Add bypass host validation specifically for internal webhook URL (#2195)

Fixes OPS-4071

Author: MarceloRGonc

packages/blocks/http/src/lib/actions/send-http-request-action.ts

@@ -10,7 +10,7 @@ import {
   DynamicPropsValue,
   Property,
 } from '@openops/blocks-framework';
-import { validateHost } from '@openops/server-shared';
+import { validateHostAllowingPublicWebhookUrl } from '@openops/server-shared';
 import { assertNotNullOrUndefined } from '@openops/shared';
 import axios from 'axios';
 import FormData from 'form-data';
@@ -170,8 +170,10 @@ export const httpSendRequestAction = createAction({
     assertNotNullOrUndefined(method, 'Method');
     assertNotNullOrUndefined(url, 'URL');
 
-    await validateHost(url);
-    await validateHost(context.propsValue.proxy_settings?.proxy_host);
+    await validateHostAllowingPublicWebhookUrl(url);
+    await validateHostAllowingPublicWebhookUrl(
+      context.propsValue.proxy_settings?.proxy_host,
+    );
 
     const headersArray =
       (context.auth?.headers as

packages/server/shared/src/lib/host-validation/index.ts

@@ -1,6 +1,7 @@
 import { promises as dns } from 'dns';
 import ipRangeCheck from 'ip-range-check';
 import { isIPv4, isIPv6 } from 'net';
+import { networkUtls } from '../network-utils';
 import { SharedSystemProp, system } from '../system';
 
 const internalV4Cidrs = [
@@ -63,3 +64,27 @@ export async function validateHost(host: string | undefined): Promise<void> {
   const isPrivate = await isInternalHost(host);
   if (isPrivate) throw new Error('Host must not be an internal address');
 }
+
+export async function validateHostAllowingPublicWebhookUrl(
+  url: string | undefined,
+): Promise<void> {
+  if (!url) {
+    return;
+  }
+
+  try {
+    await validateHost(url);
+  } catch (error) {
+    const publicUrl = await networkUtls.getPublicUrl();
+
+    const escapedBase = publicUrl.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+
+    const regex = new RegExp(
+      `^${escapedBase}v1/webhooks/[0-9a-zA-Z]{21}/sync$`,
+    );
+
+    if (!regex.test(url)) {
+      throw error;
+    }
+  }
+}

packages/server/shared/test/host-validation/index.test.ts

@@ -1,14 +1,28 @@
 const resolve4 = jest.fn();
 const resolve6 = jest.fn();
 const getBoolean = jest.fn().mockReturnValue(true);
+const getPublicUrl = jest.fn();
 
 jest.mock('dns', () => ({ promises: { resolve4, resolve6 } }));
 jest.mock('../../src/lib/system', () => ({
-  system: { getBoolean },
-  SharedSystemProp: { ENABLE_HOST_VALIDATION: 'ENABLE_HOST_VALIDATION' },
+  system: {
+    getBoolean,
+    getOrThrow: jest.fn().mockReturnValue('x-forwarded-for'),
+  },
+  SharedSystemProp: {
+    ENABLE_HOST_VALIDATION: 'ENABLE_HOST_VALIDATION',
+    FRONTEND_URL: 'FRONTEND_URL',
+  },
+  AppSystemProp: { CLIENT_REAL_IP_HEADER: 'CLIENT_REAL_IP_HEADER' },
+}));
+jest.mock('../../src/lib/network-utils', () => ({
+  networkUtls: { getPublicUrl },
 }));
 
-import { validateHost } from '../../src/lib/host-validation';
+import {
+  validateHost,
+  validateHostAllowingPublicWebhookUrl,
+} from '../../src/lib/host-validation';
 
 describe('Host Validation', () => {
   beforeEach(() => {
@@ -114,4 +128,76 @@ describe('Host Validation', () => {
       'Host must not be an internal address',
     );
   });
+
+  describe('validateHostAllowingPublicWebhookUrl', () => {
+    test('should skip for empty url', async () => {
+      const url = '';
+      await expect(
+        validateHostAllowingPublicWebhookUrl(url),
+      ).resolves.toBeUndefined();
+    });
+
+    test('should allow public webhook url even if it resolves to private ip', async () => {
+      const publicUrl = 'https://openops.example.com/';
+      const webhookUrl =
+        'https://openops.example.com/v1/webhooks/123456789012345678901/sync';
+      getPublicUrl.mockResolvedValue(publicUrl);
+      resolve4.mockResolvedValue(['127.0.0.1']);
+      resolve6.mockResolvedValue([]);
+
+      await expect(
+        validateHostAllowingPublicWebhookUrl(webhookUrl),
+      ).resolves.toBeUndefined();
+    });
+
+    test('should throw for internal host that is not the public webhook url', async () => {
+      const publicUrl = 'https://openops.example.com/';
+      const internalUrl =
+        'https://10.0.0.1/v1/webhooks/123456789012345678901/sync';
+      getPublicUrl.mockResolvedValue(publicUrl);
+      resolve4.mockResolvedValue(['10.0.0.1']);
+      resolve6.mockResolvedValue([]);
+
+      await expect(
+        validateHostAllowingPublicWebhookUrl(internalUrl),
+      ).rejects.toThrow('Host must not be an internal address');
+    });
+
+    test('should throw for public webhook url with invalid id length', async () => {
+      const publicUrl = 'https://openops.example.com/';
+      const webhookUrl =
+        'https://openops.example.com/v1/webhooks/too-short/sync';
+      getPublicUrl.mockResolvedValue(publicUrl);
+      resolve4.mockResolvedValue(['127.0.0.1']);
+      resolve6.mockResolvedValue([]);
+
+      await expect(
+        validateHostAllowingPublicWebhookUrl(webhookUrl),
+      ).rejects.toThrow('Host must not be an internal address');
+    });
+
+    test('should allow public host', async () => {
+      const publicUrl = 'https://openops.example.com/';
+      const somePublicUrl = 'https://google.com';
+      getPublicUrl.mockResolvedValue(publicUrl);
+      resolve4.mockResolvedValue(['8.8.8.8']);
+      resolve6.mockResolvedValue([]);
+
+      await expect(
+        validateHostAllowingPublicWebhookUrl(somePublicUrl),
+      ).resolves.toBeUndefined();
+    });
+
+    test('should throw error for DNS resolution failure on non-webhook URL', async () => {
+      const publicUrl = 'https://openops.example.com/';
+      const unknownUrl = 'https://unknown.example.com';
+      getPublicUrl.mockResolvedValue(publicUrl);
+      resolve4.mockRejectedValue(new Error('DNS resolution failed'));
+      resolve6.mockRejectedValue(new Error('DNS resolution failed'));
+
+      await expect(
+        validateHostAllowingPublicWebhookUrl(unknownUrl),
+      ).rejects.toThrow('Failed to resolve host');
+    });
+  });
 });