Skip to content

fix(security): add SSRF protection, HMAC signatures, and response limit for webhooks#572

Merged
lakhansamani merged 1 commit intomainfrom
fix/webhook-security
Apr 5, 2026
Merged

fix(security): add SSRF protection, HMAC signatures, and response limit for webhooks#572
lakhansamani merged 1 commit intomainfrom
fix/webhook-security

Conversation

@lakhansamani
Copy link
Copy Markdown
Contributor

@lakhansamani lakhansamani commented Apr 4, 2026

Summary

  • SSRF Protection (HIGH): Webhook endpoints are now validated against private/internal IP ranges (RFC1918, link-local, localhost) during dispatch, creation, and update
  • HMAC Signatures (MEDIUM): Webhook payloads are signed with HMAC-SHA256 using the client secret, sent via X-Authorizer-Signature header
  • Response Size Limit (LOW): Webhook response bodies capped at 1MB via io.LimitReader

Files Changed

  • internal/validators/endpoint.go — new shared SSRF validation
  • internal/events/events.go — SSRF check + HMAC signature + response limit
  • internal/graphql/add_webhook.go — SSRF validation on create
  • internal/graphql/update_webhook.go — SSRF validation on update
  • internal/graphql/test_endpoint.go — use shared validator

Test plan

  • make test-sqlite passes (no regressions)
  • Verify webhooks to public URLs still work
  • Verify webhooks to private IPs (127.0.0.1, 169.254.x.x) are rejected
  • Verify X-Authorizer-Signature header is present on webhook requests

@lakhansamani lakhansamani merged commit 1cbe45e into main Apr 5, 2026
@lakhansamani lakhansamani deleted the fix/webhook-security branch April 5, 2026 01:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@lakhansamani