fix(security): SSRF vulnerability in webhook URL validation

Bill · Bill · commit 51fd8c4e2e02 · 2026-03-02T05:14:46.000-05:00
The previous URL validation regex `/^https?:\/\/.+/` was too permissive and allowed requests to internal/private network addresses, including: - localhost - 127.0.0.1 and other loopback addresses - 169.254.169.254 (AWS metadata endpoint) - Private IP ranges (10.x, 172.16-31.x, 192.168.x) Changes: - Add src/api/utils/ssrfProtection.js with comprehensive URL validation - Block private/internal IP ranges, link-local addresses, and localhost variants - Add DNS resolution check to prevent DNS rebinding attacks (async version) - Update notifications.js route to use SSRF-safe validation - Add extensive tests for blocked and allowed URLs Fixes security vulnerability in webhook notification feature (PR #219).
diff --git a/src/api/routes/notifications.js b/src/api/routes/notifications.js
@@ -11,6 +11,7 @@ import { Router } from 'express';
 import { info, error as logError } from '../../logger.js';
 import { getConfig, setConfigValue } from '../../modules/config.js';
 import { getDeliveryLog, testEndpoint, WEBHOOK_EVENTS } from '../../modules/webhookNotifier.js';
+import { validateUrlForSsrfSync } from '../utils/ssrfProtection.js';
 
 const router = Router();
 
@@ -120,8 +121,10 @@ router.post('/:guildId/notifications/webhooks', async (req, res) => {
     return res.status(400).json({ error: 'Missing or invalid "url"' });
   }
 
-  if (!/^https:\/\/.+/.test(url)) {
-    return res.status(400).json({ error: '"url" must be a valid HTTPS URL' });
+  // SSRF-safe URL validation - require HTTPS to prevent DNS rebinding attacks
+  const urlValidation = validateUrlForSsrfSync(url);
+  if (!urlValidation.valid) {
+    return res.status(400).json({ error: urlValidation.error });
   }
 
