf.Security.LocalNetworkAllowlist) {
-		t.ResponseContent = "Payload URL resolved to a local network address that is implicitly blocked."
+	payloadURL, err := url.Parse(t.URL)
+	if err != nil {
+		t.ResponseContent = fmt.Sprintf(`{"body": "Cannot parse payload URL: %v"}`, err)
+		return
+	}
+	if netutil.IsBlockedLocalHostname(payloadURL.Hostname(), conf.Security.LocalNetworkAllowlist) {
+		t.ResponseContent = `{"body": "Payload URL resolved to a local network address that is implicitly blocked."}`
 		return
 	}
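Review bot: the error branch `t.ResponseContent = fmt.Sprintf(`{"body": "Cannot parse payload URL: %v"}`, err)` interpolates the raw error text into a hand-assembled JSON string; `url.Parse` errors embed the offending URL in quotes, so a payload URL containing `"` or `\` produces malformed JSON in `ResponseContent`. Build the body with `json.Marshal` of a `map[string]string{"body": ...}` (or `strconv.Quote` the message) instead. Separately, `payloadURL.Hostname()` returns an empty string for a scheme-less value such as `localhost/hook` (parsed as a path), so `IsBlockedLocalHostname` is then consulted with `""` and the local-network guard is effectively skipped; rejecting an empty hostname explicitly before the check would close that gap.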