feat: add ssrf protection (#9)

2026-05-18 06:24:12 +00:00 · 2026-04-23 19:12:01 +02:00
parent f1fd5236f9
commit 71b7458cfc
4 changed files with 349 additions and 0 deletions
@@ -9,6 +9,7 @@ import { processResults } from './processor/index.js';
 import { formatWebhookPayload } from './alert/index.js';
 import { getMonitorStates, writeCheckResults, updateMonitorStates, recordAlert } from './db.js';
 import { interpolateSecrets } from './utils/interpolate.js';
+import { isBlockedURL } from './utils/ssrf.js';
 import type { Env } from './types.js';
 import type { CheckRequest } from './checker/types.js';
 import type { CheckResult } from './processor/types.js';
@@ -257,6 +258,18 @@ async function sendWebhook(
      return false;
    }

+    const blockedReason = isBlockedURL(payload.url);
+    if (blockedReason) {
+      console.error(
+        JSON.stringify({
+          event: 'webhook_ssrf_blocked',
+          alert: alert.alertName,
+          reason: blockedReason,
+        })
+      );
+      return false;
+    }
+
    const response = await fetch(payload.url, {
      method: payload.method,
      headers: payload.headers,