Compare commits

...

3 commits

Author SHA1 Message Date
Nicolas Meienberger
1d66a20686
fix(notifications): validate webhook headers and show delivery health
Some checks failed
Release Workflow / e2e-tests (push) Has been cancelled
Release Workflow / determine-release-type (push) Has been cancelled
Release Workflow / checks (push) Has been cancelled
Release Workflow / request-docs-version-update (push) Has been cancelled
Release Workflow / build-images (push) Has been cancelled
Release Workflow / publish-release (push) Has been cancelled
2026-05-04 21:30:09 +02:00
Nicolas Meienberger
ade31e7e95
fix: avoid unnecessary webhook allowlist checks on notification edits 2026-05-04 20:18:46 +02:00
Nicolas Meienberger
6a47af58c7
fix(notifications): preserve existing destinations with target allowlist
Some checks failed
Release Workflow / determine-release-type (push) Has been cancelled
Release Workflow / checks (push) Has been cancelled
Release Workflow / e2e-tests (push) Has been cancelled
Release Workflow / build-images (push) Has been cancelled
Release Workflow / publish-release (push) Has been cancelled
Release Workflow / request-docs-version-update (push) Has been cancelled
2026-05-04 19:48:55 +02:00
17 changed files with 180 additions and 61 deletions

View file

@ -79,34 +79,6 @@ jobs:
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build docker image
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
with:
context: .
target: production
platforms: linux/amd64
push: false
load: true
tags: local/zerobyte:ci
build-args: |
APP_VERSION=${{ needs.determine-release-type.outputs.tagname }}
- name: Scan new image for vulnerabilities
if: needs.determine-release-type.outputs.release_type == 'release'
uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7
id: scan
with:
image: local/zerobyte:ci
fail-build: false
only-fixed: true
severity-cutoff: critical
- name: upload Anchore scan report
if: needs.determine-release-type.outputs.release_type == 'release'
uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
- name: Docker meta
id: meta
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6

View file

@ -116,6 +116,26 @@ Zerobyte can be customized using environment variables. Below are the available
| `RCLONE_CONFIG_DIR` | Path to the directory containing `rclone.conf` inside the container. Change this if running as a non-root user. | `/root/.config/rclone` |
| `PROVISIONING_PATH` | Path to a JSON file with operator-managed repositories and volumes to sync at startup. | (none) |
### Webhook and Notification Network Policy
Backup webhooks and outbound notification destinations that can target arbitrary network hosts are restricted by `WEBHOOK_ALLOWED_ORIGINS`.
The allowlist matches exact origins only: scheme, host, and port must match. Paths are ignored, so `https://hooks.example.com/backups` allows any path on `https://hooks.example.com`, but it does not allow `http://hooks.example.com`, `https://hooks.example.com:8443`, or `https://other.example.com`.
This policy applies to:
- backup pre/post webhook URLs
- Generic HTTP notification URLs
- Gotify server URLs
- self-hosted ntfy server URLs
- custom Shoutrrr URLs that point at generic HTTP or SMTP network targets
The public ntfy.sh service and fixed-provider notification services such as Slack, Discord, Pushover, and Telegram do not need `WEBHOOK_ALLOWED_ORIGINS`.
Backup webhooks do not follow redirects. Add the final destination origin to `WEBHOOK_ALLOWED_ORIGINS` and configure that final URL directly.
Webhook headers are stored as plain text and must use one `Key: Value` header per line. `WEBHOOK_TIMEOUT` controls backup pre/post webhook request timeouts; notification delivery uses the underlying provider sender behavior.
### Provisioned Resources
Zerobyte can sync operator-managed repositories and volumes from a JSON file at startup. This is useful when you want credentials or connection details to live in deployment-time configuration instead of being entered through the UI.

View file

@ -31,7 +31,9 @@ const WebhookFields = ({ form, phase, urlPlaceholder, bodyPlaceholder, descripti
<FormControl>
<Input {...field} type="url" placeholder={urlPlaceholder} />
</FormControl>
<FormDescription>{description}</FormDescription>
<FormDescription>
{description} The URL origin must be listed in WEBHOOK_ALLOWED_ORIGINS; redirects are not followed.
</FormDescription>
<FormMessage />
</FormItem>
)}

View file

@ -31,7 +31,8 @@ export const CustomForm = ({ form }: Props) => {
>
Shoutrrr documentation
</a>
&nbsp;for supported services and URL formats.
&nbsp;for supported services and URL formats. Custom HTTP, generic, and SMTP network targets must be listed
in WEBHOOK_ALLOWED_ORIGINS.
</FormDescription>
<FormMessage />
</FormItem>

