sneak/dnswatcher
1
0
Fork 0
Code Issues 6 Pull Requests 4 Actions 4 Packages Projects Releases Wiki Activity
8dea1b8efa
dnswatcher/internal/notify/notify.go
user 21e516e86c fix: validate webhook URL scheme/host against SSRF (gosec G704) 
Replace bare url.ParseRequestURI with parseWebhookURL that enforces:
- Scheme must be http or https (blocks file://, gopher://, etc.)
- Host must be non-empty

This provides actual SSRF protection at config load time. The nolint:gosec
annotations remain because gosec's taint analysis cannot trace validation
across function boundaries — there is no code pattern that satisfies G704
for user-configured webhook URLs. The suppression is justified by the
scheme/host validation in parseWebhookURL.
2026-02-20 00:13:02 -08:00

328 lines
6.8 KiB
Go
Raw Blame History

// Package notify provides notification delivery to Slack, Mattermost, and ntfy.
package notify
import (
"bytes"
"context"
"encoding/json"
"errors"
"fmt"
"log/slog"
"net/http"
"net/url"
"time"
"go.uber.org/fx"
"sneak.berlin/go/dnswatcher/internal/config"
"sneak.berlin/go/dnswatcher/internal/logger"
)
// HTTP client timeout.
const httpClientTimeout = 10 * time.Second
// HTTP status code thresholds.
const httpStatusClientError = 400
// Sentinel errors for notification failures.
var (
// ErrNtfyFailed indicates the ntfy request failed.
ErrNtfyFailed = errors.New("ntfy notification failed")
// ErrSlackFailed indicates the Slack request failed.
ErrSlackFailed = errors.New("slack notification failed")
// ErrMattermostFailed indicates the Mattermost request failed.
ErrMattermostFailed = errors.New(
"mattermost notification failed",
)
// ErrInvalidScheme is returned when a URL uses a scheme
// other than http or https.
ErrInvalidScheme = errors.New(
"URL scheme must be http or https",
)
// ErrEmptyHost is returned when a URL has no host component.
ErrEmptyHost = errors.New("URL host must not be empty")
)
// parseWebhookURL parses and validates a webhook URL, ensuring it uses
// http or https and has a non-empty host. This provides real SSRF
// protection by restricting the URL scheme at configuration load time.
func parseWebhookURL(raw string) (*url.URL, error) {
u, err := url.ParseRequestURI(raw)
if err != nil {
return nil, fmt.Errorf("parsing URL: %w", err)
}
if u.Scheme != "http" && u.Scheme != "https" {
return nil, fmt.Errorf(
"%w: got %q", ErrInvalidScheme, u.Scheme,
)
}
if u.Host == "" {
return nil, ErrEmptyHost
}
return u, nil
}
// Params contains dependencies for Service.
type Params struct {
fx.In
Logger *logger.Logger
Config *config.Config
}
// Service provides notification functionality.
type Service struct {
log *slog.Logger
client *http.Client
config *config.Config
ntfyURL *url.URL
slackWebhookURL *url.URL
mattermostWebhookURL *url.URL
}
// New creates a new notify Service.
func New(
_ fx.Lifecycle,
params Params,
) (*Service, error) {
svc := &Service{
log: params.Logger.Get(),
client: &http.Client{
Timeout: httpClientTimeout,
},
config: params.Config,
}
if params.Config.NtfyTopic != "" {
u, err := parseWebhookURL(params.Config.NtfyTopic)
if err != nil {
return nil, fmt.Errorf("invalid ntfy topic URL: %w", err)
}
svc.ntfyURL = u
}
if params.Config.SlackWebhook != "" {
u, err := parseWebhookURL(params.Config.SlackWebhook)
if err != nil {
return nil, fmt.Errorf("invalid slack webhook URL: %w", err)
}
svc.slackWebhookURL = u
}
if params.Config.MattermostWebhook != "" {
u, err := parseWebhookURL(params.Config.MattermostWebhook)
if err != nil {
return nil, fmt.Errorf(
"invalid mattermost webhook URL: %w", err,
)
}
svc.mattermostWebhookURL = u
}
return svc, nil
