Webhook payload URL doesn't accept internal IP based value

Hi,

I have recently upgraded my Discourse instance to Discourse/2.9.0.beta14 latest version from Discourse/2.9.0.beta3.
The discourse webhook event has stopped working now.

This is the configuration
payload URL: http://server-name:port/rest : This is the internal rest api service that we have defined.

When I try to save this value, it gives the following error:
“An error occurred: Payload URL cannot be used because it resolves to a blocked or internal IP”

The same value for payload URL: http://server-name:port/rest used to work fine in the Discourse/2.9.0.beta3 discourse version.
Is there something that has been updated in the latest version of discourse, or is this a bug?

Please could you let me know. Thanking in advance.

This doesn’t sound right. The payload URL for webhooks may indeed be an internal resource if Discourse is self hosted. Not sure why you would want to stop being able to configure URLs or addresses that resolve internally for processing web hooks. There has been a change it seems to prevent invalid/bad website URLs on user profiles. Has that change crept into the validation for the webhook payload URL?

Because it can also be a security issue where a Discourse admin could use webhooks to discover or attack internal resources on a network which is not theirs?

1 Like

Yeah, moved this to #feature, this can be used to fish information about an internal network. There are some knobs to tune the behavior on a specific instance.

1 Like
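The kind of check discussed in this thread, as an added example that is not part of the original posts and is not Discourse's own code: a payload URL is rejected when any address it resolves to falls in an internal range, unless the host is explicitly exempted. The block list, the `ALLOWED_INTERNAL_HOSTS` name, the host names and the DNS answers are all constructed assumptions so the example runs offline.

```ruby
require "ipaddr"
require "uri"

# Constructed block list: loopback, RFC 1918, link-local, IPv6 loopback/ULA/link-local.
BLOCKED_RANGES = %w[
  0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  169.254.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Hypothetical per-instance exemption list; the name is not a Discourse setting.
ALLOWED_INTERNAL_HOSTS = ["hooks.corp.example"].freeze

# Constructed DNS answers standing in for a real resolver.
SAMPLE_DNS = {
  "hooks.corp.example" => ["10.20.30.40"],
  "server-name"        => ["192.168.1.15"],
  "public.example"     => ["93.184.216.34"],
  "mixed.example"      => ["93.184.216.34", "127.0.0.1"],
}.freeze

def blocked_ip?(ip)
  addr = IPAddr.new(ip)
  addr = addr.native if addr.ipv4_mapped? # ::ffff:10.0.0.1 is treated as 10.0.0.1
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

# Returns [ok, reason]. `resolver` maps a host name to a list of IP strings.
def check_payload_url(url, resolver: ->(h) { SAMPLE_DNS.fetch(h, []) })
  uri = URI.parse(url)
  return [false, "not an http(s) URL"] unless uri.is_a?(URI::HTTP) && uri.hostname
  host = uri.hostname.downcase
  return [true, "allowlisted internal host"] if ALLOWED_INTERNAL_HOSTS.include?(host)
  ips = begin
    [IPAddr.new(host).to_s] # IP literal, no lookup needed
  rescue IPAddr::Error
    resolver.call(host)
  end
  return [false, "does not resolve"] if ips.empty?
  bad = ips.select { |ip| blocked_ip?(ip) }
  # Reject if ANY answer is internal: the HTTP client may connect to any of them.
  bad.empty? ? [true, "public"] : [false, "resolves to a blocked or internal IP: #{bad.join(', ')}"]
rescue URI::InvalidURIError
  [false, "invalid URL"]
end
```

Validating only when the URL is saved is not sufficient, because the DNS answer can change before the webhook is delivered; the same test belongs at connection time as well.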