مراية لـ
https://github.com/postalserver/postal.git
تم المزامنة 2026-06-03 21:45:48 +00:00
11c9814474
Webhook and HTTP message endpoint deliveries both flow through Postal::HTTP, which parsed the user-supplied URL and connected to its host with no address validation. An authenticated user could point a webhook or endpoint at a private, loopback or link-local address (e.g. 127.0.0.1, 169.254.169.254 cloud metadata, RFC1918 hosts) and make the server issue requests into its own internal network. Add Postal::HTTP::AddressGuard, which resolves the destination host and rejects private/loopback/link-local/reserved/multicast IPv4 and IPv6 addresses, then pins the connection to the validated address so it cannot be redirected via a DNS-rebinding race. Administrators can permit specific destinations via the new postal.allowed_request_destinations config option (hostnames or IP/CIDR ranges). Address selection only uses families this server can actually reach so we do not pin to an IPv6 address on a host without IPv6 connectivity; IPv4 is preferred for predictability. HTTPEndpoint now validates that its URL is a well-formed HTTP(S) URL with a host.
39 أسطر
896 B
Ruby
39 أسطر
896 B
Ruby
# frozen_string_literal: true
|
|
|
|
require "rails_helper"
|
|
|
|
RSpec.describe HTTPEndpoint do
|
|
describe "validations" do
|
|
subject(:endpoint) { build(:http_endpoint, url: url) }
|
|
|
|
[
|
|
"https://example.com/messages/~user;v=1?token=a+b#section",
|
|
"http://example.com:8080/path?x=1&y=2",
|
|
"https://[2606:2800:220:1:248:1893:25c8:1946]/hook",
|
|
].each do |valid_url|
|
|
context "with #{valid_url}" do
|
|
let(:url) { valid_url }
|
|
|
|
it "is valid" do
|
|
expect(endpoint).to be_valid
|
|
end
|
|
end
|
|
end
|
|
|
|
[
|
|
"ftp://example.com/hook",
|
|
"https:///missing-host",
|
|
"not a url",
|
|
].each do |invalid_url|
|
|
context "with #{invalid_url}" do
|
|
let(:url) { invalid_url }
|
|
|
|
it "is invalid" do
|
|
expect(endpoint).not_to be_valid
|
|
expect(endpoint.errors[:url]).to be_present
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|