chore(main): release 3.3.7 (#3577 )

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
doc: update config with new allowed request destinations option
2026-06-03 21:45:48 +00:00 · 2026-06-03 16:24:45 +01:00 · 2026-06-03 15:52:46 +01:00 · 2026-06-03 15:43:02 +01:00
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -1,3 +1,3 @@
 {
-  ".": "3.3.6"
+  ".": "3.3.7"
 }
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,21 @@

 This file contains all the latest changes and updates to Postal.

+## [3.3.7](https://github.com/postalserver/postal/compare/3.3.6...3.3.7) (2026-06-03)
+
+
+### Bug Fixes
+
+* **http:** prevent SSRF in outbound webhook and HTTP endpoint requests ([11c9814](https://github.com/postalserver/postal/commit/11c9814474f956619da35e8385ef7fab9f304de0))
+* **message-db:** prevent SQL injection via condition keys (GHSA-x2hq-rfpg-3xr5) ([4314a6e](https://github.com/postalserver/postal/commit/4314a6ec1e2812daa67dd20effd1db1769c1f8e8))
+* **specs:** stub IPv6 support in address guard IPv6 literal spec ([029bfe0](https://github.com/postalserver/postal/commit/029bfe098d9b8c0b5cafc49eac33e767f5748cd3))
+
+
+### Miscellaneous Chores
+
+* **deps:** upgrade rack & rails ([0445e5c](https://github.com/postalserver/postal/commit/0445e5c509870dfe9c16366c53dee3fc02ad3904))
+* update security vulnerability reporting instructions ([8be1e27](https://github.com/postalserver/postal/commit/8be1e27fec489ab659ef5e909f705932028b1694))
+
 ## [3.3.6](https://github.com/postalserver/postal/compare/3.3.5...3.3.6) (2026-04-28)


--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -134,14 +134,12 @@ GEM
    factory_bot_rails (6.4.3)
      factory_bot (~> 6.4)
      railties (>= 5.0.0)
-    faraday (2.14.2)
-      faraday-net_http (>= 2.0, < 3.5)
-      json
-      logger
+    faraday (2.9.0)
+      faraday-net_http (>= 2.0, < 3.2)
    faraday-follow_redirects (0.3.0)
      faraday (>= 1, < 3)
-    faraday-net_http (3.4.4)
-      net-http (~> 0.5)
+    faraday-net_http (3.1.0)
+      net-http
    ffi (1.15.5)
    gelf (3.1.0)
      json
@@ -211,8 +209,8 @@ GEM
      prism (~> 1.5)
    mutex_m (0.3.0)
    mysql2 (0.5.6)
-    net-http (0.9.1)
-      uri (>= 0.11.1)
+    net-http (0.4.1)
+      uri
    net-imap (0.6.4)
      date
      net-protocol
@@ -420,7 +418,7 @@ GEM
    uglifier (4.2.0)
      execjs (>= 0.3.0, < 3)
    unicode-display_width (2.4.2)
-    uri (1.1.1)
+    uri (1.0.3)
    validate_url (1.0.15)
      activemodel (>= 3.0.0)
      public_suffix
--- a/doc/config/environment-variables.md
+++ b/doc/config/environment-variables.md
@@ -18,6 +18,7 @@ This document contains all the environment variables which are available for thi
 | `POSTAL_SIGNING_KEY_PATH` | String | Path to the private key used for signing | $config-file-root/signing.key |
 | `POSTAL_SMTP_RELAYS` | Array of strings | An array of SMTP relays in the format of smtp://host:port | [] |
 | `POSTAL_TRUSTED_PROXIES` | Array of strings | An array of IP addresses to trust for proxying requests to Postal (in addition to localhost addresses) | [] |
+| `POSTAL_ALLOWED_REQUEST_DESTINATIONS` | Array of strings | Hostnames or IP/CIDR ranges that outbound webhook and HTTP endpoint requests are permitted to reach even when they resolve to a private, loopback, link-local or otherwise reserved address. All other such destinations are blocked to prevent SSRF. | [] |
 | `POSTAL_QUEUED_MESSAGE_LOCK_STALE_DAYS` | Integer | The number of days after which to consider a lock as stale. Messages with stale locks will be removed and not retried. | 1 |
 | `POSTAL_BATCH_QUEUED_MESSAGES` | Boolean | When enabled queued messages will be de-queued in batches based on their destination | true |
 | `WEB_SERVER_DEFAULT_PORT` | Integer | The default port the web server should listen on unless overriden by the PORT environment variable | 5000 |
--- a/doc/config/yaml.yml
+++ b/doc/config/yaml.yml
@@ -29,6 +29,8 @@ postal:
  smtp_relays: []
  # An array of IP addresses to trust for proxying requests to Postal (in addition to localhost addresses)
  trusted_proxies: []
+  # Hostnames or IP/CIDR ranges that outbound webhook and HTTP endpoint requests are permitted to reach even when they resolve to a private, loopback, link-local or otherwise reserved address. All other such destinations are blocked to prevent SSRF.
+  allowed_request_destinations: []
  # The number of days after which to consider a lock as stale. Messages with stale locks will be removed and not retried.
  queued_message_lock_stale_days: 1
  # When enabled queued messages will be de-queued in batches based on their destination
--- a/spec/lib/postal/http/address_guard_spec.rb
+++ b/spec/lib/postal/http/address_guard_spec.rb
@@ -23,6 +23,8 @@ RSpec.describe Postal::HTTP::AddressGuard do
    context "when given a public IPv6 literal" do
      let(:host) { "2606:2800:220:1:248:1893:25c8:1946" }

+      before { allow(described_class).to receive(:ipv6_supported?).and_return(true) }
+
      it "returns the address to connect to" do
        expect(call).to eq "2606:2800:220:1:248:1893:25c8:1946"
      end
المؤلف	SHA1	الرسالة	التاريخ
github-actions[bot]	d038eaa8c7	chore(main): release 3.3.7 (#3577 ) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>	2026-06-03 16:24:45 +01:00
Adam Cooke	3b3defe271	doc: update config with new allowed request destinations option	2026-06-03 15:52:46 +01:00
Adam Cooke	029bfe098d	fix(specs): stub IPv6 support in address guard IPv6 literal spec The spec relied on the test machine having real IPv6 connectivity, which GitHub Actions runners do not have.	2026-06-03 15:43:02 +01:00