feat(webhook): add private IP checks and DNS validation for webhook delivery

Dobrunia · Dobrunia · commit 8acee1459de6 · 2026-02-18T15:28:00.000+03:00
diff --git a/workers/webhook/src/deliverer.ts b/workers/webhook/src/deliverer.ts
@@ -1,5 +1,6 @@
 import https from 'https';
 import http from 'http';
+import dns from 'dns';
 import { createLogger, format, Logger, transports } from 'winston';
 import { WebhookDelivery } from '../types/template';
 
@@ -13,6 +14,36 @@ const DELIVERY_TIMEOUT_MS = 10000;
  */
 const HTTP_ERROR_STATUS = 400;
 
+/**
+ * Checks whether an IPv4 or IPv6 address belongs to a private/reserved range.
+ * Blocks loopback, link-local, RFC1918, metadata IPs and IPv6 equivalents.
+ */
+function isPrivateIP(ip: string): boolean {
+  const parts = ip.split('.').map(Number);
+
+  if (parts.length === 4 && parts.every((p) => p >= 0 && p <= 255)) {
+    return (
+      parts[0] === 127 ||
+      parts[0] === 10 ||
+      parts[0] === 0 ||
+      (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) ||
+      (parts[0] === 192 && parts[1] === 168) ||
+      (parts[0] === 169 && parts[1] === 254) ||
+      (parts[0] === 100 && parts[1] >= 64 && parts[1] <= 127)
+    );
+  }
+
+  const lower = ip.toLowerCase();
+
+  return (
+    lower === '::1' ||
+    lower.startsWith('fe80') ||
+    lower.startsWith('fc') ||
+    lower.startsWith('fd') ||
+    lower === '::')
+  ;
+}
+
 /**
  * Deliverer sends JSON POST requests to external webhook endpoints
  */
@@ -45,6 +76,35 @@ export default class WebhookDeliverer {
   public async deliver(endpoint: string, delivery: WebhookDelivery): Promise<void> {
     const body = JSON.stringify(delivery);
     const url = new URL(endpoint);
+
+    if (url.protocol !== 'https:' && url.protocol !== 'http:') {
+      this.logger.log('error', `Webhook blocked — unsupported protocol: ${url.protocol} for ${endpoint}`);
+
+      return;
+    }
+
+    const hostname = url.hostname;
+
+    if (isPrivateIP(hostname)) {
+      this.logger.log('error', `Webhook blocked — private IP in URL: ${endpoint}`);
+
+      return;
+    }
+
+    try {
+      const { address } = await dns.promises.lookup(hostname);
+
+      if (isPrivateIP(address)) {
+        this.logger.log('error', `Webhook blocked — ${hostname} resolves to private IP ${address}`);
+
+        return;
+      }
+    } catch (e) {
+      this.logger.log('error', `Webhook blocked — DNS lookup failed for ${hostname}: ${(e as Error).message}`);
+
+      return;
+    }
+
     const transport = url.protocol === 'https:' ? https : http;
 
     return new Promise<void>((resolve) => {
