
feat: webhook callback url security #2524

Open
lfleischmann wants to merge 10 commits into main from feat-webhook-callback-url-security

Conversation


@lfleischmann lfleischmann commented Mar 19, 2026

Description

Implement webhook SSRF protections.

Implementation

Multi-Layer Validation

  • Config-time validation: Validates webhook URLs during configuration parsing
  • Runtime validation: Validates URLs before each webhook delivery with full DNS resolution
  • Redirect validation: Validates redirect targets when following HTTP redirects

Security Modes

Different modes are configurable:

public_only

  • Only allows callbacks to public, routable IP addresses
  • Blocks private networks, loopback, link-local, metadata endpoints

internal_only

  • Inverse of public_only, only allows callbacks to internal/non-public IP addresses

custom

  • Allowlist-first: explicitly permit private networks via CIDRs, hosts, or domains
  • More fine-grained restrictions than possible using blocklists

insecure (recommended for development only)

  • Bypasses IP checks (still validates schemes and respects blocklists)

Allow/Block Lists

Host-level control:

  • allowed_hosts / blocked_hosts: Exact hostname matching
  • allowed_domains / blocked_domains: Domain and subdomain matching
  • allowed_cidrs / blocked_cidrs: IP range matching

Redirect control:

  • follow_redirects: Enable/disable redirect following (default: false)
  • max_redirects: Limit redirect chains
  • Each redirect target is validated against security policy

IP Protection/Blocking for public mode

  • Private networks (RFC 1918): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  • Loopback addresses: 127.0.0.0/8, ::1
  • Link-local: 169.254.0.0/16, fe80::/10
  • Common metadata IPs/ranges
  • Reserved ranges: TEST-NET, benchmarking ranges, etc.
  • Multicast and unspecified addresses

Metadata Endpoint Blocking

  • Can be toggled via configuration (deny_metadata_endpoints)

IPv6 Metadata Ranges:

  • fe80::/10 - IPv6 link-local (used by cloud providers)
  • fc00::/7 - IPv6 Unique Local Addresses
  • fd00:ec2::254/128 - Common metadata range used by AWS EC2 metadata (IPv6)

Hostname-based Metadata Protection:

  • metadata.google.internal (GCP)
  • metadata.goog (GCP alternative)
  • 169.254.169.254.nip.io, *.xip.io, *.sslip.io (DNS rebinding bypass attempts)
  • metadata, instance-data (generic metadata hostnames)
  • 169-254-169-254.ec2.internal (AWS internal format)

Reserved IP Detection

  • Comprehensive RFC-documented reserved ranges
  • IPv6 support (::/128, 100::/64, 2001:db8::/32)
  • Shared-use addresses (100.64.0.0/10 - RFC 6598)

DNS Rebinding Mitigation

Attack Timeline:
1. Validation:  evil.com → 8.8.8.8 (public, passes validation)
2. [TIME GAP - Attacker changes DNS]
3. HTTP Request: evil.com → 10.0.0.5 (internal, EXPLOITED!)

IP Pinning with Custom Dialer

  1. Validation Phase: Resolve DNS and validate ALL returned IPs
  2. Capture IPs: Store validated IPs in ValidationResult
  3. Custom Transport: Create http.Transport with ValidatedDialer
  4. Pinned Connections: HTTP client connects ONLY to pre-validated IPs
  5. No Re-resolution: Completely bypasses DNS lookup during HTTP request
  6. Redirect Protection: Redirects are also validated and pinned

Other implementation notes

Avoid Circular Dependencies:

  • Created validation.SecurityPolicy type (mirrors config.WebhookSecurity)
  • Added WebhookSecurity.ToSecurityPolicy() converter

Configurable error sanitization

  • Configuration option sanitize_errors
  • Prevent potential exposure of info on IP structures
  • Still log detailed errors internally
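The mode and allow/block-list semantics described above, written out as an added Go example (Go being the project's language, judging by the http.Transport and ValidatedDialer references). This is not the PR's code: Policy, Allowed, MustCIDRs and the field names are assumptions made for the example, the ranges and metadata hostnames are the ones the description lists, and treating deny_metadata_endpoints as a blocklist that applies in every mode is an assumption. Scheme validation and DNS resolution happen before this check and are not shown; the caller runs Allowed over every address a name resolves to.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Mode names the four modes from the PR text. Policy is a hypothetical stand-in for the
// PR's SecurityPolicy; its field names are assumptions made for this example.
type Mode string

const PublicOnly, InternalOnly, Custom, Insecure Mode = "public_only", "internal_only", "custom", "insecure"

type Policy struct {
	Mode                           Mode
	AllowedDomains, BlockedDomains []string // an entry matches the host itself and any subdomain
	AllowedCIDRs, BlockedCIDRs     []*net.IPNet
	DenyMetadataEndpoints          bool
}

// nonPublic collects the ranges the PR lists as blocked in public mode, metadata ranges included.
var nonPublic = MustCIDRs(
	"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", // RFC 1918
	"127.0.0.0/8", "::1/128", "0.0.0.0/8", "::/128", // loopback, "this" network, unspecified
	"169.254.0.0/16", "fe80::/10", // link-local, where 169.254.169.254 lives
	"100.64.0.0/10", "fc00::/7", "fd00:ec2::254/128", // RFC 6598 shared, IPv6 ULA, AWS IMDS over IPv6
	"192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32", // TEST-NET-1/2/3, doc prefix
	"198.18.0.0/15", "100::/64", "224.0.0.0/4", "ff00::/8", // benchmarking, discard-only, multicast
)

// Hostnames the PR blocks when deny_metadata_endpoints is on; nip.io/xip.io/sslip.io encode an IP in the name.
var metadataNames = []string{"metadata.google.internal", "metadata.goog", "metadata",
	"instance-data", "169-254-169-254.ec2.internal", "nip.io", "xip.io", "sslip.io"}

func MustCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) { // Contains unwraps IPv4-mapped IPv6 (::ffff:10.0.0.1) via To4
			return true
		}
	}
	return false
}

func matches(host string, names []string) bool {
	for _, n := range names {
		if host == n || strings.HasSuffix(host, "."+n) {
			return true
		}
	}
	return false
}

func IsPublic(ip net.IP) bool { return ip.IsGlobalUnicast() && !inAny(ip, nonPublic) }

// Allowed decides one (host, resolved IP) pair. The caller runs it over EVERY address the name
// resolved to and refuses on the first error, so a mixed answer {8.8.8.8, 10.0.0.5} fails in public_only.
func Allowed(p Policy, host string, ip net.IP) error {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if matches(host, p.BlockedDomains) || inAny(ip, p.BlockedCIDRs) {
		return fmt.Errorf("%s -> %s is blocklisted", host, ip) // blocklists apply in every mode
	}
	if p.DenyMetadataEndpoints && matches(host, metadataNames) {
		return fmt.Errorf("%s is a metadata endpoint", host) // treated as a blocklist here (assumption)
	}
	pub := IsPublic(ip)
	ok := map[Mode]bool{
		Insecure:     true, // IP checks bypassed; blocklists were still applied above
		PublicOnly:   pub,
		InternalOnly: !pub,
		Custom:       pub || matches(host, p.AllowedDomains) || inAny(ip, p.AllowedCIDRs), // allowlist-first
	}[p.Mode] // an unknown mode yields false and is rejected
	if !ok {
		return fmt.Errorf("%s -> %s is not permitted in mode %q", host, ip, p.Mode)
	}
	return nil
}

func main() {
	p := Policy{Mode: PublicOnly, DenyMetadataEndpoints: true}
	// Constructed (host, answer) pairs standing in for resolver output.
	for _, c := range []struct{ host, ip string }{{"hooks.example", "8.8.8.8"}, {"evil.example", "10.0.0.5"},
		{"169.254.169.254", "169.254.169.254"}, {"169.254.169.254.nip.io", "8.8.8.8"}, {"localhost", "::ffff:127.0.0.1"}} {
		fmt.Printf("%-26s %-18s %v\n", c.host, c.ip, Allowed(p, c.host, net.ParseIP(c.ip)))
	}
}
```

The IPv4-mapped case is the one worth watching when porting this: a host that resolves to ::ffff:127.0.0.1 must be caught by the same IPv4 ranges, which net.IPNet.Contains does by unwrapping with To4; a checker that compares 16-byte addresses against IPv4 prefixes without that step lets the loopback through.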

@lfleischmann lfleischmann changed the title Feat webhook callback url security feat: webhook callback url security Mar 19, 2026
@lfleischmann lfleischmann marked this pull request as ready for review March 19, 2026 14:51
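The IP-pinning flow from the DNS Rebinding Mitigation section, as an added Go example rather than the PR's own implementation: Pinned, Validate, PinnedAddr and Client are assumed names, the per-IP policy and the resolver are injected, and the receiver, hostnames and DNS answers in main are constructed for the demo. It shows the three properties the description claims: DNS is consulted only in the validation phase, the dialer refuses any host that was never validated, and redirect targets are validated and pinned before they are followed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Pinned keeps validated DNS answers for reuse by the dialer; names here are assumptions, not the PR's.
type Pinned struct {
	allow   func(net.IP) bool              // per-IP policy; the PR's SecurityPolicy check plugs in here
	resolve func(string) ([]net.IP, error) // net.LookupIP in production; injected so this runs offline
	ips     map[string][]net.IP            // lowercase host -> validated answers
}

// Validate is the only place DNS is consulted: resolve once, check EVERY answer, store the set.
func (p *Pinned) Validate(host string) error {
	host = strings.ToLower(host)
	ips, err := p.resolve(host)
	if err != nil || len(ips) == 0 {
		return fmt.Errorf("resolve %q: %v (%d answers)", host, err, len(ips))
	}
	for _, ip := range ips {
		if !p.allow(ip) {
			return fmt.Errorf("%s resolved to disallowed address %s", host, ip)
		}
	}
	p.ips[host] = ips
	return nil
}

// PinnedAddr rewrites "host:port" to "<validated ip>:port". A host that never passed
// Validate is refused rather than resolved, so no dial can bypass the validation phase.
func (p *Pinned) PinnedAddr(addr string) (string, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return "", err
	}
	ips, ok := p.ips[strings.ToLower(host)]
	if !ok {
		return "", fmt.Errorf("dial refused: %q was never validated", host)
	}
	return net.JoinHostPort(ips[0].String(), port), nil
}

// Client plugs PinnedAddr into http.Transport.DialContext and validates (and pins) every redirect
// target before following it; maxRedirects == 0 means "do not follow", the PR's default.
func (p *Pinned) Client(maxRedirects int) *http.Client {
	return &http.Client{
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
				pinned, err := p.PinnedAddr(addr)
				if err != nil {
					return nil, err
				}
				return (&net.Dialer{Timeout: 5 * time.Second}).DialContext(ctx, network, pinned)
			},
		},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if maxRedirects == 0 {
				return http.ErrUseLastResponse // hand the 3xx back to the caller unfollowed
			}
			if len(via) >= maxRedirects {
				return errors.New("redirect limit exceeded")
			}
			return p.Validate(req.URL.Hostname())
		},
	}
}

func main() {
	// Constructed receiver on loopback; /hop redirects to a name that resolves to an internal IP.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, port, _ := net.SplitHostPort(r.Host); r.URL.Path == "/hop" {
			http.Redirect(w, r, "http://internal.test:"+port+"/", http.StatusFound)
			return
		}
		fmt.Fprint(w, "delivered")
	}))
	defer srv.Close()
	_, port, _ := net.SplitHostPort(srv.Listener.Addr().String())
	table := map[string][]net.IP{"hooks.test": {net.ParseIP("127.0.0.1")}, "internal.test": {net.ParseIP("10.0.0.5")}}
	p := &Pinned{
		allow:   func(ip net.IP) bool { return ip.IsLoopback() }, // demo-only policy: the receiver is on loopback
		resolve: func(h string) ([]net.IP, error) { return table[h], nil },
		ips:     map[string][]net.IP{},
	}
	fmt.Println("validate hooks.test:", p.Validate("hooks.test"))
	table["hooks.test"] = []net.IP{net.ParseIP("10.0.0.5")} // simulated rebinding after validation
	c := p.Client(3)
	if resp, err := c.Get("http://hooks.test:" + port + "/"); err != nil {
		fmt.Println("GET / after rebinding:", err)
	} else {
		fmt.Println("GET / after rebinding: status", resp.StatusCode, "via the pinned 127.0.0.1")
		resp.Body.Close()
	}
	_, err := c.Get("http://hooks.test:" + port + "/hop") // redirect to internal.test fails validation
	fmt.Println("GET /hop:", err)
}
```

Two details matter when doing this for real. The dialer rewrites only the TCP address, so for https the transport still sends the URL's hostname as SNI and verifies the certificate against it, which is what makes pinning safe to combine with TLS. And the loopback-only policy in main exists only because the demo receiver lives on 127.0.0.1; a production policy in public_only mode would refuse it.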
