JanssenProject / jans

An open source enterprise digital identity platform for CIAM or workforce... Janssen is a distribution of standards-based, developer friendly, components that are engineered to work together in any cloud. #OAuth #OpenID #FIDO
https://docs.jans.io
Apache License 2.0

feat(config-api): Blacklist some urls from webhook for security reason #8574

Open syntrydy opened 4 months ago

syntrydy commented 4 months ago

Description

Currently there is no security in the webhook feature. The following should be checked:

  1. Perform URL validation (the URL should be a valid URL and resolvable).
  2. Ensure the URL starts with "https://"; disallow "file://" and other non-HTTPS schemes.
  3. Block typical local IPs: 127.0.x, 192.168.x, 172.x.
  4. Prohibit "localhost" and "http://".
  5. Require a specific response header for POST requests, unique to the customer.
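Items 1 to 4 above, written out as an added Python example (this is illustrative code, not the Jans config-api, which is Java). It goes slightly beyond the list in the issue: it uses the exact RFC 1918 blocks (172.16.0.0/12 rather than all of 172.x), adds loopback, link-local (which covers cloud metadata endpoints such as 169.254.169.254), multicast and the IPv6 equivalents, rejects userinfo in the URL, and checks every address a hostname resolves to rather than the host string, which also catches hex or octal literals that a platform resolver would accept. `DEMO_DNS`, `demo_resolver` and the hostnames are constructed so the example runs offline; `dns_resolver` is the variant that uses the system resolver.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Address ranges a webhook target must never resolve to. Broader and more exact
# than the "127.0.x, 192.168.x, 172.x" list in the issue.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network ("0" resolves to localhost on many stacks)
    "10.0.0.0/8",       # RFC 1918
    "100.64.0.0/10",    # carrier-grade NAT
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local, includes cloud metadata services
    "172.16.0.0/12",    # RFC 1918 (not all of 172.x)
    "192.168.0.0/16",   # RFC 1918
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
    "::/128", "::1/128", "fc00::/7", "fe80::/10",   # IPv6 unspecified, loopback, ULA, link-local
)]


class WebhookUrlError(ValueError):
    """Raised when a webhook URL fails validation."""


def is_blocked(ip):
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) so the IPv4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def dns_resolver(host):
    """System resolver: returns every address an HTTP client could connect to."""
    try:
        infos = socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise WebhookUrlError(f"{host!r} does not resolve: {exc}") from None
    return {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}


# Constructed lookup table so the example runs offline (not real DNS data).
DEMO_DNS = {
    "hooks.example.com": {"203.0.113.10"},
    # A public name that also points at an internal address must be rejected.
    "dual.example.com": {"203.0.113.20", "10.0.0.5"},
}


def demo_resolver(host):
    if host not in DEMO_DNS:
        raise WebhookUrlError(f"{host!r} does not resolve")
    return {ipaddress.ip_address(a) for a in DEMO_DNS[host]}


def validate_webhook_url(url, resolver=dns_resolver):
    """Return the addresses a safe webhook URL resolves to, or raise WebhookUrlError."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:                       # e.g. unbalanced IPv6 brackets
        raise WebhookUrlError(f"malformed URL: {exc}") from None
    if parts.scheme != "https":                     # rejects http://, file://, gopher://, ...
        raise WebhookUrlError(f"scheme must be https, got {parts.scheme!r}")
    host = parts.hostname                           # lower-cased, IPv6 brackets stripped
    if not host:
        raise WebhookUrlError("URL has no host")
    if parts.username or parts.password:
        raise WebhookUrlError("userinfo in a webhook URL is not allowed")
    if host == "localhost" or host.endswith(".localhost"):
        raise WebhookUrlError("localhost is not allowed")
    # Literal addresses never hit DNS, so check them directly; for names,
    # check every resolved address rather than the host string.
    try:
        addrs = {ipaddress.ip_address(host)}
    except ValueError:
        addrs = resolver(host)
    for ip in addrs:
        if is_blocked(ip):
            raise WebhookUrlError(f"{host!r} resolves to blocked address {ip}")
    return addrs


def is_safe_webhook_url(url, resolver=dns_resolver):
    try:
        validate_webhook_url(url, resolver)
        return True
    except WebhookUrlError:
        return False


if __name__ == "__main__":
    for u in ("https://hooks.example.com/jans", "http://hooks.example.com/jans",
              "file:///etc/passwd", "https://localhost/", "https://127.0.0.1/",
              "https://[::ffff:127.0.0.1]/", "https://169.254.169.254/latest/",
              "https://dual.example.com/"):
        print(f"{u:45} {'OK' if is_safe_webhook_url(u, demo_resolver) else 'REJECT'}")
```

Two caveats a reviewer would raise on top of the list: the check must be repeated on every redirect the HTTP client follows (or redirects disabled), since an allowed public host can 302 to an internal address; and the client should connect to the address that was validated instead of resolving the name again at send time, otherwise a short-TTL record can be swapped between the check and the connection (DNS rebinding).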

433B commented 1 week ago

Hello! I'm interested in this topic, could I have it for myself? I have experience in this area.

nynymike commented 1 week ago

Sure... why not. I don't think it's a super high priority at Jans. @syntrydy could you explain what you mean by "Require a specific response header for POST requests, unique to the customer"? Did you have a header in mind?

syntrydy commented 6 days ago

@nynymike

Before the source app sends an HTTP request via the webhook, it hashes the payload (request body) with HMAC using the secret key. The resulting hash is then bundled into the HTTP request as a header, and the entire request (header and body) is sent to the webhook endpoint.

Upon receiving the HTTP request, the destination app hashes the body with the secret key and then compares the result to the hash provided in the header. If the values match, the destination app knows the data is legit and processes it. If the values do not match, the destination app rejects the data and executes whatever code was written for that scenario — perhaps creating a log entry or sending a notification.
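The sign-then-verify exchange described in the comment above, as an added Python example with both sides (illustrative code, not part of Jans). The header name `X-Webhook-Signature` and the `t=<timestamp>,v1=<hex>` format are assumptions for this example. It goes one step beyond the comment: the timestamp is bound into the MAC and checked for freshness, so a captured request cannot be replayed later, and the comparison is constant-time. The secret is a constructed per-customer value.

```python
import hashlib
import hmac
import json
import time

SIGNATURE_HEADER = "X-Webhook-Signature"   # assumed header name, not a Jans spec
MAX_SKEW_SECONDS = 300                     # how old a signed request may be


def _signed_bytes(timestamp, body):
    # MAC input is "<timestamp>.<raw body>", so neither can be altered or reused.
    return str(timestamp).encode() + b"." + body


def sign(secret, body, timestamp):
    mac = hmac.new(secret, _signed_bytes(timestamp, body), hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def build_webhook_request(secret, event, now=None):
    """Source side: serialise the event and attach the signature header."""
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    ts = int(time.time() if now is None else now)
    headers = {
        "Content-Type": "application/json",
        SIGNATURE_HEADER: sign(secret, body, ts),
    }
    return headers, body


def verify_webhook_request(secret, headers, body, now=None, max_skew=MAX_SKEW_SECONDS):
    """Destination side: True only if the raw body is authentic and fresh.

    Verify over the bytes as received, before any JSON parsing; a re-serialised
    body may differ in whitespace or key order and the MAC would not match.
    """
    header = headers.get(SIGNATURE_HEADER, "")
    fields = dict(part.split("=", 1) for part in header.split(",") if "=" in part)
    try:
        ts = int(fields["t"])
        received = fields["v1"]
    except (KeyError, ValueError):
        return False                       # missing or malformed header
    if abs(int(time.time() if now is None else now) - ts) > max_skew:
        return False                       # stale: possible replay
    expected = hmac.new(secret, _signed_bytes(ts, body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, received)   # constant-time comparison


if __name__ == "__main__":
    secret = b"per-customer-secret-from-config"      # constructed value
    headers, body = build_webhook_request(secret, {"event": "client.created", "id": "1234"})
    print(headers[SIGNATURE_HEADER])
    print("genuine :", verify_webhook_request(secret, headers, body))
    print("tampered:", verify_webhook_request(secret, headers, body.replace(b"1234", b"9999")))
    print("wrong key:", verify_webhook_request(b"other", headers, body))
```

On the receiving side, the rejected case is where logging belongs: a mismatch means either a misconfigured secret or someone who found the endpoint URL, and the handler should not reveal in its response which of the two it was.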