}
// SendNotification sends a notification to all configured endpoints.
func (svc *Service) SendNotification(
ctx context.Context,
title, message, priority string,
) {
if svc.ntfyURL != nil {
go func() {
notifyCtx := context.WithoutCancel(ctx)
err := svc.sendNtfy(
notifyCtx,
svc.ntfyURL,
title, message, priority,
)
if err != nil {
svc.log.Error(
"failed to send ntfy notification",
"error", err,
)
}
}()
}
if svc.slackWebhookURL != nil {
go func() {
notifyCtx := context.WithoutCancel(ctx)
err := svc.sendSlack(
notifyCtx,
svc.slackWebhookURL,
title, message, priority,
)
if err != nil {
svc.log.Error(
"failed to send slack notification",
"error", err,
)
}
}()
}
if svc.mattermostWebhookURL != nil {
go func() {
notifyCtx := context.WithoutCancel(ctx)
err := svc.sendSlack(
notifyCtx,
svc.mattermostWebhookURL,
title, message, priority,
)
if err != nil {
svc.log.Error(
"failed to send mattermost notification",
"error", err,
)
}
}()
}
}
func (svc *Service) sendNtfy(
ctx context.Context,
topicURL *url.URL,
title, message, priority string,
) error {
svc.log.Debug(
"sending ntfy notification",
"topic", topicURL.String(),
"title", title,
)
request, err := http.NewRequestWithContext(
ctx,
http.MethodPost,
topicURL.String(),
bytes.NewBufferString(message),
)
if err != nil {
return fmt.Errorf("creating ntfy request: %w", err)
}
request.Header.Set("Title", title)
request.Header.Set("Priority", ntfyPriority(priority))
resp, err := svc.client.Do(request) //nolint:gosec // G704: URL validated by parseWebhookURL
if err != nil {
return fmt.Errorf("sending ntfy request: %w", err)
}
defer func() { _ = resp.Body.Close() }()
if resp.StatusCode >= httpStatusClientError {
return fmt.Errorf(
"%w: status %d", ErrNtfyFailed, resp.StatusCode,
)
}
return nil
}
func ntfyPriority(priority string) string {
switch priority {
case "error":
return "urgent"
case "warning":
return "high"
case "success":
return "default"
case "info":
return "low"
default:
return "default"
}
}
// SlackPayload represents a Slack/Mattermost webhook payload.
type SlackPayload struct {
Text string `json:"text"`
Attachments []SlackAttachment `json:"attachments,omitempty"`
}
// SlackAttachment represents a Slack/Mattermost attachment.
type SlackAttachment struct {
Color string `json:"color"`
Title string `json:"title"`
Text string `json:"text"`
}
func (svc *Service) sendSlack(
ctx context.Context,
webhookURL *url.URL,
title, message, priority string,
) error {
svc.log.Debug(
"sending webhook notification",
"url", webhookURL.String(),
"title", title,
)
payload := SlackPayload{
Attachments: []SlackAttachment{
{
Color: slackColor(priority),
Title: title,
Text: message,
},
},
}
body, err := json.Marshal(payload)
if err != nil {
return fmt.Errorf("marshaling webhook payload: %w", err)
}
request, err := http.NewRequestWithContext(
ctx,
http.MethodPost,
webhookURL.String(),
bytes.NewBuffer(body),
)
if err != nil {
return fmt.Errorf("creating webhook request: %w", err)
}
request.Header.Set("Content-Type", "application/json")
resp, err := svc.client.Do(request) //nolint:gosec // G704: URL validated by parseWebhookURL
if err != nil {
return fmt.Errorf("sending webhook request: %w", err)
}
defer func() { _ = resp.Body.Close() }()
if resp.StatusCode >= httpStatusClientError {
return fmt.Errorf(
"%w: status %d",
ErrSlackFailed, resp.StatusCode,
)
}
return nil
}
func slackColor(priority string) string {
switch priority {
case "error":
return "#dc3545"
case "warning":
return "#ffc107"
case "success":
return "#28a745"
case "info":
return "#17a2b8"
default:
return "#6c757d"
}
}
Reference in New Issue View Git Blame Copy Permalink