Security: Web Push SSRF and IP range bypass
Add SSRF protection for web push endpoints: - Resolve endpoint IP once and pin it for connection - Validate endpoints resolve to public IPs - Whitelist permitted push service hosts Add missing IP ranges to SsrfProtection: - 100.64.0.0/10 (Carrier-grade NAT, RFC6598) - 198.18.0.0/15 (Benchmark testing, RFC2544) Note: link-local (169.254.0.0/16) is already covered by ip.link_local?
This commit is contained in:
@@ -1,13 +1,13 @@
|
||||
class WebPush::Notification
|
||||
def initialize(title:, body:, path:, badge:, endpoint:, p256dh_key:, auth_key:)
|
||||
def initialize(title:, body:, path:, badge:, endpoint:, endpoint_ip:, p256dh_key:, auth_key:)
|
||||
@title, @body, @path, @badge = title, body, path, badge
|
||||
@endpoint, @p256dh_key, @auth_key = endpoint, p256dh_key, auth_key
|
||||
@endpoint, @endpoint_ip, @p256dh_key, @auth_key = endpoint, endpoint_ip, p256dh_key, auth_key
|
||||
end
|
||||
|
||||
def deliver(connection: nil)
|
||||
WebPush.payload_send \
|
||||
message: encoded_message,
|
||||
endpoint: @endpoint, p256dh: @p256dh_key, auth: @auth_key,
|
||||
endpoint: @endpoint, endpoint_ip: @endpoint_ip, p256dh: @p256dh_key, auth: @auth_key,
|
||||
vapid: vapid_identification,
|
||||
connection: connection,
|
||||
urgency: "high"
|
||||
|
||||
Reference in New Issue
Block a user