fix(security): prevent TOCTOU DNS rebinding SSRF in webhooks#3173
fix(security): prevent TOCTOU DNS rebinding SSRF in webhooks#3173nyxsky404 wants to merge 3 commits into
Conversation
GSSoC Label Checklist 🏷️@Priyanshu-byte-coder — please apply the appropriate labels before merging: Difficulty (pick one):
Quality (optional):
Validation (required to score):
|
|
Solid, thorough change and CI is green — but there's a runtime defect the tests don't catch. In |
This PR fixes a critical TOCTOU (Time-of-Check to Time-of-Use) vulnerability in the webhook dispatch system. Previously,
isSafeUrlperformed a DNS resolution to verify the IP, butfetchsubsequently performed a second DNS resolution. This allowed attackers to use DNS rebinding (with a low TTL) to bypass SSRF protections and hit internal networks (e.g. 169.254.169.254 or localhost). The fix updatesisSafeUrlto return the explicitly validated IP address, which is then passed directly tofetchwhile pinning theHostheader to the original URL's hostname. Fixes #3169.