hub: prevent non-admin users from sending test alerts to internal hosts

2026-04-10 15:02:09 +02:00 · 2026-04-07 16:08:28 -04:00
parent 06fdd0e7a8
commit c3dffff5e4
5 changed files with 220 additions and 46 deletions
--- a/internal/alerts/alerts_api.go
+++ b/internal/alerts/alerts_api.go
@@ -3,7 +3,11 @@ package alerts
 import (
 	"database/sql"
 	"errors"
+	"net"
 	"net/http"
+	"net/url"
+	"slices"
+	"strings"

 	"github.com/pocketbase/dbx"
 	"github.com/pocketbase/pocketbase/core"
@@ -127,9 +131,62 @@ func (am *AlertManager) SendTestNotification(e *core.RequestEvent) error {
 	if err != nil || data.URL == "" {
 		return e.BadRequestError("URL is required", err)
 	}
+	// Only allow admins to send test notifications to internal URLs
+	if !e.Auth.IsSuperuser() && e.Auth.GetString("role") != "admin" {
+		internalURL, err := isInternalURL(data.URL)
+		if err != nil {
+			return e.BadRequestError(err.Error(), nil)
+		}
+		if internalURL {
+			return e.ForbiddenError("Only admins can send to internal destinations", nil)
+		}
+	}
 	err = am.SendShoutrrrAlert(data.URL, "Test Alert", "This is a notification from Beszel.", am.hub.Settings().Meta.AppURL, "View Beszel")
 	if err != nil {
 		return e.JSON(200, map[string]string{"err": err.Error()})
 	}
 	return e.JSON(200, map[string]bool{"err": false})
 }
+
+// isInternalURL checks if the given shoutrrr URL points to an internal destination (localhost or private IP)
+func isInternalURL(rawURL string) (bool, error) {
+	parsedURL, err := url.Parse(rawURL)
+	if err != nil {
+		return false, err
+	}
+
+	host := parsedURL.Hostname()
+	if host == "" {
+		return false, nil
+	}
+
+	if strings.EqualFold(host, "localhost") {
+		return true, nil
+	}
+
+	if ip := net.ParseIP(host); ip != nil {
+		return isInternalIP(ip), nil
+	}
+
+	// Some Shoutrrr URLs use the host position for service identifiers rather than a
+	// network hostname (for example, discord://token@webhookid). Restrict DNS lookups
+	// to names that look like actual hostnames so valid service URLs keep working.
+	if !strings.Contains(host, ".") {
+		return false, nil
+	}
+
+	ips, err := net.LookupIP(host)
+	if err != nil {
+		return false, nil
+	}
+
+	if slices.ContainsFunc(ips, isInternalIP) {
+		return true, nil
+	}
+
+	return false, nil
+}
+
+func isInternalIP(ip net.IP) bool {
+	return ip.IsPrivate() || ip.IsLoopback() || ip.IsUnspecified()
+}