[Feature] : add secure redirects in webhook dispatches#3127

Open
hrshjswniii wants to merge 6 commits into
Priyanshu-byte-coder:mainfrom
hrshjswniii:feature/Redirects-in-Webhook-Dispatches

Conversation

@hrshjswniii


Summary

This PR enhances the custom webhook dispatch engine to safely traverse HTTP redirects (3xx status codes) up to a limit of 3 hops. It resolves relative location URLs and ensures that SSRF safety checks are performed at each hop's destination before dispatching, preventing delivery failures for webhooks behind URL shorteners or dynamic API gateways.

Closes #3043


Type of Change

  • 🐛 Bug fix (non-breaking change that fixes an issue)
  • ✨ New feature (non-breaking change that adds functionality)
  • 💥 Breaking change (fix or feature that changes existing behavior)
  • 📝 Documentation update
  • ♻️ Refactor / code cleanup (no functional change)
  • ⚡ Performance improvement
  • 🔒 Security fix
  • 🧪 Tests only

What Changed

  • Webhook Engine (src/lib/webhooks.ts):
    • Implemented an iterative request loop with a limit of 3 redirect hops inside dispatchWebhook to follow 301, 302, 303, 307, and 308 redirect headers.
    • Used new URL(location, currentUrl) to support resolving relative redirect paths.
    • Enforced isSafeUrl verification on every target redirect location to prevent SSRF vulnerabilities.
  • Redirection Unit Tests (test/webhooks.test.ts):
    • Added test cases verifying successful redirects to valid destinations.
    • Added test cases validating relative paths resolution (e.g. /webhook-final).
    • Added test cases confirming that redirects to private or unsafe IP ranges are blocked on the redirect hop.
    • Added test cases checking that redirect chains exceeding 3 hops terminate gracefully.

How to Test

  1. Ensure dependencies are installed.
  2. Run the test suite on the webhook package to verify the redirect logic:
    node node_modules/vitest/vitest.mjs run test/webhooks.test.ts
  3. Verify that all 64 unit tests pass, highlighting the 4 new redirection tests.

Expected result:
All tests pass successfully.


Checklist

  • Linked the related issue above
  • Self-reviewed my own diff
  • No unnecessary console.log, debug code, or commented-out blocks
  • npm run lint passes locally
  • No TypeScript errors (npm run type-check)
  • Added or updated tests where applicable
  • Updated documentation / comments if behavior changed

Additional Context

  • The redirect limit is securely capped at 3 hops to balance flexibility with webhook execution limits in serverless deployments.
  • No signature configuration changed; standard signatures are generated and signed against the original JSON payload.

@github-actions github-actions Bot added gssoc26 GSSoC 2026 contribution type:feature GSSoC type bonus: new feature type:testing GSSoC type bonus: tests (+10 pts) type:bug GSSoC type bonus: bug fix type:design GSSoC type bonus: UI/design (+10 pts) type:performance GSSoC type bonus: performance (+15 pts) labels Jul 4, 2026
@github-actions

github-actions Bot commented Jul 4, 2026


GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

  • level:beginner — 20 pts
  • level:intermediate — 35 pts
  • level:advanced — 55 pts
  • level:critical — 80 pts

Quality (optional):

  • quality:clean — ×1.2 multiplier
  • quality:exceptional — ×1.5 multiplier

Validation (required to score):

  • gssoc:approved — counts for points
  • gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

Development

Successfully merging this pull request may close these issues.

[FEAT] : Secure Redirects in Webhook Dispatches

1 participant