View file

@ -15,7 +15,7 @@ const WebhookPreview = ({ values }: { values: Partial<NotificationFormValues> })
if (values.type !== "generic") return null;
const contentType = values.contentType || "application/json";
const headers = values.headers || [];
const headers = values.headers?.filter(Boolean) || [];
const useJson = values.useJson;
const titleKey = values.titleKey || "title";
const messageKey = values.messageKey || "message";
@ -60,7 +60,7 @@ export const GenericForm = ({ form }: Props) => {
<FormControl>
<Input {...field} placeholder="https://api.example.com/webhook" />
</FormControl>
<FormDescription>The target URL for the webhook.</FormDescription>
<FormDescription>The target origin must be listed in WEBHOOK_ALLOWED_ORIGINS.</FormDescription>
<FormMessage />
</FormItem>
)}
@ -110,10 +110,19 @@ export const GenericForm = ({ form }: Props) => {
{...field}
placeholder="Authorization: Bearer token&#10;X-Custom-Header: value"
value={Array.isArray(field.value) ? field.value.join("\n") : ""}
onChange={(e) => field.onChange(e.target.value.split("\n"))}
onChange={(e) =>
field.onChange(
e.target.value
.split("\n")
.map((header) => header.trim())
.filter(Boolean),
)
}
/>
</FormControl>
<FormDescription>One header per line in Key: Value format.</FormDescription>
<FormDescription>
One header per line in Key: Value format. Values are stored as plain text.
</FormDescription>
<FormMessage />
</FormItem>
)}

View file

@ -20,7 +20,9 @@ export const GotifyForm = ({ form }: Props) => {
<FormControl>
<Input {...field} placeholder="https://gotify.example.com" />
</FormControl>
<FormDescription>Your self-hosted Gotify server URL.</FormDescription>
<FormDescription>
Your self-hosted Gotify server URL. Its origin must be listed in WEBHOOK_ALLOWED_ORIGINS.
</FormDescription>
<FormMessage />
</FormItem>
)}

View file

@ -21,7 +21,10 @@ export const NtfyForm = ({ form }: Props) => {
<FormControl>
<Input {...field} placeholder="https://ntfy.example.com" />
</FormControl>
<FormDescription>Leave empty to use ntfy.sh public service.</FormDescription>
<FormDescription>
Leave empty to use ntfy.sh public service. Self-hosted ntfy origins must be listed in
WEBHOOK_ALLOWED_ORIGINS.
</FormDescription>
<FormMessage />
</FormItem>
)}

View file

@ -41,6 +41,7 @@ import {
Mail,
AtSign,
AlertCircle,
Clock,
MessageSquare,
Pencil,
Server,
@ -298,6 +299,26 @@ export function NotificationDetailsPage({ notificationId }: { notificationId: st
</div>
</Card>
<Card className="px-6 py-6">
<CardTitle className="flex items-center gap-2 mb-5">
<Clock className="h-4 w-4 text-muted-foreground" />
Delivery Health
</CardTitle>
<div className="space-y-0 divide-y divide-border/50">
<ConfigRow
icon={<Bell className="h-4 w-4" />}
label="Status"
value={getStatusLabel(data.enabled, data.status)}
/>
<ConfigRow icon={<Settings className="h-4 w-4" />} label="Enabled" value={data.enabled ? "Yes" : "No"} />
<ConfigRow
icon={<Clock className="h-4 w-4" />}
label="Last Checked"
value={data.lastChecked ? formatDateTime(data.lastChecked) : "Never"}
/>
</div>
</Card>
<Card className={cn("px-6 py-6", { hidden: !data.lastError })}>
<CardTitle className="flex items-center gap-2 mb-3 text-red-600">
<AlertCircle className="h-4 w-4" />

View file

@ -14,6 +14,13 @@ export const NOTIFICATION_TYPES = {
export type NotificationType = keyof typeof NOTIFICATION_TYPES;
const headerNamePattern = /^[A-Za-z0-9-]+$/;
const notificationHeaderSchema = z.string().refine((header) => {
const [key, value] = header.split(":", 2);
return !!key && headerNamePattern.test(key.trim()) && (value?.trim().length ?? 0) > 0;
}, "Headers must use non-empty Key: Value format with valid header names");
export const emailNotificationConfigSchema = z.object({
type: z.literal("email"),
smtpHost: z.string().min(1),
@ -79,7 +86,7 @@ export const genericNotificationConfigSchema = z.object({
url: z.string().min(1),
method: z.enum(["GET", "POST"]),
contentType: z.string().optional(),
headers: z.array(z.string()).optional(),
headers: z.array(notificationHeaderSchema).optional(),
useJson: z.boolean().optional(),
titleKey: z.string().optional(),
messageKey: z.string().optional(),

