Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow build and preview webhooks to be called in 'private' networks #189

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

PawelBaranowski
Copy link

This fixes the problem of build/preview webhook being silently ignored when its host resolves to a private IP address. The problem originates from ActionMonitor::trigger_dispatch calling wp_safe_remote_post which in turn uses wp_http_validate_url. wp_http_validate_url deems private IP addresses invalid.

Currently it's impossible to to call a webhook in a local network. The same applies to Docker which uses private IP addressing.

Changing wp_safe_remote_post to its unsafe variant does not compromise security in this case, because:

  • webhook URLs are not dynamic or user-provided (which is the main concern of safe variants)
  • only WordPress admins can change webhook URLs

TylerBarnes and others added 3 commits August 26, 2021 15:25
* only override preview link when not doing gql requests

* remove attempt to grab existing manifest id's. this results in outdated id's

* Update CHANGELOG.md
This is needed due to 'safe' variant preventing calls to private IP addresses.
This does not compromise security, webhook URLs are not dynamic and are controlled by WordPress admins.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants