(core) support a wildcard option for ALLOWED_WEBHOOK_DOMAINS

Summary: Now that webhook payload delivery can be done using a proxy, it may be desirable to no longer require a set of `ALLOWED_WEBHOOK_DOMAINS`. This diff allows this variable to be set to `*`. With this setting, any domain, and both `http` and `https` protocols will now be accepted. Another possibility would be to default to unchecked behavior if `ALLOWED_WEBHOOK_DOMAINS` is not set. But this would introduce a new kind of vulnerability to unconfigured Grist installations. Test Plan: switched a test from naming a domain to using `*` Reviewers: jarek Reviewed By: jarek Differential Revision: https://phab.getgrist.com/D3903
2026-03-02 04:09:24 +00:00 · 2023-05-23 12:51:58 -04:00
parent 4cc19ff748
commit 3f3a0d3aa1
5 changed files with 31 additions and 2 deletions
--- a/app/server/lib/Triggers.ts
+++ b/app/server/lib/Triggers.ts
@@ -772,6 +772,17 @@ export function isUrlAllowed(urlString: string) {
    return false;
  }

+  // Support at most https and http.
+  if (url.protocol !== "https:" && url.protocol !== "http:") {
+    return false;
+  }
+
+  // Support a wildcard that allows all domains.
+  // Allow either https or http if it is set.
+  if (process.env.ALLOWED_WEBHOOK_DOMAINS === '*') {
+    return true;
+  }
+
  // http (no s) is only allowed for localhost for testing.
  // localhost still needs to be explicitly permitted, and it shouldn't be outside dev
  if (url.protocol !== "https:" && url.hostname !== "localhost") {