Only allow webhook to send requests to allowed hosts

Author: wxiaoguang

cmd/web.go

@@ -194,6 +194,7 @@ func listen(m http.Handler, handleRedirector bool) error {
 		listenAddr = net.JoinHostPort(listenAddr, setting.HTTPPort)
 	}
 	log.Info("Listen: %v://%s%s", setting.Protocol, listenAddr, setting.AppSubURL)
+	log.Info("AppURL: %s", setting.AppURL)
 
 	if setting.LFS.StartServer {
 		log.Info("LFS server enabled")

custom/conf/app.example.ini

@@ -1396,6 +1396,9 @@ PATH =
 ;; Deliver timeout in seconds
 ;DELIVER_TIMEOUT = 5
 ;;
+;; Webhook can only call allowed hosts for security reasons. Comma separated list: loopback, private, global, or all, or CIDR list (1.2.3.0/8), or wildcard hosts (*.mydomain.com)
+; ALLOWED_HOST_LIST = global
+;;
 ;; Allow insecure certification
 ;SKIP_TLS_VERIFY = false
 ;;

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -581,6 +581,7 @@ Define allowed algorithms and their minimum key length (use -1 to disable a type
 
 - `QUEUE_LENGTH`: **1000**: Hook task queue length. Use caution when editing this value.
 - `DELIVER_TIMEOUT`: **5**: Delivery timeout (sec) for shooting webhooks.
+- `ALLOWED_HOST_LIST`: **global**: Webhook can only call allowed hosts for security reasons. Comma separated list: `loopback`, `private`, `global`, or `all`, or CIDR list (1.2.3.0/8), or wildcard hosts (*.mydomain.com)
 - `SKIP_TLS_VERIFY`: **false**: Allow insecure certification.
 - `PAGING_NUM`: **10**: Number of webhook history events that are shown in one page.
 - `PROXY_URL`: **\<empty\>**: Proxy server URL, support http://, https//, socks://, blank will follow environment http_proxy/https_proxy. If not given, will use global proxy setting.

modules/migrations/migrate.go

@@ -89,7 +89,7 @@ func IsMigrateURLAllowed(remoteURL string, doer *models.User) error {
 			return &models.ErrInvalidCloneAddr{Host: u.Host, NotResolvedIP: true}
 		}
 		for _, addr := range addrList {
-			if isIPPrivate(addr) || !addr.IsGlobalUnicast() {
+			if util.IsIPPrivate(addr) || !addr.IsGlobalUnicast() {
 				return &models.ErrInvalidCloneAddr{Host: u.Host, PrivateNet: addr.String(), IsPermissionDenied: true}
 			}
 		}
@@ -474,13 +474,3 @@ func Init() error {
 
 	return nil
 }
-
-// TODO: replace with `ip.IsPrivate()` if min go version is bumped to 1.17
-func isIPPrivate(ip net.IP) bool {
-	if ip4 := ip.To4(); ip4 != nil {
-		return ip4[0] == 10 ||
-			(ip4[0] == 172 && ip4[1]&0xf0 == 16) ||
-			(ip4[0] == 192 && ip4[1] == 168)
-	}
-	return len(ip) == net.IPv6len && ip[0]&0xfe == 0xfc
-}

modules/setting/webhook.go

@@ -5,22 +5,26 @@
 package setting
 
 import (
+	"net"
 	"net/url"
+	"strings"
 
 	"code.gitea.io/gitea/modules/log"
 )
 
 var (
 	// Webhook settings
 	Webhook = struct {
-		QueueLength    int
-		DeliverTimeout int
-		SkipTLSVerify  bool
-		Types          []string
-		PagingNum      int
-		ProxyURL       string
-		ProxyURLFixed  *url.URL
-		ProxyHosts     []string
+		QueueLength       int
+		DeliverTimeout    int
+		SkipTLSVerify     bool
+		AllowedHostList   []string // loopback,private,global, or all, or CIDR list, or wildcard hosts
+		AllowedHostIPNets []*net.IPNet
+		Types             []string
+		PagingNum         int
+		ProxyURL          string
+		ProxyURLFixed     *url.URL
+		ProxyHosts        []string
 	}{
 		QueueLength:    1000,
 		DeliverTimeout: 5,
@@ -31,11 +35,29 @@ var (
 	}
 )
 