   if (!Array.isArray(events) || events.length === 0) {
diff --git a/src/api/utils/ssrfProtection.js b/src/api/utils/ssrfProtection.js
@@ -0,0 +1,300 @@
+/**
+ * SSRF Protection Utilities
+ *
+ * Validates URLs to prevent Server-Side Request Forgery attacks by blocking
+ * requests to internal/private network addresses.
+ */
+
+/**
+ * Check if a hostname resolves to a blocked IP address.
+ * This handles DNS rebinding attacks by checking the resolved IP.
+ *
+ * @param {string} hostname - The hostname to check
+ * @returns {Promise<string|null>} The blocked IP if found, null if safe
+ */
+async function resolveAndCheckIp(hostname) {
+  // Only perform DNS resolution in Node.js runtime
+  if (typeof process === 'undefined') return null;
+
+  const dns = await import('node:dns').catch(() => null);
+  if (!dns) return null;
+
+  return new Promise((resolve) => {
+    dns.lookup(hostname, { all: true }, (err, addresses) => {
+      if (err || !addresses) {
+        resolve(null);
+        return;
+      }
+
+      for (const addr of addresses) {
+        if (isBlockedIp(addr.address)) {
+          resolve(addr.address);
+          return;
+        }
+      }
+      resolve(null);
+    });
+  });
+}
+
+/**
+ * Check if an IP address is in a blocked range.
+ * Blocks:
+ * - Loopback (127.0.0.0/8)
+ * - Link-local (169.254.0.0/16) - includes AWS metadata at 169.254.169.254
+ * - Private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
+ * - Localhost IPv6 (::1)
+ * - IPv6 link-local (fe80::/10)
+ *
+ * @param {string} ip - The IP address to check
+ * @returns {boolean} True if the IP is blocked
+ */
+export function isBlockedIp(ip) {
+  // Normalize IPv6 addresses
+  const normalizedIp = ip.toLowerCase().trim();
+
+  // IPv6 loopback
+  if (normalizedIp === '::1' || normalizedIp === '0:0:0:0:0:0:0:1') {
+    return true;
+  }
+
+  // IPv6 link-local (fe80::/10)
+  if (normalizedIp.startsWith('fe80:')) {
+    return true;
+  }
+
+  // IPv4-mapped IPv6 addresses (::ffff:192.168.1.1)
+  const ipv4MappedMatch = normalizedIp.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/i);
+  if (ipv4MappedMatch) {
+    return isBlockedIp(ipv4MappedMatch[1]);
+  }
+
+  // IPv4 checks
+  const parts = normalizedIp.split('.');
+  if (parts.length !== 4) {
+    // Not a valid IPv4, let it pass (will fail elsewhere)
+    return false;
+  }
+
+  const octets = parts.map((p) => {
+    const num = parseInt(p, 10);
+    return Number.isNaN(num) ? -1 : num;
+  });
+
+  // Invalid octets
+  if (octets.some((o) => o < 0 || o > 255)) {
+    return false;
+  }
+
+  const [first, second] = octets;
+
+  // Loopback: 127.0.0.0/8
+  if (first === 127) {
+    return true;
+  }
+
+  // Link-local: 169.254.0.0/16 (includes AWS metadata endpoint)
+  if (first === 169 && second === 254) {
+    return true;
+  }
+
+  // Private: 10.0.0.0/8
+  if (first === 10) {
+    return true;
+  }
+
+  // Private: 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
+  if (first === 172 && second >= 16 && second <= 31) {
+    return true;
+  }
+
+  // Private: 192.168.0.0/16
+  if (first === 192 && second === 168) {
+    return true;
+  }
+
+  // 0.0.0.0/8 - "this network"
+  if (first === 0) {
+    return true;
+  }
+
+  return false;
+}
+
+/**
+ * Check if a hostname is a blocked literal (like "localhost")
+ *
+ * @param {string} hostname - The hostname to check
+ * @returns {boolean} True if the hostname is blocked
+ */
+function isBlockedHostname(hostname) {
+  const normalized = hostname.toLowerCase().trim();
+
+  // Block localhost variants
+  const blockedHostnames = [
+    'localhost',
+    'localhost.localdomain',
+    'ip6-localhost',
+    'ip6-loopback',
+    'ip6-localnet',
+    'ip6-mcastprefix',
+  ];
+
+  if (blockedHostnames.includes(normalized)) {
+    return true;
+  }
+
+  // Block hostnames that end with .local, .localhost, .internal, .localdomain
+  const blockedSuffixes = ['.local', '.localhost', '.internal', '.localdomain', '.home', '.home.arpa'];
+  if (blockedSuffixes.some((suffix) => normalized.endsWith(suffix))) {
+    return true;
+  }
+
+  // Block if the hostname is a raw IP address that's blocked
+  // IPv4 check
+  if (/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(normalized)) {
+    return isBlockedIp(normalized);
+  }
+
+  // IPv6 check (basic patterns)
+  if (normalized.includes(':') && (normalized.startsWith('::1') || normalized.startsWith('fe80:'))) {
+    return true;
+  }
+
+  return false;
+}
+
+/**
+ * Validation result for SSRF-safe URL check
+ *
+ * @typedef {Object} UrlValidationResult
+ * @property {boolean} valid - Whether the URL is safe to use
+ * @property {string} [error] - Error message if invalid
+ * @property {string} [blockedIp] - The blocked IP address if found during DNS resolution
+ */
+
+/**
+ * Validate a URL for SSRF safety.
+ * Checks both the hostname literal and performs DNS resolution to prevent
+ * DNS rebinding attacks.
+ *
+ * @param {string} urlString - The URL to validate
+ * @param {Object} [options] - Validation options
+ * @param {boolean} [options.allowHttp=false] - Allow HTTP (not just HTTPS)
+ * @param {boolean} [options.checkDns=true] - Perform DNS resolution check
+ * @returns {Promise<UrlValidationResult>} Validation result
+ */
+export async function validateUrlForSsrf(urlString, options = {}) {
+  const { allowHttp = false, checkDns = true } = options;
+
+  // Basic URL parsing
+  let url;
+  try {
+    url = new URL(urlString);
+  } catch {
+    return { valid: false, error: 'Invalid URL format' };
+  }
+
+  // Protocol check
+  const allowedProtocols = allowHttp ? ['https:', 'http:'] : ['https:'];
+  if (!allowedProtocols.includes(url.protocol)) {
+    return {
+      valid: false,
+      error: allowHttp
+        ? 'URL must use HTTP or HTTPS protocol'
+        : 'URL must use HTTPS protocol',
+    };
+  }
+
+  const hostname = url.hostname;
+
+  // Check for blocked hostnames (localhost, etc.)
+  if (isBlockedHostname(hostname)) {
+    return {
+      valid: false,
+      error: 'URL hostname is not allowed (private/internal addresses are blocked)',
+    };
+  }
+
+  // Check if hostname is already an IP and if it's blocked
+  if (/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname)) {
+    if (isBlockedIp(hostname)) {
+      return {
+        valid: false,
+        error: 'URL resolves to a blocked IP address (private/internal ranges are not allowed)',
+      };
+    }
+  } else if (checkDns) {
+    // Perform DNS resolution to prevent DNS rebinding
+    const blockedIp = await resolveAndCheckIp(hostname);
+    if (blockedIp) {
+      return {
+        valid: false,
+        error: `URL hostname resolves to blocked IP address ${blockedIp} (private/internal ranges are not allowed)`,
+        blockedIp,
+      };
+    }
+  }
+
+  return { valid: true };
+}
+
+/**
+ * Synchronous version of SSRF validation for cases where DNS resolution
+ * is not possible or desired. Use the async version when possible.
+ *
+ * @param {string} urlString - The URL to validate
+ * @param {Object} [options] - Validation options
+ * @param {boolean} [options.allowHttp=false] - Allow HTTP (not just HTTPS)
+ * @returns {UrlValidationResult} Validation result
+ */
+export function validateUrlForSsrfSync(urlString, options = {}) {
+  const { allowHttp = false } = options;
+
+  // Basic URL parsing
+  let url;
+  try {
+    url = new URL(urlString);
+  } catch {
+    return { valid: false, error: 'Invalid URL format' };
+  }
+
+  // Protocol check
+  const allowedProtocols = allowHttp ? ['https:', 'http:'] : ['https:'];
+  if (!allowedProtocols.includes(url.protocol)) {
+    return {
+      valid: false,
+      error: allowHttp
+        ? 'URL must use HTTP or HTTPS protocol'
+        : 'URL must use HTTPS protocol',
+    };
+  }
+
+  const hostname = url.hostname;
+
+  // Check for blocked hostnames
+  if (isBlockedHostname(hostname)) {
+    return {
+      valid: false,
+      error: 'URL hostname is not allowed (private/internal addresses are blocked)',
+    };
+  }
+
+  // Check if hostname is a raw IP and if it's blocked
+  if (/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname)) {
+    if (isBlockedIp(hostname)) {
+      return {
+        valid: false,
+        error: 'URL points to a blocked IP address (private/internal ranges are not allowed)',
+      };
+    }
+  }
+
+  return { valid: true };
+}
+
+export default {
+  validateUrlForSsrf,
+  validateUrlForSsrfSync,
+  isBlockedIp,
+};
diff --git a/tests/api/routes/notifications.test.js b/tests/api/routes/notifications.test.js
@@ -252,6 +252,52 @@ describe('notifications routes', () => {
 
