-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Only allow webhook to send requests to allowed hosts (backport #17482) #17510
Merged
zeripath
merged 4 commits into
go-gitea:release/v1.15
from
wxiaoguang:backport-webhook-request
Nov 6, 2021
Merged
Only allow webhook to send requests to allowed hosts (backport #17482) #17510
zeripath
merged 4 commits into
go-gitea:release/v1.15
from
wxiaoguang:backport-webhook-request
Nov 6, 2021
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
wxiaoguang
added
type/enhancement
An improvement of existing functionality
topic/security
Something leaks user information or is otherwise vulnerable. Should be fixed!
labels
Nov 1, 2021
delvh
approved these changes
Nov 1, 2021
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do have to wonder: What are the three extra lines you deleted?
GiteaBot
added
the
lgtm/need 1
This PR needs approval from one additional maintainer to be merged.
label
Nov 1, 2021
"the three extra lines you deleted": What lines do you mean? |
lafriks
requested changes
Nov 2, 2021
lunny
reviewed
Nov 3, 2021
richmahn
approved these changes
Nov 5, 2021
GiteaBot
added
lgtm/done
This PR has enough approvals to get merged. There are no important open reservations anymore.
and removed
lgtm/need 1
This PR needs approval from one additional maintainer to be merged.
labels
Nov 5, 2021
@lafriks awaiting your review |
lafriks
approved these changes
Nov 6, 2021
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
lgtm/done
This PR has enough approvals to get merged. There are no important open reservations anymore.
topic/security
Something leaks user information or is otherwise vulnerable. Should be fixed!
type/enhancement
An improvement of existing functionality
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport #17482 (as requested in the PR)
For security reasons, the webhook should only send requests to allowed hosts.
This PR introduces a setting option:
ALLOWED_HOST_LIST
: external: Webhook can only call allowed hosts for security reasons. Comma separated list:loopback
,private
,external
, or*
, or CIDR list (1.2.3.0/8), or wildcard hosts (*.mydomain.com)