From 02b2a391e9d7c989f9a8926b6512d346fcd43ae2 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Mon, 1 Jun 2026 23:15:51 +0200 Subject: [PATCH] fix: block private-IP webhook URLs to close SSRF on caller-controlled URL (#24587) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: block private-IP webhook URLs to close SSRF on caller-controlled URL post_webhook(url, ...) in utils/webhook.py forwards the URL straight to aiohttp.ClientSession.post with no SSRF gate. The URL is caller-controlled on two surfaces: - User notification settings under ENABLE_USER_WEBHOOKS=true — any authenticated user can set the URL their notifications POST to. - Automation notification triggers (calendar alerts, etc.). Without a gate, the URL can target cloud metadata (169.254.169.254 / fd00:ec2::254), localhost-bound services, RFC1918 internal hosts, or any other private address reachable from the server process. Blind SSRF — no response body returned to the caller — but enough to enumerate internal services via response timing / status codes, and on cloud deployments enough to issue requests against IMDSv1 if available. Call validate_url() at the top of post_webhook. The function blocks private/reserved IPs when ENABLE_RAG_LOCAL_WEB_FETCH is False (the default), is the project's chosen SSRF gate, and is already applied to the equivalent fetch surfaces (retrieval, image-load, OAuth profile picture). Operators who legitimately need to webhook to private IPs (internal monitoring, self-hosted Slack alternatives, etc.) can set ENABLE_RAG_LOCAL_WEB_FETCH=True — same opt-out as the other gated surfaces. Scope intentionally limited to webhooks. The OAuth discovery and external reranker paths cwanglab also flagged are admin-configured with intentional private-IP defaults (reranker defaults to http://localhost:8080/v1/rerank) and are out of scope per Rule 9 — the admin owns the URL choice and the operator opt-out exists for them too. Reported by cwanglab in GHSA-5x9f-85cg-w3hf (cluster canonical with six closed siblings: g36v-23gj-j69x, 6j8f-h58v-xgmw, xpwv-52pm-p8hj, v9gp-hv2c-9qv8, fw7w-jrw7-p3v9, x7xq-74rg-m8mf). Co-authored-by: cwanglab * fix: also pass allow_redirects=False on webhook post_webhook session.post Companion to the previous commit. validate_url() only validates the initial URL; aiohttp's default allow_redirects=True would still follow a 302 to a private-IP target. Same redirect-bypass class as the rh5x cluster's five call sites, sixth call site to receive the same gate. Co-authored-by: cwanglab --------- Co-authored-by: cwanglab --- backend/open_webui/utils/webhook.py | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/backend/open_webui/utils/webhook.py b/backend/open_webui/utils/webhook.py index 616d2611aa..8a65f348a8 100644 --- a/backend/open_webui/utils/webhook.py +++ b/backend/open_webui/utils/webhook.py @@ -3,7 +3,13 @@ import logging import aiohttp from open_webui.config import WEBUI_FAVICON_URL -from open_webui.env import AIOHTTP_CLIENT_SESSION_SSL, AIOHTTP_CLIENT_TIMEOUT, VERSION +from open_webui.env import ( + AIOHTTP_CLIENT_ALLOW_REDIRECTS, + AIOHTTP_CLIENT_SESSION_SSL, + AIOHTTP_CLIENT_TIMEOUT, + VERSION, +) +from open_webui.retrieval.web.utils import validate_url log = logging.getLogger(__name__) @@ -13,6 +19,10 @@ log = logging.getLogger(__name__) async def post_webhook(name: str, url: str, message: str, event_data: dict) -> bool: try: log.debug(f'post_webhook: {url}, {message}, {event_data}') + # Block private-IP / loopback / cloud-metadata targets — the URL is + # caller-controlled (user notification settings under + # ENABLE_USER_WEBHOOKS, automation notification triggers). + validate_url(url) payload = {} # Slack and Google Chat Webhooks @@ -53,7 +63,12 @@ async def post_webhook(name: str, url: str, message: str, event_data: dict) -> b async with aiohttp.ClientSession( trust_env=True, timeout=aiohttp.ClientTimeout(total=AIOHTTP_CLIENT_TIMEOUT) ) as session: - async with session.post(url, json=payload, ssl=AIOHTTP_CLIENT_SESSION_SSL) as r: + async with session.post( + url, + json=payload, + ssl=AIOHTTP_CLIENT_SESSION_SSL, + allow_redirects=AIOHTTP_CLIENT_ALLOW_REDIRECTS, + ) as r: r_text = await r.text() r.raise_for_status() log.debug(f'r.text: {r_text}')