Webhook SSRF DNS Rebinding Not Fully Mitigated

[chintakjoshi]

Webhook SSRF DNS Rebinding Not Fully Mitigated

File: webhook_service.py:161-205

The DNS resolution happens at registration time and again at delivery time (_resolve_target), which is good. However, between resolution and the actual HTTP request (httpx.post), DNS could rebind to an internal IP. The host=connect_host substitution partially mitigates this, but httpx may still perform its own DNS resolution depending on transport configuration. Consider pinning via httpx.AsyncClient(transport=...) with explicit address binding.

[chintakjoshi]

The key reason is that the delivery path already pins the outbound socket to the resolved IP, not to the original hostname. In webhook_service.py (line 160), _build_resolved_webhook_target() resolves the hostname and then rewrites the request target to url=str(parsed_url.copy_with(host=connect_host)) at webhook_service.py (line 201). Then webhook_service.py (line 219) sends the original authority only as the Host header and webhook_service.py (line 225) passes it as TLS SNI, while the actual client.post(...) call at webhook_service.py (line 230) targets the IP-literal URL.