add validate webhhook address

Signed-off-by: lengrongfu <[email protected]>
goharbor · Jul 25, 2023 · e6495ea · e6495ea
1 parent 320c0d6
commit e6495ea
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 0 deletions.
diff --git a/src/server/v2.0/handler/webhook.go b/src/server/v2.0/handler/webhook.go
@@ -17,7 +17,9 @@ package handler
 import (
 	"context"
 	"fmt"
+	"net"
 	"strings"
+	"time"
 
 	"github.com/go-openapi/runtime/middleware"
 	"github.com/go-openapi/strfmt"
@@ -414,6 +416,10 @@ func (n *webhookAPI) validateTargets(policy *policy_model.Policy) (bool, error)
 		// Prevent SSRF security issue #3755
 		target.Address = url.Scheme + "://" + url.Host + url.Path
 
+		if err := validateAddress(target.Address); err != nil {
+			return false, errors.New(err).WithCode(errors.BadRequestCode)
+		}
+
 		if !isNotifyTypeSupported(target.Type) {
 			return false, errors.New(nil).WithMessage("unsupported target type %s with policy %s", target.Type, policy.Name).WithCode(errors.BadRequestCode)
 		}
@@ -475,6 +481,18 @@ func (n *webhookAPI) constructPolicyWithTriggerTime(ctx context.Context, policie
 	return res, nil
 }
 
+// validateAddress validate the address is connectable
+func validateAddress(address string) error {
+	url, _ := utils.ParseEndpoint(address)
+
+	conn, err := net.DialTimeout("tcp", fmt.Sprintf("%s:%s", url.Hostname(), url.Port()), time.Second*10)
+	if err != nil {
+		return errors.New(err).WithCode(errors.BadRequestCode)
+	}
+	defer conn.Close()
+	return nil
+}
+
 func isEventTypeSupported(eventType string) bool {
 	for _, t := range notification.GetSupportedEventTypes() {
 		if t.String() == eventType {

diff --git a/src/server/v2.0/handler/webhook_test.go b/src/server/v2.0/handler/webhook_test.go
@@ -17,6 +17,8 @@ package handler
 import (
 	"fmt"
 	"io"
+	"net/http"
+	"net/http/httptest"
 	"testing"
 	"time"
 
@@ -232,6 +234,22 @@ func (suite *WebhookTestSuite) TestGetSupportedEventTypes() {
 	suite.Len(body.NotifyType, len(notification.GetSupportedNotifyTypes()))
 }
 
+func (suite *WebhookTestSuite) Test_validateAddress() {
+	err := validateAddress("http://123:8080")
+	suite.Error(err)
+
+	err = validateAddress("https://1.2.3.4")
+	suite.Error(err)
+
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, "Hello, World!")
+	})
+	server := httptest.NewServer(handler)
+	defer server.Close()
+	err = validateAddress(server.URL)
+	suite.NoError(err)
+}
+
 func TestWebhookTestSuite(t *testing.T) {
 	suite.Run(t, &WebhookTestSuite{})
 }