
fix(security): address GitHub issues #30 and #31 (webhook SSRF, config logging) #41

Merged
ch4r10t33r merged 3 commits into master from fix/issue-30-31-callback-ssrf-config-redact on May 12, 2026

Conversation

@ch4r10t33r (Member)

Summary

Closes #30 (SSRF / unsafe outbound webhooks) and #31 (secrets in Config Debug / startup logs).

#30 — Callback URL hardening

  • New utils::callback_security::validate_outbound_webhook_url, invoked from process_single_transaction before the job is stored.
  • Default policy: HTTPS only, reject URL userinfo, reject non-public literal IPs; for hostnames run tokio::net::lookup_host and reject if any resolved address is disallowed.
  • Escape hatches (documented in README): RELAYX_CALLBACK_ALLOW_LOOPBACK, RELAYX_CALLBACK_SKIP_SSRF_CHECKS.
  • Shared reqwest::Client for webhooks: no redirects, 30s total / 10s connect timeout.

#31 — Secret-safe logging

  • Removed #[derive(Debug)] from Config; added manual impl fmt::Debug that prints <redacted> / <none> for relayer_private_key and sentry_dsn.
  • Replaced tracing::debug!("Configuration: {:?}", config) with log_summary_for_tracing() (no secret material).

Testing

cargo test (all green).

Fixes #30. Fixes #31.
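The #30 policy described above (HTTPS only, no userinfo, no private or reserved targets, every resolved address checked) as a stand-alone, dependency-free example. This is added illustration, not the project's utils::callback_security module: the error enum, the CallbackPolicy struct and the injected resolve closure are this example's own choices, the resolver stands in for tokio::net::lookup_host so the logic can run offline, and the rejected ranges are taken from std's IP classification plus a few reserved blocks.

```rust
use std::net::IpAddr;

/// Why a callback URL was rejected (the variant set is this example's choice).
#[derive(Debug, PartialEq, Eq)]
pub enum CallbackUrlError {
    Unparseable, NotHttps, HasUserinfo, MissingHost, UnresolvableHost,
    DisallowedIp(IpAddr),
}

/// Policy knobs; in the project these map to RELAYX_CALLBACK_ALLOW_LOOPBACK
/// and RELAYX_CALLBACK_SKIP_SSRF_CHECKS (assumed here as plain fields).
pub struct CallbackPolicy {
    pub allow_loopback: bool,
    pub skip_ssrf_checks: bool,
}

/// True for any address a webhook sender must never contact. IPv4-in-IPv6
/// forms are unwrapped first so `::ffff:10.0.0.1` is classified as 10.0.0.1.
pub fn is_disallowed_ip(ip: IpAddr, allow_loopback: bool) -> bool {
    match ip {
        IpAddr::V4(v4) => {
            if v4.is_loopback() { return !allow_loopback; }
            let o = v4.octets();
            v4.is_private()                             // 10/8, 172.16/12, 192.168/16
                || v4.is_link_local()                   // 169.254/16
                || v4.is_unspecified()                  // 0.0.0.0
                || v4.is_broadcast()                    // 255.255.255.255
                || v4.is_documentation()                // TEST-NET-1/2/3
                || o[0] == 0                            // 0.0.0.0/8 "this network"
                || (o[0] == 100 && (o[1] & 0xC0) == 64) // 100.64/10 shared address space
                || o[0] >= 224                          // multicast and reserved
        }
        IpAddr::V6(v6) => {
            if v6.is_unspecified() { return true; }
            if v6.is_loopback() { return !allow_loopback; }
            if let Some(v4) = v6.to_ipv4() {
                return is_disallowed_ip(IpAddr::V4(v4), allow_loopback);
            }
            let s0 = v6.segments()[0];
            v6.is_multicast()
                || (s0 & 0xfe00) == 0xfc00 // fc00::/7 unique local
                || (s0 & 0xffc0) == 0xfe80 // fe80::/10 link local
        }
    }
}

/// Minimal split of `scheme://[userinfo@]host[:port]/...`, enough for the checks.
fn split_url(url: &str) -> Option<(&str, bool, &str)> {
    let (scheme, rest) = url.split_once("://")?;
    let authority = rest.split(|c| matches!(c, '/' | '?' | '#')).next()?;
    let (has_userinfo, hostport) = match authority.rsplit_once('@') {
        Some((_, hp)) => (true, hp),
        None => (false, authority),
    };
    let host = match hostport.strip_prefix('[') {
        Some(bracketed) => bracketed.split_once(']')?.0, // IPv6 literal
        None => hostport.split(':').next()?,
    };
    Some((scheme, has_userinfo, host))
}

/// Validate a callback URL before the job is stored. `resolve` plays the role
/// of tokio::net::lookup_host; every address it returns must be allowed.
pub fn validate_outbound_webhook_url<R>(
    url: &str,
    policy: &CallbackPolicy,
    resolve: R,
) -> Result<(), CallbackUrlError>
where
    R: Fn(&str) -> Vec<IpAddr>,
{
    let (scheme, has_userinfo, host) =
        split_url(url).ok_or(CallbackUrlError::Unparseable)?;
    if !scheme.eq_ignore_ascii_case("https") { return Err(CallbackUrlError::NotHttps); }
    if has_userinfo { return Err(CallbackUrlError::HasUserinfo); }
    if host.is_empty() { return Err(CallbackUrlError::MissingHost); }
    if policy.skip_ssrf_checks { return Ok(()); } // dev/test escape hatch
    // Literal IPs are checked directly; hostnames go through the resolver.
    let targets = match host.parse::<IpAddr>() {
        Ok(ip) => vec![ip],
        Err(_) => resolve(host),
    };
    if targets.is_empty() { return Err(CallbackUrlError::UnresolvableHost); }
    match targets.into_iter().find(|ip| is_disallowed_ip(*ip, policy.allow_loopback)) {
        Some(ip) => Err(CallbackUrlError::DisallowedIp(ip)),
        None => Ok(()),
    }
}
```

Two properties worth keeping when porting this back onto a real resolver: a hostname with one public and one private record is rejected as a whole (the find over all targets, matching the "check all A/AAAA targets" wording of the commit), and a literal in an IPv6 wrapper is classified by its embedded IPv4 address. The check runs at validation time only; if the webhook is sent later, the client still needs the no-redirect setting from the PR so a 3xx cannot steer the request elsewhere after validation.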

- Validate context.callbackUrl before persisting (https only, no URL
  credentials, block private/reserved IPs; DNS-resolve hosts and check
  all A/AAAA targets). Optional RELAYX_CALLBACK_ALLOW_LOOPBACK and
  RELAYX_CALLBACK_SKIP_SSRF_CHECKS for dev/test.
- Webhook POST uses a shared reqwest client with redirects disabled and
  connect/send timeouts (issue #30).
- Remove derived Debug from Config; implement fmt::Debug with redacted
  relayer_private_key and sentry_dsn; add log_summary_for_tracing for
  startup logging (issue #31).
- Enable tokio net for lookup_host; document env vars in README.

Fixes #30. Fixes #31.
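The #31 change (manual fmt::Debug for Config that prints <redacted> / <none> for the secret fields, plus a secret-free startup summary) as an added example. It is not the project's Config: the two secret field names are the ones this PR names, rpc_url and chain_id are placeholders, and log_summary_for_tracing is assumed here to return a String rather than emit a tracing event directly.

```rust
use std::fmt;

/// Relayer configuration. relayer_private_key and sentry_dsn are the fields
/// the PR redacts; rpc_url and chain_id are placeholders for this example.
pub struct Config {
    pub rpc_url: String,
    pub chain_id: u64,
    pub relayer_private_key: String,
    pub sentry_dsn: Option<String>,
}

/// Debug shim for a secret: reports whether it is set, never its value.
struct Redacted<'a>(Option<&'a str>);

impl fmt::Debug for Redacted<'_> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str(if self.0.is_some() { "<redacted>" } else { "<none>" })
    }
}

// No #[derive(Debug)] on Config: a derive prints every field verbatim, which is
// exactly how the key and DSN reached the logs before this PR.
impl fmt::Debug for Config {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("Config")
            .field("rpc_url", &self.rpc_url)
            .field("chain_id", &self.chain_id)
            .field("relayer_private_key", &Redacted(Some(self.relayer_private_key.as_str())))
            .field("sentry_dsn", &Redacted(self.sentry_dsn.as_deref()))
            .finish()
    }
}

impl Config {
    /// Startup summary with no secret material (assumed signature: returns
    /// the line to log instead of calling tracing itself).
    pub fn log_summary_for_tracing(&self) -> String {
        format!(
            "rpc_url={} chain_id={} relayer_key_set={} sentry_dsn_set={}",
            self.rpc_url,
            self.chain_id,
            !self.relayer_private_key.is_empty(),
            self.sentry_dsn.is_some()
        )
    }
}

/// Any struct that embeds Config and derives Debug inherits the redaction,
/// so a `{:?}` of the whole application state stays safe too.
#[derive(Debug)]
pub struct AppState {
    pub config: Config,
    pub ready: bool,
}

fn main() {
    // Constructed sample values; nothing here is a real key or DSN.
    let state = AppState {
        config: Config {
            rpc_url: "https://rpc.example.invalid".into(),
            chain_id: 1,
            relayer_private_key: "0xCONSTRUCTED_SECRET".into(),
            sentry_dsn: None,
        },
        ready: true,
    };
    println!("{:#?}", state);
    println!("{}", state.config.log_summary_for_tracing());
}
```

The newtype keeps the redaction decision in one place: adding a third secret later means wrapping one more field, and a `{:?}` or `{:#?}` anywhere in the code base (including inside an outer struct that still derives Debug) goes through the same impl.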
…onfig

- Replace redundant matches!(bool, true) with a small env_truthy helper
  (clippy::redundant_pattern_matching under -D warnings).
- Add .circleci/config.yml noop job so the linked CircleCI project stops
  failing with "no configuration found" until the app is disabled.
Comment thread on .circleci/config.yml

Member:

Is this only a fallback until CI is connected to Circle?

@nikhilkumar1612 nikhilkumar1612 (Member) left a comment

lgtm

Resolve callback.rs: keep OKX transaction-status webhook from master and
the shared reqwest client (no redirects, timeouts) from the security branch.
@ch4r10t33r ch4r10t33r merged commit dfba6c4 into master May 12, 2026
8 checks passed

Development

Successfully merging this pull request may close these issues:

  • #31 Security: Relayer private key and DSN can leak via Debug logging of Config
  • #30 Security: SSRF and abuse risk from unvalidated context.callbackUrl

2 participants