Module: Webhooks::Outgoing::UriFiltering

Extended by:
ActiveSupport::Concern
Included in:
DeliveryAttemptSupport, EndpointSupport
Defined in:
app/models/concerns/webhooks/outgoing/uri_filtering.rb

Defined Under Namespace

Classes: AllowedUriValidator


Instance Method Details

#_allowed_uri?(uri) ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/models/concerns/webhooks/outgoing/uri_filtering.rb', line 102

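# Decides whether an outgoing webhook may target +uri+.
#
# Checks run in this order; the first one that decides wins:
#   1. a blank URI is allowed (presence is validated elsewhere);
#   2. +uri.scheme+ must be listed in +allowed_schemes+, and the URI must
#      carry a hostname;
#   3. +blocked_hostnames+, then +allowed_hostnames+, each entry being a
#      String compared for equality or a Regexp matched against the
#      lower-cased hostname;
#   4. +custom_allow_callback+, then +custom_block_callback+, each invoked
#      with (self, uri) when configured;
#   5. the hostname is resolved via #resolve_ip_from_authoritative; an
#      unresolvable host is rejected; +allowed_cidrs+ and then
#      +blocked_cidrs+ are matched against the resolved address, and a
#      malformed CIDR in configuration rejects the URI (fail closed);
#   6. anything not decided above is allowed.
#
# All settings are read from Rails.configuration.outgoing_webhooks.
#
# NOTE(review): the address tested in step 5 is whatever the lookup returns
# at validation time; the eventual HTTP delivery performs its own lookup, so
# confirm the delivery path re-validates or pins the address if that window
# matters for this deployment.
#
# @param uri [URI::Generic, nil] the parsed webhook URI
# @return [Boolean]
def _allowed_uri?(uri)
  return true unless uri.present?

  config = Rails.configuration.outgoing_webhooks

  # Check the scheme before touching the host: URIs with no authority
  # component (e.g. "file:///x") have a nil hostname, which used to raise
  # NoMethodError on #downcase instead of returning false.
  return false unless config[:allowed_schemes].include?(uri.scheme)

  hostname = uri.hostname&.downcase
  return false if hostname.nil?

  # A Regexp entry is matched; any other entry must equal the hostname.
  hostname_matches = lambda do |entry|
    entry.is_a?(Regexp) ? entry.match?(hostname) : entry == hostname
  end

  return false if config[:blocked_hostnames].any?(&hostname_matches)
  return true if config[:allowed_hostnames].any?(&hostname_matches)

  if config[:custom_allow_callback].present?
    return true if config[:custom_allow_callback].call(self, uri)
  end

  if config[:custom_block_callback].present?
    return false if config[:custom_block_callback].call(self, uri)
  end

  resolved_ip = resolve_ip_from_authoritative(hostname)
  return false if resolved_ip.nil?

  begin
    return true if config[:allowed_cidrs].any? { |cidr| IPAddr.new(cidr).include?(resolved_ip) }
    return false if config[:blocked_cidrs].any? { |cidr| IPAddr.new(cidr).include?(resolved_ip) }
  rescue IPAddr::InvalidAddressError
    # A CIDR entry in configuration could not be parsed; reject rather than
    # let the URI through with the remaining rules unchecked.
    return false
  end

  true
end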

#allowed_uri?(uri) ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/models/concerns/webhooks/outgoing/uri_filtering.rb', line 90

# Public form of #_allowed_uri?: same decision, but when the URI is
# rejected the configured +audit_callback+ (if any) is invoked with
# (self, uri) before false is returned.
#
# @param uri [URI::Generic, nil] the parsed webhook URI
# @return [Boolean]
def allowed_uri?(uri)
  return true if _allowed_uri?(uri)

  audit = Rails.configuration.outgoing_webhooks[:audit_callback]
  audit.call(self, uri) if audit.present?
  false
end

#resolve_ip_from_authoritative(hostname) ⇒ Object



# File 'app/models/concerns/webhooks/outgoing/uri_filtering.rb', line 49

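# Resolves +hostname+ to an address string for the CIDR checks in
# #_allowed_uri?, or returns nil when it cannot be resolved.
#
# A literal IP address is returned as-is. Otherwise Rails.cache is consulted
# under a key built from this record's cache_key_with_version and a SHA-2
# digest of the hostname; a cached "invalid" marker yields nil.
#
# On a cache miss the lookup is two-step: the NS record for the registrable
# domain (PublicSuffix.domain) is fetched from the configured
# +public_resolvers+, then that nameserver is asked directly for the A
# record. A positive answer is cached for the record's TTL; a failed lookup
# is cached as "invalid" for 10 minutes so repeated validation does not
# re-query DNS.
#
# Only A records are requested, so a host with no A record resolves to nil
# and is rejected by the caller (fail closed).
#
# @param hostname [String] bare hostname or IP literal (no brackets)
# @return [String, nil] dotted address string, or nil when unresolvable
def resolve_ip_from_authoritative(hostname)
  begin
    ip = IPAddr.new(hostname)
    return ip.to_s
  rescue IPAddr::InvalidAddressError
    # not a literal address; continue with the resolver path
  end

  cache_key = "#{cache_key_with_version}/uri_ip/#{Digest::SHA2.hexdigest(hostname)}"

  cached = Rails.cache.read(cache_key)
  if cached
    return (cached == "invalid") ? nil : cached
  end

  begin
    # This is sort of a half-recursive DNS resolver.
    # We can't implement a full recursive resolver using just Resolv::DNS so instead
    # this asks a public cache for the NS record for the given domain. Then it asks
    # the authoritative nameserver directly for the address and caches it according
    # to the returned TTL.

    config = Rails.configuration.outgoing_webhooks
    ns_resolver = Resolv::DNS.new(nameserver: config[:public_resolvers])
    ns_resolver.timeouts = 1

    domain = PublicSuffix.domain(hostname)
    authoritative = ns_resolver.getresource(domain, Resolv::DNS::Resource::IN::NS)

    authoritative_resolver = Resolv::DNS.new(nameserver: [authoritative.name.to_s])
    authoritative_resolver.timeouts = 1

    resource = authoritative_resolver.getresource(hostname, Resolv::DNS::Resource::IN::A)
    Rails.cache.write(cache_key, resource.address.to_s, expires_in: resource.ttl, race_condition_ttl: 5)
    resource.address.to_s
  rescue ArgumentError, Resolv::ResolvError, Resolv::ResolvTimeout
    # ArgumentError: presumably PublicSuffix.domain returned nil (unknown
    # suffix) and Resolv rejected it as a DNS name. ResolvError: no NS or A
    # record came back (e.g. a non-existent host). ResolvTimeout: the 1s
    # timeout elapsed. Previously only ArgumentError was rescued, so a
    # non-existent host raised out of validation instead of being treated
    # as unresolvable; all three now fail closed through the "invalid" marker.
    Rails.cache.write(cache_key, "invalid", expires_in: 10.minutes, race_condition_ttl: 5)
    nil
  end
end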