feat: validate that webhook does not point back to app

src/app/modules/webhook/webhook.utils.ts

@@ -1,6 +1,7 @@
 import { promises as dns } from 'dns'
 import ip from 'ip'
 
+import config from '../../../config/config'
 import { isValidHttpsUrl } from '../../../shared/util/url-validation'
 
 import { WebhookValidationError } from './webhook.errors'
@@ -18,9 +19,17 @@ export const validateWebhookUrl = (webhookUrl: string): Promise<any> => {
         new WebhookValidationError(`${webhookUrl} is not a valid HTTPS URL.`),
       )
     }
-    const urlParsed = new URL(webhookUrl)
+    const webhookUrlParsed = new URL(webhookUrl)
+    const appUrlParsed = new URL(config.app.appUrl)
+    if (webhookUrlParsed.hostname === appUrlParsed.hostname) {
+      return reject(
+        new WebhookValidationError(
+          `You cannot send responses back to ${config.app.appUrl}.`,
+        ),
+      )
+    }
     dns
-      .resolve(urlParsed.hostname)
+      .resolve(webhookUrlParsed.hostname)
       .then((addresses) => {
         if (!addresses.length) {
           return reject(

tests/.test-basic-env

@@ -16,4 +16,5 @@ AWS_ACCESS_KEY_ID=fakeAccessKeyId
 AWS_SECRET_ACCESS_KEY=fakeSecretAccessKey
 SESSION_SECRET=sandcrawler-138577
 
-AWS_ENDPOINT=http://localhost:4566
+AWS_ENDPOINT=http://localhost:4566
+APP_URL=https://example.com

tests/.test-full-env

@@ -64,4 +64,6 @@ MOCK_WEBHOOK_PORT=4000
 AWS_ACCESS_KEY_ID=fakeAccessKeyId
 AWS_SECRET_ACCESS_KEY=fakeSecretAccessKey
 
-AWS_ENDPOINT=http://localhost:4566
+AWS_ENDPOINT=http://localhost:4566
+
+APP_URL=https://example.com

tests/unit/backend/modules/webhook/webhook.utils.spec.ts

@@ -37,4 +37,14 @@ describe('Webhook URL validation', () => {
       ),
     )
   })
+
+  it('should reject URLs in the same domain as the app URL', async () => {
+    await expect(
+      validateWebhookUrl('https://example.com/test'),
+    ).rejects.toStrictEqual(
+      new WebhookValidationError(
+        'You cannot send responses back to https://example.com.',
+      ),
+    )
+  })
 })