viscous/espocrm
1
0
Fork 0
mirror of https://github.com/espocrm/espocrm.git synced 2026-06-27 22:46:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

url check webhook

Browse Source
This commit is contained in:
Yurii
2026-03-23 09:28:27 +02:00
parent dca03cc345
commit 50f07e2da1
2 changed files with 31 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
application/Espo/Core/Utils/Security/UrlCheck.php
View File

@@ -130,14 +130,17 @@ class UrlCheck
/**
* @param string[] $resolve
* @param string[] $allowed An allowed address list in the `{host}:{port}` format.
* @internal
*/
public function validateCurlResolveNotInternal(array $resolve): bool
public function validateCurlResolveNotInternal(array $resolve, array $allowed = []): bool
{
if ($resolve === []) {
return false;
}
$ipAddresses = [];
foreach ($resolve as $item) {
$arr = explode(':', $item, 3);
@@ -146,11 +149,21 @@ class UrlCheck
}
$ipAddress = $arr[2];
$port = $arr[1];
$domain = $arr[0];
if (in_array("$ipAddress:$port", $allowed) || in_array("$domain:$port", $allowed)) {
return true;
}
if (str_starts_with($ipAddress, '[') && str_ends_with($ipAddress, ']')) {
$ipAddress = substr($ipAddress, 1, -1);
}
$ipAddresses[] = $ipAddress;
}
foreach ($ipAddresses as $ipAddress) {
if (!$this->hostCheck->ipAddressIsNotInternal($ipAddress)) {
return false;
}

17
application/Espo/Core/Webhook/Sender.php
View File

@@ -100,6 +100,19 @@ class Sender
throw new Error("URL '$url' points to an internal host, not allowed.");
}
$resolve = $this->urlCheck->getCurlResolve($url);
if ($resolve === []) {
throw new Error("Could not resolve the host.");
}
/** @var string[] $allowedAddressList */
$allowedAddressList = $this->config->get('webhookAllowedAddressList') ?? [];
if ($resolve !== null && !$this->urlCheck->validateCurlResolveNotInternal($resolve, $allowedAddressList)) {
throw new Error("Forbidden host.");
}
$handler = curl_init($url);
if ($handler === false) {
@@ -118,6 +131,10 @@ class Sender
curl_setopt($handler, \CURLOPT_HTTPHEADER, $headerList);
curl_setopt($handler, \CURLOPT_POSTFIELDS, $payload);
if ($resolve) {
curl_setopt($handler, CURLOPT_RESOLVE, $resolve);
}
curl_exec($handler);
$code = curl_getinfo($handler, \CURLINFO_HTTP_CODE);