View file

@ -424,6 +424,7 @@ describe("backup execution - validation failures", () => {
describe("stop backup", () => {
test("should keep restic warning details when backup completes with read errors", async () => {
const { resticBackupMock } = setup();
const notificationSpy = vi.spyOn(notificationsService, "sendBackupNotification").mockResolvedValue();
const volume = await createTestVolume();
const repository = await createTestRepository();
const schedule = await createTestBackupSchedule({
@ -446,6 +447,11 @@ describe("stop backup", () => {
const updatedSchedule = await getScheduleByIdOrShortId(schedule.id);
expect(updatedSchedule.lastBackupStatus).toBe("warning");
expect(updatedSchedule.lastBackupError).toBe("error: open /mnt/data/private.db: permission denied");
expect(notificationSpy).toHaveBeenLastCalledWith(
schedule.id,
"warning",
expect.objectContaining({ error: "error: open /mnt/data/private.db: permission denied" }),
);
});
test("should store restic diagnostic details instead of the generic summary on hard failure", async () => {

View file

@ -201,6 +201,7 @@ export async function finalizeSuccessfulBackup(
volumeName: ctx.volume.name,
repositoryName: ctx.repository.name,
scheduleName: ctx.schedule.name,
error: finalStatus === "warning" ? (warningDetails ?? undefined) : undefined,
summary: result ?? undefined,
})
.catch((error) => {

View file

@ -2,7 +2,7 @@ import { describe, expect, test } from "vitest";
import { assertNotificationTargetAllowed } from "../utils/notification-target-policy";
describe("assertNotificationTargetAllowed", () => {
test("requires email SMTP targets to match the allowlist", () => {
test("allows built-in email SMTP targets without the webhook allowlist", () => {
const notificationConfig = {
type: "email" as const,
smtpHost: "smtp.example.com",
@ -12,12 +12,7 @@ describe("assertNotificationTargetAllowed", () => {
useTLS: true,
};
expect(() => assertNotificationTargetAllowed(notificationConfig, [])).toThrow(
"Add smtp://smtp.example.com:587 to WEBHOOK_ALLOWED_ORIGINS",
);
expect(() => assertNotificationTargetAllowed(notificationConfig, ["smtp://smtp.example.com:587"])).not.toThrow();
expect(() => assertNotificationTargetAllowed(notificationConfig, ["smtp://smtp.example.com:25"])).toThrow();
expect(() => assertNotificationTargetAllowed(notificationConfig, [])).not.toThrow();
});
test("rejects notification types that are not classified by the SSRF policy", () => {

View file

@ -6,6 +6,7 @@ import { createTestSession } from "~/test/helpers/auth";
import * as shoutrrr from "~/server/utils/shoutrrr";
import { notificationsService } from "../notifications.service";
import { serverEvents } from "~/server/core/events";
import { cryptoUtils } from "~/server/utils/crypto";
afterEach(() => {
vi.restoreAllMocks();
@ -84,3 +85,62 @@ describe("notificationsService.testDestination", () => {
});
});
});
describe("notificationsService.updateDestination", () => {
test("updates metadata for an existing encrypted custom destination without revalidating the encrypted URL", async () => {
const { organizationId, user } = await createTestSession();
await withContext({ organizationId, userId: user.id }, async () => {
const resolveSecretSpy = vi.spyOn(cryptoUtils, "resolveSecret").mockResolvedValue("discord://token@webhookid");
const [destination] = await db
.insert(notificationDestinationsTable)
.values({
name: "Custom webhook",
type: "custom",
config: { type: "custom", shoutrrrUrl: "encv1:stored-secret" },
organizationId,
})
.returning();
const updated = await notificationsService.updateDestination(destination.id, { name: "Renamed webhook" });
expect(updated.name).toBe("Renamed webhook");
expect(updated.config).toMatchObject({ type: "custom", shoutrrrUrl: "encv1:stored-secret" });
expect(resolveSecretSpy).not.toHaveBeenCalled();
});
});
test("updates metadata for an existing destination without requiring webhook allowlist when config is unchanged", async () => {
const { organizationId, user } = await createTestSession();
await withContext({ organizationId, userId: user.id }, async () => {
const existingConfig = {
type: "generic" as const,
url: "https://hooks.example.com/backup",
method: "POST" as const,
};
const [destination] = await db
.insert(notificationDestinationsTable)
.values({
name: "Generic webhook",
type: "generic",
config: existingConfig,
organizationId,
})
.returning();
const updated = await notificationsService.updateDestination(destination.id, {
name: "Renamed webhook",
config: existingConfig,
});
expect(updated.name).toBe("Renamed webhook");
expect(updated.config).toMatchObject({
type: "generic",
url: "https://hooks.example.com/backup",
method: "POST",
});
});
});
});

