CodeCow/chatwoot
1
0
Fork 0
mirror of https://github.com/chatwoot/chatwoot.git synced 2026-06-04 21:02:35 +08:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity
f27bbef73b
chatwoot/lib/safe_fetch
History
Vishnu Narayanan 7c16071fc7
fix: Support allowlisted private API inbox webhooks (#14548) 
Self-hosted installations can now opt SafeFetch into private-network
access after SSRF hardening. The default remains unchanged: private IP
destinations are blocked unless the instance owner explicitly enables
private-network requests with `SAFE_FETCH_ALLOW_PRIVATE_NETWORK=true`.

Fixes https://linear.app/chatwoot/issue/CW-7131
Fixes https://github.com/chatwoot/chatwoot/issues/14489
Fixes https://github.com/chatwoot/chatwoot/issues/14494

## How to use

For self-hosted installations that need API inbox webhooks, or other
SafeFetch-backed requests, to call trusted private services, enable
private-network access with a single environment variable:

```bash
SAFE_FETCH_ALLOW_PRIVATE_NETWORK=true
```

This is disabled by default. Enable it only when the instance owner
controls the deployment network and trusts the configured URLs.
2026-05-26 17:03:19 +05:30
..
fetcher.rb fix: Support allowlisted private API inbox webhooks (#14548) 2026-05-26 17:03:19 +05:30
private_network_request.rb fix: Support allowlisted private API inbox webhooks (#14548) 2026-05-26 17:03:19 +05:30
request_options.rb fix: Support allowlisted private API inbox webhooks (#14548) 2026-05-26 17:03:19 +05:30