Skip to content

fix: report webhook redirects as failures instead of silent success#1740

Open
namann5 wants to merge 1 commit into
utksh1:mainfrom
namann5:fix/webhook-redirect-silent-failure
Open

fix: report webhook redirects as failures instead of silent success#1740
namann5 wants to merge 1 commit into
utksh1:mainfrom
namann5:fix/webhook-redirect-silent-failure

Conversation

@namann5

@namann5 namann5 commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Description

Fixes #1739

\send_webhook()\ in
otification_service.py\ was validating webhook redirect targets against the SSRF blocklist but never actually following them or reporting failure. With \ ollow_redirects=False, the payload was never delivered to the final URL � yet the function returned (True, None), silently reporting success.

This means any webhook endpoint that returns a 3xx redirect causes security notifications to be silently dropped with no indication to the user.

Change

The redirect handler now returns (False, error_message)\ for all redirect outcomes instead of falling through to
eturn True, None:

Scenario Before After
Redirect to blocked IP (False, "Redirect to blocked IP range: ...")\ ? Same (unchanged)
Redirect to allowed IP ? (True, None)\ � silent failure ? (False, "Webhook returned HTTP 302 redirect to ..., payload not delivered")\
Redirect with empty Location header ? (True, None)\ � silent failure ? (False, "Webhook returned HTTP 302 with no Location header, payload not delivered")\
Redirect with relative URL (no hostname) ? (True, None)\ � silent failure ? (False, "Webhook returned HTTP 301 redirect with no hostname: ..., payload not delivered")\
Unresolvable redirect target (False, "Could not resolve redirect target: ...")\ ? Same (unchanged)

Testing

Added 3 new tests:

  • \ est_send_webhook_redirect_to_allowed_ip_reports_failure\ � redirect to a non-blocked IP returns (False, ...)\
  • \ est_send_webhook_redirect_empty_location\ � 3xx with no Location header returns (False, ...)\
  • \ est_send_webhook_redirect_relative_location\ � 3xx with relative URL returns (False, ...)\

All 35 existing notification tests continue to pass.

send_webhook() with follow_redirects=False was validating redirect
target IPs against the SSRF blocklist but then returning (True, None)
without actually delivering the payload. Security notifications would
silently fail to arrive at redirected webhook endpoints.

Now properly returns (False, ...) for all redirect outcomes:
- Redirect to blocked IP (unchanged)
- Redirect to allowed IP (new: reports non-delivery)
- Empty Location header (new: reports non-delivery)
- Relative redirect with no hostname (new: reports non-delivery)
- Unresolvable redirect target (unchanged)

Fixes utksh1#1739
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Critical: Webhook redirects silently report success without delivering payload

1 participant