View file

@ -104,16 +104,23 @@ const updateDestination = async (
updateData.enabled = updates.enabled;
}
const newConfigResult = notificationConfigSchema.safeParse(updates.config || existing.config);
if (!newConfigResult.success) {
throw new BadRequestError("Invalid notification configuration");
}
const newConfig = newConfigResult.data;
assertNotificationTargetAllowed(newConfig, serverConfig.webhookAllowedOrigins);
if (updates.config !== undefined) {
const newConfigResult = notificationConfigSchema.safeParse(updates.config);
if (!newConfigResult.success) {
throw new BadRequestError("Invalid notification configuration");
}
const newConfig = newConfigResult.data;
const resolvedConfig = await decryptNotificationConfig(newConfig);
const existingConfig = await decryptNotificationConfig(existing.config);
const encryptedConfig = await encryptNotificationConfig(newConfig);
updateData.config = encryptedConfig;
updateData.type = newConfig.type;
if (JSON.stringify(resolvedConfig) !== JSON.stringify(existingConfig)) {
assertNotificationTargetAllowed(resolvedConfig, serverConfig.webhookAllowedOrigins);
const encryptedConfig = await encryptNotificationConfig(newConfig);
updateData.config = encryptedConfig;
updateData.type = newConfig.type;
}
}
const [updated] = await db
.update(notificationDestinationsTable)

View file

@ -115,12 +115,7 @@ const getCustomShoutrrrTarget = (shoutrrrUrl: string) => {
const getNotificationTarget = (notificationConfig: NotificationConfig) => {
switch (notificationConfig.type) {
case "email": {
const smtpTarget = new URL("smtp://placeholder");
smtpTarget.hostname = notificationConfig.smtpHost;
smtpTarget.port = String(notificationConfig.smtpPort);
return `${smtpTarget.protocol}//${smtpTarget.host}`;
}
case "email":
case "slack":
case "discord":
case "pushover":

View file

@ -2,7 +2,7 @@ import { Effect } from "effect";
import { HttpResponse, http } from "msw";
import { setupServer } from "msw/node";
import { afterAll, afterEach, beforeAll, expect, test } from "vitest";
import { runBackupLifecycle } from "../index.js";
import { backupWebhookConfigSchema, runBackupLifecycle } from "../index.js";
const server = setupServer();
@ -458,6 +458,16 @@ test("rejects oversized webhook request bodies and headers", async () => {
expect(headersResult).toEqual({ status: "failed", error: "Webhook request headers exceed 8192 bytes" });
});
test("rejects malformed webhook header lines", () => {
expect(() => backupWebhookConfigSchema.parse({ url: "http://localhost:8080/pre", headers: ["Malformed"] })).toThrow(
"Headers must use non-empty Key: Value format with valid header names",
);
expect(() =>
backupWebhookConfigSchema.parse({ url: "http://localhost:8080/pre", headers: ["Bad Header: value"] }),
).toThrow("Headers must use non-empty Key: Value format with valid header names");
});
test("cancels before the pre-backup webhook without running the backup", async () => {
const abortController = new AbortController();
let backupRan = false;

View file

@ -6,9 +6,15 @@ import { toErrorDetails, toMessage } from "../utils/index.js";
const MAX_BACKUP_WEBHOOK_BODY_BYTES = 64 * 1024;
const MAX_BACKUP_WEBHOOK_HEADERS = 32;
const MAX_BACKUP_WEBHOOK_HEADER_BYTES = 8 * 1024;
const HEADER_NAME_PATTERN = /^[A-Za-z0-9-]+$/;
const getByteLength = (value: string) => new TextEncoder().encode(value).byteLength;
const getUrlOrigin = (url: string) => (URL.canParse(url) ? new URL(url).origin : null);
const isValidHeaderLine = (header: string) => {
const [key, value] = header.split(":", 2);
return !!key && HEADER_NAME_PATTERN.test(key.trim()) && (value?.trim().length ?? 0) > 0;
};
export const isAllowedWebhookUrl = (url: string, allowedOrigins: readonly string[]) => {
const webhookOrigin = getUrlOrigin(url);
@ -17,7 +23,9 @@ export const isAllowedWebhookUrl = (url: string, allowedOrigins: readonly string
export const backupWebhookConfigSchema = z.object({
url: z.url(),
headers: z.array(z.string()).optional(),
headers: z
.array(z.string().refine(isValidHeaderLine, "Headers must use non-empty Key: Value format with valid header names"))
.optional(),
body: z.string().optional(),
});