+// ParseWebhookAllowedHostList parses the ALLOWED_HOST_LIST value
+func ParseWebhookAllowedHostList(allowedHostListStr string) (allowedHostList []string, allowedHostIPNets []*net.IPNet) {
+	for _, s := range strings.Split(allowedHostListStr, ",") {
+		s = strings.TrimSpace(s)
+		if s == "" {
+			continue
+		}
+		_, ipNet, err := net.ParseCIDR(s)
+		if err == nil {
+			allowedHostIPNets = append(allowedHostIPNets, ipNet)
+		} else {
+			allowedHostList = append(allowedHostList, s)
+		}
+	}
+	return
+}
+
 func newWebhookService() {
 	sec := Cfg.Section("webhook")
 	Webhook.QueueLength = sec.Key("QUEUE_LENGTH").MustInt(1000)
 	Webhook.DeliverTimeout = sec.Key("DELIVER_TIMEOUT").MustInt(5)
 	Webhook.SkipTLSVerify = sec.Key("SKIP_TLS_VERIFY").MustBool()
+	Webhook.AllowedHostList, Webhook.AllowedHostIPNets = ParseWebhookAllowedHostList(sec.Key("ALLOWED_HOST_LIST").MustString("global"))
 	Webhook.Types = []string{"gitea", "gogs", "slack", "discord", "dingtalk", "telegram", "msteams", "feishu", "matrix", "wechatwork"}
 	Webhook.PagingNum = sec.Key("PAGING_NUM").MustInt(10)
 	Webhook.ProxyURL = sec.Key("PROXY_URL").MustString("")

modules/util/util.go

@@ -9,6 +9,7 @@ import (
 	"crypto/rand"
 	"errors"
 	"math/big"
+	"net"
 	"strconv"
 	"strings"
 )
@@ -161,3 +162,13 @@ func RandomString(length int64) (string, error) {
 	}
 	return string(bytes), nil
 }
+
+// IsIPPrivate for net.IP.IsPrivate. TODO: replace with `ip.IsPrivate()` if min go version is bumped to 1.17
+func IsIPPrivate(ip net.IP) bool {
+	if ip4 := ip.To4(); ip4 != nil {
+		return ip4[0] == 10 ||
+			(ip4[0] == 172 && ip4[1]&0xf0 == 16) ||
+			(ip4[0] == 192 && ip4[1] == 168)
+	}
+	return len(ip) == net.IPv6len && ip[0]&0xfe == 0xfc
+}

services/webhook/deliver.go

@@ -16,19 +16,25 @@ import (
 	"net"
 	"net/http"
 	"net/url"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"sync"
+	"syscall"
 	"time"
 
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/graceful"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/proxy"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
+
 	"github.com/gobwas/glob"
 )
 
+var contextKeyWebhookRequest interface{} = "contextKeyWebhookRequest"
+
 // Deliver deliver hook task
 func Deliver(t *models.HookTask) error {
 	w, err := models.GetWebhookByID(t.HookID)
@@ -171,7 +177,7 @@ func Deliver(t *models.HookTask) error {
 		return fmt.Errorf("Webhook task skipped (webhooks disabled): [%d]", t.ID)
 	}
 
-	resp, err := webhookHTTPClient.Do(req)
+	resp, err := webhookHTTPClient.Do(req.WithContext(context.WithValue(req.Context(), contextKeyWebhookRequest, req)))
 	if err != nil {
 		t.ResponseInfo.Body = fmt.Sprintf("Delivery: %v", err)
 		return err
@@ -288,19 +294,79 @@ func webhookProxy() func(req *http.Request) (*url.URL, error) {
 	}
 }
 
+func isWebhookRequestAllowed(allowedHostList []string, allowedHostIPNets []*net.IPNet, host string, ip net.IP) bool {
+	var allowed bool
+	ipStr := ip.String()
+loop:
+	for _, allowedHost := range allowedHostList {
+		switch allowedHost {
+		case "":
+			continue
+		case "all":
+			allowed = true
+			break loop
+		case "global":
+			if allowed = ip.IsGlobalUnicast() && !util.IsIPPrivate(ip); allowed {
+				break loop
+			}
+		case "private":
+			if allowed = util.IsIPPrivate(ip); allowed {
+				break loop
+			}
+		case "loopback":
+			if allowed = ip.IsLoopback(); allowed {
+				break loop
+			}
+		default:
+			if ok, _ := filepath.Match(allowedHost, host); ok {
+				allowed = true
+				break loop
+			}
+			if ok, _ := filepath.Match(allowedHost, ipStr); ok {
+				allowed = true
+				break loop
+			}
+		}
+	}
+	if !allowed {
+		for _, allowIPNet := range allowedHostIPNets {
+			if allowIPNet.Contains(ip) {
+				allowed = true
+				break
+			}
+		}
+	}
+	return allowed
+}
+
 // InitDeliverHooks starts the hooks delivery thread
 func InitDeliverHooks() {
 	timeout := time.Duration(setting.Webhook.DeliverTimeout) * time.Second
 
