From 964b5d4e74c197f43170f22686257676d789f67b Mon Sep 17 00:00:00 2001
From: Pete Matsyburka
Date: Thu, 18 Dec 2025 12:45:33 +0200
Subject: [PATCH] validate webhook
---
 app/jobs/send_test_webhook_request_job.rb | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/app/jobs/send_test_webhook_request_job.rb b/app/jobs/send_test_webhook_request_job.rb
index 682a3aac..158363ec 100644
--- a/app/jobs/send_test_webhook_request_job.rb
+++ b/app/jobs/send_test_webhook_request_job.rb
@@ -7,6 +7,9 @@ class SendTestWebhookRequestJob
 USER_AGENT = 'DocuSeal.com Webhook'
+ HttpsError = Class.new(StandardError)
+ LocalhostError = Class.new(StandardError)
+
 def perform(params = {})
 submitter = Submitter.find_by(id: params['submitter_id'])
@@ -16,6 +19,17 @@ class SendTestWebhookRequestJob
 return unless webhook_url
+ if Docuseal.multitenant?
+ uri = begin
+ URI(webhook_url.url)
+ rescue URI::Error
+ Addressable::URI.parse(webhook_url.url).normalize
+ end
+
+ raise HttpsError, 'Only HTTPS is allowed.' if uri.scheme != 'https'
+ raise LocalhostError, "Can't send to localhost." if uri.host.in?(SendWebhookRequest::LOCALHOSTS)
+ end
+
 Faraday.post(webhook_url.url, { event_type: 'form.completed',
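Review bot: The localhost guard in the `Docuseal.multitenant?` branch compares the literal `uri.host` string against `SendWebhookRequest::LOCALHOSTS`, so it covers only the names on that list (its contents are not visible here) and not a hostname that resolves to a loopback, private or link-local address. Only the `Addressable` fallback is normalized; the `URI(...)` path keeps the host as typed, and a nil host passes `in?` without raising, so the host should be downcased and checked for presence before the comparison. I would also resolve the host and reject non-public addresses, as sketched below, and ideally connect to the address that was validated so the answer cannot change between the check and `Faraday.post`, which still receives the raw `webhook_url.url`. The body of `perform` continues outside the hunk, so whether the request follows redirects is not visible and should be confirmed.

```ruby
    if Docuseal.multitenant?
      # … unchanged: uri parsing with the Addressable fallback …

      raise HttpsError, 'Only HTTPS is allowed.' if uri.scheme != 'https'

      # Compare a normalized host so the list match does not depend on case or a trailing dot.
      host = uri.host.to_s.downcase.chomp('.')
      raise LocalhostError, "Can't send to localhost." if host.empty? || host.in?(SendWebhookRequest::LOCALHOSTS)

      # Sketch: reject names whose resolved addresses are not publicly routable.
      resolved = Addrinfo.getaddrinfo(host, nil, nil, :STREAM).map { |info| IPAddr.new(info.ip_address) }
      internal = resolved.any? { |ip| ip.loopback? || ip.private? || ip.link_local? }
      raise LocalhostError, "Can't send to localhost." if internal
    end
```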