🔒 security(triggers): validate HTTP trigger proxy URL scheme at config and runtime

s-b-e-n-s-o-n · s-b-e-n-s-o-n · commit 981f7f8eeaac · 2026-04-10T08:50:52.000-04:00
- Joi schema restricts proxy URLs to http/https schemes
- Runtime parser throws a clear error on unsupported schemes instead of silently constructing a bad proxy
- Documentation clarifies the accepted proxy URL formats
diff --git a/app/triggers/providers/http/Http.test.ts b/app/triggers/providers/http/Http.test.ts
@@ -113,6 +113,15 @@ describe('HTTP Trigger', () => {
     expect(() => http.validateConfiguration(config)).toThrow();
   });
 
+  test('should reject unsupported proxy URL schemes', async () => {
+    const config = {
+      url: 'https://example.com/webhook',
+      proxy: 'ftp://proxy:21',
+    };
+
+    expect(() => http.validateConfiguration(config)).toThrow();
+  });
+
   test('should validate GET method explicitly', async () => {
     const config = {
       url: 'https://example.com/webhook',
@@ -433,6 +442,21 @@ describe('HTTP Trigger', () => {
     );
   });
 
+  test('should fail closed on unsupported proxy URL schemes at runtime', async () => {
+    const { default: axios } = await import('axios');
+    axios.mockResolvedValue({ data: {} });
+    http.configuration = {
+      url: 'https://example.com/webhook',
+      method: 'POST',
+      proxy: 'ftp://proxy:21',
+    };
+
+    await expect(http.trigger({ name: 'test' })).rejects.toThrow(
+      'proxy URL scheme "ftp:" is unsupported',
+    );
+    expect(axios).not.toHaveBeenCalled();
+  });
+
   test('should use centralized outbound timeout when env override is set', async () => {
     const previousTimeout = process.env.DD_OUTBOUND_HTTP_TIMEOUT_MS;
     process.env.DD_OUTBOUND_HTTP_TIMEOUT_MS = '1234';
diff --git a/app/triggers/providers/http/Http.ts b/app/triggers/providers/http/Http.ts
@@ -15,10 +15,28 @@ interface HttpRequestOptions extends Omit<AxiosRequestConfig, 'proxy'> {
   };
 }
 
+const SUPPORTED_PROXY_PROTOCOLS = new Set(['http:', 'https:']);
+
 /**
  * HTTP Trigger implementation
  */
 class Http extends Trigger {
+  private parseProxyConfiguration(proxy: string): NonNullable<HttpRequestOptions['proxy']> {
+    const proxyUrl = new URL(proxy);
+    if (!SUPPORTED_PROXY_PROTOCOLS.has(proxyUrl.protocol)) {
+      throw new Error(
+        `Unable to configure HTTP trigger ${this.getId()}: proxy URL scheme "${proxyUrl.protocol}" is unsupported`,
+      );
+    }
+
+    const defaultProxyPort = proxyUrl.protocol === 'https:' ? 443 : 80;
+    const proxyPort = proxyUrl.port ? Number.parseInt(proxyUrl.port, 10) : defaultProxyPort;
+    return {
+      host: proxyUrl.hostname,
+      port: proxyPort,
+    };
+  }
+
   /**
    * Get the Trigger configuration schema.
    * @returns {*}
@@ -59,7 +77,9 @@ class Http extends Trigger {
           'auth.basic.passwordMissing': '"auth.password" is required',
           'auth.bearer.missing': '"auth.bearer" is required',
         }),
-      proxy: this.joi.string(),
+      proxy: this.joi.string().uri({
+        scheme: ['http', 'https'],
+      }),
     });
   }
 
@@ -120,13 +140,7 @@ class Http extends Trigger {
       }
     }
     if (this.configuration.proxy) {
-      const proxyUrl = new URL(this.configuration.proxy);
-      const defaultProxyPort = proxyUrl.protocol === 'https:' ? 443 : 80;
-      const proxyPort = proxyUrl.port ? Number.parseInt(proxyUrl.port, 10) : defaultProxyPort;
-      options.proxy = {
-        host: proxyUrl.hostname,
-        port: proxyPort,
-      };
+      options.proxy = this.parseProxyConfiguration(this.configuration.proxy);
     }
     const response = await axios(options);
     return response.data;
diff --git a/content/docs/current/configuration/triggers/http/index.mdx b/content/docs/current/configuration/triggers/http/index.mdx
@@ -18,7 +18,7 @@ The `http` trigger lets you send container update notifications via HTTP.
 | `DD_TRIGGER_HTTP_{trigger_name}_AUTH_USER` | ⚪ | The Auth user if BASIC Auth is enabled | | |
 | `DD_TRIGGER_HTTP_{trigger_name}_AUTH_PASSWORD` | ⚪ | The Auth user password if `BASIC` Auth is enabled | | |
 | `DD_TRIGGER_HTTP_{trigger_name}_AUTH_BEARER` | ⚪ | The Auth bearer token if `BEARER` Auth is enabled | | |
-| `DD_TRIGGER_HTTP_{trigger_name}_PROXY` | ⚪ | The HTTP Proxy | | |
+| `DD_TRIGGER_HTTP_{trigger_name}_PROXY` | ⚪ | The HTTP Proxy | Valid `http` or `https` proxy URL | |
 
 <Callout type="warn">HTTP trigger auth now fails closed. If `AUTH_TYPE=BASIC`, both `AUTH_USER` and `AUTH_PASSWORD` are required. If `AUTH_TYPE=BEARER`, `AUTH_BEARER` is required.</Callout>
 