 	webhookHTTPClient = &http.Client{
+		Timeout: timeout,
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{InsecureSkipVerify: setting.Webhook.SkipTLSVerify},
 			Proxy:           webhookProxy(),
-			Dial: func(netw, addr string) (net.Conn, error) {
-				return net.DialTimeout(netw, addr, timeout) // dial timeout
+			DialContext: func(ctx context.Context, network, addrOrHost string) (net.Conn, error) {
+				dialer := net.Dialer{
+					Timeout: timeout,
+					Control: func(network, ipAddr string, c syscall.RawConn) error {
+						// in Control func, the addr was already resolved to IP:PORT format, there is no cost to do ResolveTCPAddr here
+						tcpAddr, err := net.ResolveTCPAddr(network, ipAddr)
+						req := ctx.Value(contextKeyWebhookRequest).(*http.Request)
+						if err != nil {
+							return fmt.Errorf("webhook can only call HTTP servers via TCP, deny '%s(%s:%s)', err=%v", req.Host, network, ipAddr, err)
+						}
+						if !isWebhookRequestAllowed(setting.Webhook.AllowedHostList, setting.Webhook.AllowedHostIPNets, req.Host, tcpAddr.IP) {
+							return fmt.Errorf("webhook can only call allowed HTTP servers (check your webhook.ALLOWED_HOST_LIST setting), deny '%s(%s)'", req.Host, ipAddr)
+						}
+						return nil
+					},
+				}
+				return dialer.DialContext(ctx, network, addrOrHost)
 			},
 		},
-		Timeout: timeout, // request timeout
 	}
 
 	go graceful.GetManager().RunWithShutdownContext(DeliverHooks)

services/webhook/deliver_test.go

@@ -5,6 +5,7 @@
 package webhook
 
 import (
+	"net"
 	"net/http"
 	"net/url"
 	"testing"
@@ -37,3 +38,84 @@ func TestWebhookProxy(t *testing.T) {
 		}
 	}
 }
+
+func TestIsWebhookRequestAllowed(t *testing.T) {
+	type tc struct {
+		host     string
+		ip       net.IP
+		expected bool
+	}
+
+	ah, an := setting.ParseWebhookAllowedHostList("private, global, *.google.com, 169.254.1.0/24")
+	cases := []tc{
+		{"", net.IPv4zero, false},
+
+		{"", net.ParseIP("127.0.0.1"), false},
+
+		{"", net.ParseIP("10.0.1.1"), true},
+		{"", net.ParseIP("192.168.1.1"), true},
+
+		{"", net.ParseIP("8.8.8.8"), true},
+
+		{"google.com", net.IPv4zero, false},
+		{"sub.google.com", net.IPv4zero, true},
+
+		{"", net.ParseIP("169.254.1.1"), true},
+		{"", net.ParseIP("169.254.2.2"), false},
+	}
+	for _, c := range cases {
+		assert.Equalf(t, c.expected, isWebhookRequestAllowed(ah, an, c.host, c.ip), "case %s(%v)", c.host, c.ip)
+	}
+
+	ah, an = setting.ParseWebhookAllowedHostList("loopback")
+	cases = []tc{
+		{"", net.IPv4zero, false},
+		{"", net.ParseIP("127.0.0.1"), true},
+		{"", net.ParseIP("10.0.1.1"), false},
+		{"", net.ParseIP("192.168.1.1"), false},
+		{"", net.ParseIP("8.8.8.8"), false},
+		{"google.com", net.IPv4zero, false},
+	}
+	for _, c := range cases {
+		assert.Equalf(t, c.expected, isWebhookRequestAllowed(ah, an, c.host, c.ip), "case %s(%v)", c.host, c.ip)
+	}
+
+	ah, an = setting.ParseWebhookAllowedHostList("private")
+	cases = []tc{
+		{"", net.IPv4zero, false},
+		{"", net.ParseIP("127.0.0.1"), false},
+		{"", net.ParseIP("10.0.1.1"), true},
+		{"", net.ParseIP("192.168.1.1"), true},
+		{"", net.ParseIP("8.8.8.8"), false},
+		{"google.com", net.IPv4zero, false},
+	}
+	for _, c := range cases {
+		assert.Equalf(t, c.expected, isWebhookRequestAllowed(ah, an, c.host, c.ip), "case %s(%v)", c.host, c.ip)
+	}
+
+	ah, an = setting.ParseWebhookAllowedHostList("global")
+	cases = []tc{
+		{"", net.IPv4zero, false},
+		{"", net.ParseIP("127.0.0.1"), false},
+		{"", net.ParseIP("10.0.1.1"), false},
+		{"", net.ParseIP("192.168.1.1"), false},
+		{"", net.ParseIP("8.8.8.8"), true},
+		{"google.com", net.IPv4zero, false},
+	}
+	for _, c := range cases {
+		assert.Equalf(t, c.expected, isWebhookRequestAllowed(ah, an, c.host, c.ip), "case %s(%v)", c.host, c.ip)
+	}
+
+	ah, an = setting.ParseWebhookAllowedHostList("all")
+	cases = []tc{
+		{"", net.IPv4zero, true},
+		{"", net.ParseIP("127.0.0.1"), true},
+		{"", net.ParseIP("10.0.1.1"), true},
+		{"", net.ParseIP("192.168.1.1"), true},
+		{"", net.ParseIP("8.8.8.8"), true},
+		{"google.com", net.IPv4zero, true},
+	}
+	for _, c := range cases {
+		assert.Equalf(t, c.expected, isWebhookRequestAllowed(ah, an, c.host, c.ip), "case %s(%v)", c.host, c.ip)
+	}
+}