mirror of
https://github.com/open-webui/open-webui.git
synced 2026-06-13 19:20:05 +00:00
Classic298
02b2a391e9
* fix: block private-IP webhook URLs to close SSRF on caller-controlled URL post_webhook(url, ...) in utils/webhook.py forwards the URL straight to aiohttp.ClientSession.post with no SSRF gate. The URL is caller-controlled on two surfaces: - User notification settings under ENABLE_USER_WEBHOOKS=true — any authenticated user can set the URL their notifications POST to. - Automation notification triggers (calendar alerts, etc.). Without a gate, the URL can target cloud metadata (169.254.169.254 / fd00:ec2::254), localhost-bound services, RFC1918 internal hosts, or any other private address reachable from the server process. Blind SSRF — no response body returned to the caller — but enough to enumerate internal services via response timing / status codes, and on cloud deployments enough to issue requests against IMDSv1 if available. Call validate_url() at the top of post_webhook. The function blocks private/reserved IPs when ENABLE_RAG_LOCAL_WEB_FETCH is False (the default), is the project's chosen SSRF gate, and is already applied to the equivalent fetch surfaces (retrieval, image-load, OAuth profile picture). Operators who legitimately need to webhook to private IPs (internal monitoring, self-hosted Slack alternatives, etc.) can set ENABLE_RAG_LOCAL_WEB_FETCH=True — same opt-out as the other gated surfaces. Scope intentionally limited to webhooks. The OAuth discovery and external reranker paths cwanglab also flagged are admin-configured with intentional private-IP defaults (reranker defaults to http://localhost:8080/v1/rerank) and are out of scope per Rule 9 — the admin owns the URL choice and the operator opt-out exists for them too. Reported by cwanglab in GHSA-5x9f-85cg-w3hf (cluster canonical with six closed siblings: g36v-23gj-j69x, 6j8f-h58v-xgmw, xpwv-52pm-p8hj, v9gp-hv2c-9qv8, fw7w-jrw7-p3v9, x7xq-74rg-m8mf). Co-authored-by: cwanglab <cwanglab@users.noreply.github.com> * fix: also pass allow_redirects=False on webhook post_webhook session.post Companion to the previous commit. validate_url() only validates the initial URL; aiohttp's default allow_redirects=True would still follow a 302 to a private-IP target. Same redirect-bypass class as the rh5x cluster's five call sites, sixth call site to receive the same gate. Co-authored-by: cwanglab <cwanglab@users.noreply.github.com> --------- Co-authored-by: cwanglab <cwanglab@users.noreply.github.com>
80 lines
2.9 KiB
Python
80 lines
2.9 KiB
Python
import json
|
|
import logging
|
|
|
|
import aiohttp
|
|
from open_webui.config import WEBUI_FAVICON_URL
|
|
from open_webui.env import (
|
|
AIOHTTP_CLIENT_ALLOW_REDIRECTS,
|
|
AIOHTTP_CLIENT_SESSION_SSL,
|
|
AIOHTTP_CLIENT_TIMEOUT,
|
|
VERSION,
|
|
)
|
|
from open_webui.retrieval.web.utils import validate_url
|
|
|
|
log = logging.getLogger(__name__)
|
|
|
|
|
|
# Let this message reach those for whom it was written, and
|
|
# may no network partition deny the word its destination.
|
|
async def post_webhook(name: str, url: str, message: str, event_data: dict) -> bool:
|
|
try:
|
|
log.debug(f'post_webhook: {url}, {message}, {event_data}')
|
|
# Block private-IP / loopback / cloud-metadata targets — the URL is
|
|
# caller-controlled (user notification settings under
|
|
# ENABLE_USER_WEBHOOKS, automation notification triggers).
|
|
validate_url(url)
|
|
payload = {}
|
|
|
|
# Slack and Google Chat Webhooks
|
|
if 'https://hooks.slack.com' in url or 'https://chat.googleapis.com' in url:
|
|
payload['text'] = message
|
|
# Discord Webhooks
|
|
elif 'https://discord.com/api/webhooks' in url:
|
|
payload['content'] = message if len(message) < 2000 else f'{message[: 2000 - 20]}... (truncated)'
|
|
# Microsoft Teams Webhooks
|
|
elif 'webhook.office.com' in url:
|
|
action = event_data.get('action', 'undefined')
|
|
user_data = event_data.get('user', '{}')
|
|
if isinstance(user_data, dict):
|
|
user_dict = user_data
|
|
else:
|
|
user_dict = json.loads(user_data)
|
|
facts = [{'name': name, 'value': value} for name, value in user_dict.items()]
|
|
payload = {
|
|
'@type': 'MessageCard',
|
|
'@context': 'http://schema.org/extensions',
|
|
'themeColor': '0076D7',
|
|
'summary': message,
|
|
'sections': [
|
|
{
|
|
'activityTitle': message,
|
|
'activitySubtitle': f'{name} ({VERSION}) - {action}',
|
|
'activityImage': WEBUI_FAVICON_URL,
|
|
'facts': facts,
|
|
'markdown': True,
|
|
}
|
|
],
|
|
}
|
|
# Default Payload
|
|
else:
|
|
payload = {**event_data}
|
|
|
|
log.debug(f'payload: {payload}')
|
|
async with aiohttp.ClientSession(
|
|
trust_env=True, timeout=aiohttp.ClientTimeout(total=AIOHTTP_CLIENT_TIMEOUT)
|
|
) as session:
|
|
async with session.post(
|
|
url,
|
|
json=payload,
|
|
ssl=AIOHTTP_CLIENT_SESSION_SSL,
|
|
allow_redirects=AIOHTTP_CLIENT_ALLOW_REDIRECTS,
|
|
) as r:
|
|
r_text = await r.text()
|
|
r.raise_for_status()
|
|
log.debug(f'r.text: {r_text}')
|
|
|
|
return True
|
|
except Exception as e:
|
|
log.exception(e)
|
|
return False
|