       expect(res.status).toBe(401);
     });
+
+    // ── SSRF Protection ─────────────────────────────────────────────────────
+
+    const blockedUrls = [
+      { url: 'https://localhost/webhook', desc: 'localhost' },
+      { url: 'https://localhost:8080/webhook', desc: 'localhost with port' },
+      { url: 'https://127.0.0.1/webhook', desc: '127.0.0.1 loopback' },
+      { url: 'https://127.0.0.1:3000/webhook', desc: '127.0.0.1 with port' },
+      { url: 'https://169.254.169.254/latest/meta-data/', desc: 'AWS metadata endpoint' },
+      { url: 'https://10.0.0.1/webhook', desc: '10.x private range' },
+      { url: 'https://10.255.255.255/webhook', desc: '10.x upper bound' },
+      { url: 'https://172.16.0.1/webhook', desc: '172.16.x private range' },
+      { url: 'https://172.31.255.255/webhook', desc: '172.31.x private range upper' },
+      { url: 'https://192.168.0.1/webhook', desc: '192.168.x private range' },
+      { url: 'https://192.168.255.255/webhook', desc: '192.168.x upper bound' },
+      { url: 'https://0.0.0.0/webhook', desc: '0.0.0.0 this-network' },
+      { url: 'https://myserver.local/webhook', desc: 'local domain' },
+      { url: 'https://api.internal/webhook', desc: 'internal domain' },
+      { url: 'https://app.localhost/webhook', desc: 'localhost domain' },
+    ];
+
+    it.each(blockedUrls)('should reject $desc', async ({ url }) => {
+      const res = await request(app)
+        .post(`/api/v1/guilds/${GUILD_ID}/notifications/webhooks`)
+        .set(authHeaders())
+        .send({ url, events: ['bot.error'] });
+
+      expect(res.status).toBe(400);
+      expect(res.body.error).toMatch(/not allowed|blocked|private|internal/i);
+    });
+
+    const allowedUrls = [
+      { url: 'https://example.com/webhook', desc: 'public domain' },
+      { url: 'https://api.example.com/v1/webhook', desc: 'public domain with path' },
+      { url: 'https://example.com:8443/webhook', desc: 'public domain with port' },
+      { url: 'https://example.com/webhook?token=abc', desc: 'public domain with query' },
+    ];
+
+    it.each(allowedUrls)('should accept $desc', async ({ url }) => {
+      const res = await request(app)
+        .post(`/api/v1/guilds/${GUILD_ID}/notifications/webhooks`)
+        .set(authHeaders())
+        .send({ url, events: ['bot.error'] });
+
+      expect(res.status).toBe(201);
+    });
   });
 
   // ── DELETE /guilds/:guildId/notifications/webhooks/:endpointId ────────────
diff --git a/tests/api/utils/ssrfProtection.test.js b/tests/api/utils/ssrfProtection.test.js
