Only allow webhook to send requests to allowed hosts (#17482)

1 files changed, 11 insertions, 8 deletions

diff --git a/modules/setting/webhook.go b/modules/setting/webhook.go
index 8ef54f5cbe..acd5bd0455 100644
--- a/modules/setting/webhook.go
+++ b/modules/setting/webhook.go
@@ -7,20 +7,22 @@ package setting
 import (
 	"net/url"
 
+	"code.gitea.io/gitea/modules/hostmatcher"
 	"code.gitea.io/gitea/modules/log"
 )
 
 var (
 	// Webhook settings
 	Webhook = struct {
-		QueueLength    int
-		DeliverTimeout int
-		SkipTLSVerify  bool
-		Types          []string
-		PagingNum      int
-		ProxyURL       string
-		ProxyURLFixed  *url.URL
-		ProxyHosts     []string
+		QueueLength     int
+		DeliverTimeout  int
+		SkipTLSVerify   bool
+		AllowedHostList *hostmatcher.HostMatchList
+		Types           []string
+		PagingNum       int
+		ProxyURL        string
+		ProxyURLFixed   *url.URL
+		ProxyHosts      []string
 	}{
 		QueueLength:    1000,
 		DeliverTimeout: 5,
@@ -36,6 +38,7 @@ func newWebhookService() {
 	Webhook.QueueLength = sec.Key("QUEUE_LENGTH").MustInt(1000)
 	Webhook.DeliverTimeout = sec.Key("DELIVER_TIMEOUT").MustInt(5)
 	Webhook.SkipTLSVerify = sec.Key("SKIP_TLS_VERIFY").MustBool()
+	Webhook.AllowedHostList = hostmatcher.ParseHostMatchList(sec.Key("ALLOWED_HOST_LIST").MustString(hostmatcher.MatchBuiltinExternal))
 	Webhook.Types = []string{"gitea", "gogs", "slack", "discord", "dingtalk", "telegram", "msteams", "feishu", "matrix", "wechatwork"}
 	Webhook.PagingNum = sec.Key("PAGING_NUM").MustInt(10)
 	Webhook.ProxyURL = sec.Key("PROXY_URL").MustString("")