Logflare / logflare / 6658d9486152f4614e9074597d5a573911d2d819

81%

push

github

fix: SSRF vulnerability in WebhookAdaptor URL validation (#3420)

* Fix SSRF vulnerability in WebhookAdaptor URL validation

* Extract IP-blocking helpers to Logflare.Utils.SSRF, condense tests

* Explicitly block AWS EC2 IMDS IPv6 endpoint (fd00:ec2::254)

* Remove redundant explicit AWS IMDS IPv6 clause, keep coverage in test

* Refactor check_hostname_ssrf into composed private functions

* Fix DNS TOCTOU / rebinding: enforce SSRF check at request time

Adds SSRF.safe_resolve/1 which returns the resolved IP address (not just
:ok), and a new SSRFProtection Tesla middleware that re-checks on every
outbound webhook request. For HTTP URLs the middleware rewrites the URL
to the resolved IP so Finch connects directly without re-resolving DNS,
closing the TOCTOU window entirely. For HTTPS, DNS re-resolution is
checked at request time and TLS certificate validation provides a
secondary defence.

Also simplifies validate_no_ssrf/1 in WebhookAdaptor to delegate to
SSRF.safe_resolve, removing the now-redundant private resolution
functions.

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Brian <brianshan@gmail.com>

33 of 34 new or added lines in 4 files covered. (97.06%)

12685 of 15760 relevant lines covered (80.49%)

3802.91 hits per line