bug 65729

ONLYOFFICE · Jan 10, 2024 · 9d38560 · 9d38560
1 parent 6d1341b
commit 9d38560
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 1 deletion.
diff --git a/common/ASC.Webhooks.Core/DbWorker.cs b/common/ASC.Webhooks.Core/DbWorker.cs
@@ -24,8 +24,13 @@
 // content are licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0
 // International. See the License terms at http://creativecommons.org/licenses/by-sa/4.0/legalcode
 
+using System.Net.NetworkInformation;
+using System.Security;
+
 using AutoMapper;
 
+using Microsoft.Extensions.Configuration;
+
 namespace ASC.Webhooks.Core;
 
 [Scope]
@@ -42,6 +47,7 @@ public class DbWorker
     private readonly TenantManager _tenantManager;
     private readonly AuthContext _authContext;
     private readonly IMapper _mapper;
+    private readonly IConfiguration _configuration;
 
     private int Tenant
     {
@@ -55,12 +61,14 @@ public DbWorker(
         IDbContextFactory<WebhooksDbContext> dbContextFactory,
         TenantManager tenantManager,
         AuthContext authContext,
-        IMapper mapper)
+        IMapper mapper,
+        IConfiguration configuration)
     {
         _dbContextFactory = dbContextFactory;
         _tenantManager = tenantManager;
         _authContext = authContext;
         _mapper = mapper;
+        _configuration = configuration;
     }
 
     public async Task<WebhooksConfig> AddWebhookConfig(string uri, string name, string secretKey, bool? enabled, bool? ssl)
@@ -74,6 +82,26 @@ public async Task<WebhooksConfig> AddWebhookConfig(string uri, string name, stri
             return objForCreate;
         }
 
+        try
+        {
+            if (Uri.TryCreate(uri, UriKind.Absolute, out var parsedUri) && NetworkInterface.GetIsNetworkAvailable())
+            {
+                foreach (var netInterface in NetworkInterface.GetAllNetworkInterfaces())
+                {
+                    var ipProps = netInterface.GetIPProperties();
+
+                    if (ipProps.UnicastAddresses.Any(addr => addr.Address.ToString() == parsedUri.Host))
+                    {
+                        throw new SecurityException();
+                    }
+                }
+            }
+        }
+        catch (Exception)
+        {
+            // ignored
+        }
+
         var toAdd = new WebhooksConfig
         {
             TenantId = Tenant,

diff --git a/web/ASC.Web.Api/ApiModels/RequestsDto/WebhooksConfigRequestsDto.cs b/web/ASC.Web.Api/ApiModels/RequestsDto/WebhooksConfigRequestsDto.cs
@@ -24,6 +24,8 @@
 // content are licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0
 // International. See the License terms at http://creativecommons.org/licenses/by-sa/4.0/legalcode
 
+using System.ComponentModel.DataAnnotations;
+
 namespace ASC.Web.Api.ApiModels.RequestsDto;
 
 /// <summary>
@@ -40,6 +42,7 @@ public class WebhooksConfigRequestsDto
 
     /// <summary>URI</summary>
     /// <type>System.String, System</type>
+    [Url]
     public string Uri { get; set; }
 
     /// <summary>Secret key</summary>