SECURITY: Expand and improve SSRF Protections (#18815)

See https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com> Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
2025-05-24 03:36:18 +08:00 · 2022-11-01 16:33:17 +00:00
parent 695b44269b
commit 68b4fe4cf8
42 changed files with 1164 additions and 443 deletions
--- a/spec/requests/admin/web_hooks_controller_spec.rb
+++ b/spec/requests/admin/web_hooks_controller_spec.rb
@ -94,5 +94,63 @@ RSpec.describe Admin::WebHooksController do
        expect(job_args["event_type"]).to eq("ping")
      end
    end
+
+    describe '#redeliver_event' do
+      let!(:web_hook_event) do
+        WebHookEvent.create!(
+          web_hook: web_hook,
+          payload: "abc",
+          headers: JSON.dump(aa: "1", bb: "2"),
+        )
+      end
+
+      it 'emits the web hook and updates the response headers and body' do
+        stub_request(:post, web_hook.payload_url)
+          .with(body: "abc", headers: { "aa" => 1, "bb" => 2 })
+          .to_return(
+            status: 402,
+            body: "efg",
+            headers: { "Content-Type" => "application/json", "yoo" => "man" }
+          )
+        post "/admin/api/web_hooks/#{web_hook.id}/events/#{web_hook_event.id}/redeliver.json"
+        expect(response.status).to eq(200)
+
+        parsed_event = response.parsed_body["web_hook_event"]
+        expect(parsed_event["id"]).to eq(web_hook_event.id)
+        expect(parsed_event["status"]).to eq(402)
+
+        expect(JSON.parse(parsed_event["headers"])).to eq({ "aa" => "1", "bb" => "2" })
+        expect(parsed_event["payload"]).to eq("abc")
+
+        expect(JSON.parse(parsed_event["response_headers"])).to eq({ "content-type" => "application/json", "yoo" => "man" })
+        expect(parsed_event["response_body"]).to eq("efg")
+      end
+
+      it "doesn't emit the web hook if the payload URL resolves to an internal IP" do
+        FinalDestination::TestHelper.stub_to_fail do
+          post "/admin/api/web_hooks/#{web_hook.id}/events/#{web_hook_event.id}/redeliver.json"
+        end
+        expect(response.status).to eq(200)
+
+        parsed_event = response.parsed_body["web_hook_event"]
+        expect(parsed_event["id"]).to eq(web_hook_event.id)
+        expect(parsed_event["response_headers"]).to eq({ error: I18n.t("webhooks.payload_url.blocked_or_internal") }.to_json)
+        expect(parsed_event["status"]).to eq(-1)
+        expect(parsed_event["response_body"]).to eq(nil)
+      end
+
+      it "doesn't emit the web hook if the payload URL resolves to a blocked IP" do
+        FinalDestination::TestHelper.stub_to_fail do
+          post "/admin/api/web_hooks/#{web_hook.id}/events/#{web_hook_event.id}/redeliver.json"
+        end
+        expect(response.status).to eq(200)
+
+        parsed_event = response.parsed_body["web_hook_event"]
+        expect(parsed_event["id"]).to eq(web_hook_event.id)
+        expect(parsed_event["response_headers"]).to eq({ error: I18n.t("webhooks.payload_url.blocked_or_internal") }.to_json)
+        expect(parsed_event["status"]).to eq(-1)
+        expect(parsed_event["response_body"]).to eq(nil)
+      end
+    end
  end
 end