Skip to content

Security: Webhook URL SSRF vulnerability - no validation of internal/private network URLs #4

Closed
#33
Closed
Security: Webhook URL SSRF vulnerability - no validation of internal/private network URLs#4
#33
Labels
julesFor Jules AI to work onlang:phpPHP/Laravel
@Snider

Description

@Snider
Snider
opened on Feb 1, 2026

Description

The WebhookEndpoint::createForWorkspace() method and the webhook delivery system do not validate that the webhook URL does not point to internal or private network addresses. This creates a Server-Side Request Forgery (SSRF) vulnerability.

Location

  • src/Api/Models/WebhookEndpoint.php:102-118 - createForWorkspace() method
  • src/Api/Jobs/DeliverWebhookJob.php:88-91 - HTTP request to arbitrary URLs

Security Impact

An attacker could:

  1. Register a webhook endpoint pointing to http://127.0.0.1:XXX, http://localhost, http://192.168.x.x, http://10.x.x.x, or http://169.254.169.254 (AWS metadata)
  2. Trigger events that cause the server to make HTTP requests to internal services
  3. Potentially access cloud provider metadata endpoints, internal APIs, or scan internal network ports

Recommended Fix

  1. Create a URL validation service that checks webhook URLs:

    • Block localhost, 127.0.0.1, ::1
    • Block private network ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
    • Block link-local (169.254.x.x)
    • Block cloud metadata endpoints (169.254.169.254)
    • Optionally require HTTPS-only webhooks
    • Resolve DNS and validate the resolved IP is not internal

  2. Apply validation in WebhookEndpoint::createForWorkspace() and any update methods

Example

class WebhookUrlValidator
{
    private const BLOCKED_HOSTS = ['localhost', 'localhost.localdomain'];
    
    public function validate(string $url): bool
    {
        $parsed = parse_url($url);
        $host = $parsed['host'] ?? '';
        
        // Block common localhost names
        if (in_array(strtolower($host), self::BLOCKED_HOSTS)) {
            return false;
        }
        
        // Resolve and check IP
        $ip = gethostbyname($host);
        return !$this->isPrivateOrReservedIp($ip);
    }
}

Priority

High - SSRF vulnerabilities can lead to significant security breaches in cloud environments.

Metadata

Metadata

Assignees

No one assigned

    Labels

    julesFor Jules AI to work onlang:phpPHP/Laravel

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions