mirror of
https://github.com/open-webui/open-webui.git
synced 2026-06-13 19:20:05 +00:00
02b2a391e9
* fix: block private-IP webhook URLs to close SSRF on caller-controlled URL

post_webhook(url, ...) in utils/webhook.py forwards the URL straight to aiohttp.ClientSession.post with no SSRF gate. The URL is caller-controlled on two surfaces:

- User notification settings under ENABLE_USER_WEBHOOKS=true — any authenticated user can set the URL their notifications POST to.
- Automation notification triggers (calendar alerts, etc.).

Without a gate, the URL can target cloud metadata (169.254.169.254 / fd00:ec2::254), localhost-bound services, RFC1918 internal hosts, or any other private address reachable from the server process. Blind SSRF — no response body returned to the caller — but enough to enumerate internal services via response timing / status codes, and on cloud deployments enough to issue requests against IMDSv1 if available.

Call validate_url() at the top of post_webhook. The function blocks private/reserved IPs when ENABLE_RAG_LOCAL_WEB_FETCH is False (the default), is the project's chosen SSRF gate, and is already applied to the equivalent fetch surfaces (retrieval, image-load, OAuth profile picture). Operators who legitimately need to webhook to private IPs (internal monitoring, self-hosted Slack alternatives, etc.) can set ENABLE_RAG_LOCAL_WEB_FETCH=True — same opt-out as the other gated surfaces.

Scope intentionally limited to webhooks. The OAuth discovery and external reranker paths cwanglab also flagged are admin-configured with intentional private-IP defaults (reranker defaults to http://localhost:8080/v1/rerank) and are out of scope per Rule 9 — the admin owns the URL choice and the operator opt-out exists for them too.

Reported by cwanglab in GHSA-5x9f-85cg-w3hf (cluster canonical with six closed siblings: g36v-23gj-j69x, 6j8f-h58v-xgmw, xpwv-52pm-p8hj, v9gp-hv2c-9qv8, fw7w-jrw7-p3v9, x7xq-74rg-m8mf).

Co-authored-by: cwanglab <cwanglab@users.noreply.github.com>

* fix: also pass allow_redirects=False on webhook post_webhook session.post

Companion to the previous commit. validate_url() only validates the initial URL; aiohttp's default allow_redirects=True would still follow a 302 to a private-IP target. Same redirect-bypass class as the rh5x cluster's five call sites, sixth call site to receive the same gate.

Co-authored-by: cwanglab <cwanglab@users.noreply.github.com>

---------

Co-authored-by: cwanglab <cwanglab@users.noreply.github.com>