From 85824faa2b8f25ca7a81755fba6e4a6ea9a668aa Mon Sep 17 00:00:00 2001
From: Pete Matsyburka <pete@docuseal.com>
Date: Tue, 25 Feb 2025 10:31:39 +0200
Subject: [PATCH] https webhooks

---
 lib/send_webhook_request.rb | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/lib/send_webhook_request.rb b/lib/send_webhook_request.rb
index d2e6ebf4..c4632c0a 100644
--- a/lib/send_webhook_request.rb
+++ b/lib/send_webhook_request.rb
@@ -3,10 +3,26 @@
 module SendWebhookRequest
   USER_AGENT = 'DocuSeal.com Webhook'
 
+  LOCALHOSTS = %w[0.0.0.0 127.0.0.1 localhost].freeze
+
+  HttpsError = Class.new(StandardError)
+  LocalhostError = Class.new(StandardError)
+
   module_function
 
   def call(webhook_url, event_type:, data:)
-    Faraday.post(webhook_url.url) do |req|
+    uri = begin
+      URI(webhook_url.url)
+    rescue URI::Error
+      Addressable::URI.parse(webhook_url.url).normalize
+    end
+
+    if Docuseal.multitenant?
+      raise HttpsError, 'Only HTTPS is allowed.' if uri.scheme != 'https'
+      raise LocalhostError, "Can't send to localhost." if uri.host.in?(LOCALHOSTS)
+    end
+
+    Faraday.post(uri) do |req|
       req.headers['Content-Type'] = 'application/json'
       req.headers['User-Agent'] = USER_AGENT
       req.headers.merge!(webhook_url.secret.to_h) if webhook_url.secret.present?