Elgato_dark/documenso
1
0
Fork 0
mirror of https://github.com/documenso/documenso synced 2026-04-21 21:37:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 6
documenso/packages/lib/server-only/webhooks/execute-webhook-call.ts
Lucas Smith 6b1b1d0417
fix: improve webhook execution (#2608) 
Webhook URLs were being fetched without validating whether they
resolved to private/loopback addresses, exposing the server to SSRF.

Current SSRF is best effort and fail open, you should never host
services that
you cant risk exposure of.

This extracts webhook execution into a shared module that validates
URLs against private IP ranges (including DNS resolution), enforces
timeouts, and disables redirect following. The resend route now
queues through the job system instead of calling fetch inline.
2026-03-13 15:02:09 +11:00

60 lines
1.4 KiB
TypeScript
Raw Blame History

import type { Prisma } from '@prisma/client';
import { fetchWithTimeout } from '../../utils/timeout';
import { assertNotPrivateUrl } from './assert-webhook-url';
const WEBHOOK_TIMEOUT_MS = 10_000;
export type WebhookCallResult = {
success: boolean;
responseCode: number;
responseBody: Prisma.InputJsonValue | Prisma.JsonNullValueInput;
responseHeaders: Record<string, string>;
};
const parseBody = (text: string): Prisma.InputJsonValue => {
try {
return JSON.parse(text);
} catch {
return text;
}
};
export const executeWebhookCall = async (options: {
url: string;
body: unknown;
secret: string | null;
}): Promise<WebhookCallResult> => {
const { url, body, secret } = options;
try {
await assertNotPrivateUrl(url);
const response = await fetchWithTimeout(url, {
method: 'POST',
body: JSON.stringify(body),
redirect: 'manual',
timeoutMs: WEBHOOK_TIMEOUT_MS,
headers: {
'Content-Type': 'application/json',
'X-Documenso-Secret': secret ?? '',
},
});
const text = await response.text();
return {
success: response.ok,
responseCode: response.status,
responseBody: parseBody(text),
responseHeaders: Object.fromEntries(response.headers.entries()),
};
} catch (err) {
return {
success: false,
responseCode: 0,
responseBody: err instanceof Error ? err.message : 'Unknown error',
responseHeaders: {},
};
}
};
Reference in a new issue View git blame Copy permalink