Skip to content

fix(security): prevent TOCTOU DNS rebinding SSRF in webhooks#3173

Closed
nyxsky404 wants to merge 3 commits into
Priyanshu-byte-coder:mainfrom
nyxsky404:fix/dns-rebinding-ssrf
Closed

fix(security): prevent TOCTOU DNS rebinding SSRF in webhooks#3173
nyxsky404 wants to merge 3 commits into
Priyanshu-byte-coder:mainfrom
nyxsky404:fix/dns-rebinding-ssrf

Conversation

@nyxsky404

Copy link
Copy Markdown
Contributor

This PR fixes a critical TOCTOU (Time-of-Check to Time-of-Use) vulnerability in the webhook dispatch system. Previously, isSafeUrl performed a DNS resolution to verify the IP, but fetch subsequently performed a second DNS resolution. This allowed attackers to use DNS rebinding (with a low TTL) to bypass SSRF protections and hit internal networks (e.g. 169.254.169.254 or localhost). The fix updates isSafeUrl to return the explicitly validated IP address, which is then passed directly to fetch while pinning the Host header to the original URL's hostname. Fixes #3169.

@github-actions github-actions Bot added type:bug GSSoC type bonus: bug fix type:feature GSSoC type bonus: new feature type:performance GSSoC type bonus: performance (+15 pts) gssoc26 GSSoC 2026 contribution type:security GSSoC type bonus: security (+20 pts) labels Jul 8, 2026
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

  • level:beginner — 20 pts
  • level:intermediate — 35 pts
  • level:advanced — 55 pts
  • level:critical — 80 pts

Quality (optional):

  • quality:clean — ×1.2 multiplier
  • quality:exceptional — ×1.5 multiplier

Validation (required to score):

  • gssoc:approved — counts for points
  • gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

@github-actions github-actions Bot added the type:testing GSSoC type bonus: tests (+10 pts) label Jul 8, 2026
@Priyanshu-byte-coder

Copy link
Copy Markdown
Owner

Solid, thorough change and CI is green — but there's a runtime defect the tests don't catch. In dispatchWebhook you set fetchUrl.hostname = ip and then call fetch(). For HTTPS webhooks that breaks TLS: undici connects to the IP, uses the IP as the SNI servername, and validates the server certificate against the IP rather than the original hostname — so real HTTPS deliveries fail with ERR_TLS_CERT_ALTNAME_INVALID. The unit test mocks fetch, so it passes anyway. Correctly pinning the resolved IP while keeping TLS valid needs a raw https.request with servername set to the original hostname (SNI) plus a Host header — which is exactly what #2669 does. Closing in favor of consolidating the TOCTOU fix there. Thanks for the careful work on the call-site refactor.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gssoc26 GSSoC 2026 contribution type:bug GSSoC type bonus: bug fix type:feature GSSoC type bonus: new feature type:performance GSSoC type bonus: performance (+15 pts) type:security GSSoC type bonus: security (+20 pts) type:testing GSSoC type bonus: tests (+10 pts)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] TOCTOU DNS Rebinding Vulnerability in Webhook Dispatch

2 participants