mirror of
https://github.com/chatwoot/chatwoot.git
synced 2026-06-13 21:01:16 +08:00
Self-hosted installations can now opt SafeFetch into private-network access after SSRF hardening. The default remains unchanged: private IP destinations are blocked unless the instance owner explicitly enables private-network requests with `SAFE_FETCH_ALLOW_PRIVATE_NETWORK=true`.

Fixes https://linear.app/chatwoot/issue/CW-7131
Fixes https://github.com/chatwoot/chatwoot/issues/14489
Fixes https://github.com/chatwoot/chatwoot/issues/14494

## How to use

For self-hosted installations that need API inbox webhooks, or other SafeFetch-backed requests, to call trusted private services, enable private-network access with a single environment variable:

```bash
SAFE_FETCH_ALLOW_PRIVATE_NETWORK=true
```

This is disabled by default. Enable it only when the instance owner controls the deployment network and trusts the configured URLs.

| | | |
|---|---|---|
| .. | ||
| captain | ||
| email_templates | ||
| integrations | ||
| redis | ||
| webhooks | ||
| base_markdown_renderer_spec.rb | ||
| chatwoot_captcha_spec.rb | ||
| chatwoot_exception_tracker_spec.rb | ||
| chatwoot_hub_spec.rb | ||
| chatwoot_markdown_renderer_spec.rb | ||
| config_loader_spec.rb | ||
| custom_markdown_renderer_spec.rb | ||
| dyte_spec.rb | ||
| global_config_service_spec.rb | ||
| global_config_spec.rb | ||
| linear_spec.rb | ||
| online_status_tracker_spec.rb | ||
| safe_fetch_spec.rb | ||
| vapid_service_spec.rb | ||