496851b255
Add SSRF protection for web push endpoints: - Resolve endpoint IP once and pin it for connection - Validate endpoints resolve to public IPs - Whitelist permitted push service hosts Add missing IP ranges to SsrfProtection: - 100.64.0.0/10 (Carrier-grade NAT, RFC6598) - 198.18.0.0/15 (Benchmark testing, RFC2544) Note: link-local (169.254.0.0/16) is already covered by ip.link_local?
30 lines
925 B
Ruby
30 lines
925 B
Ruby
class WebPush::Notification
|
|
def initialize(title:, body:, path:, badge:, endpoint:, endpoint_ip:, p256dh_key:, auth_key:)
|
|
@title, @body, @path, @badge = title, body, path, badge
|
|
@endpoint, @endpoint_ip, @p256dh_key, @auth_key = endpoint, endpoint_ip, p256dh_key, auth_key
|
|
end
|
|
|
|
def deliver(connection: nil)
|
|
WebPush.payload_send \
|
|
message: encoded_message,
|
|
endpoint: @endpoint, endpoint_ip: @endpoint_ip, p256dh: @p256dh_key, auth: @auth_key,
|
|
vapid: vapid_identification,
|
|
connection: connection,
|
|
urgency: "high"
|
|
end
|
|
|
|
private
|
|
def vapid_identification
|
|
{ subject: "mailto:support@fizzy.do" }.merge \
|
|
Rails.configuration.x.vapid.symbolize_keys
|
|
end
|
|
|
|
def encoded_message
|
|
JSON.generate title: @title, options: { body: @body, icon: icon_path, data: { path: @path, badge: @badge } }
|
|
end
|
|
|
|
def icon_path
|
|
"/apple-touch-icon.png"
|
|
end
|
|
end
|