Due to the shared code base, gitea is affected by issue https://github.com/gogs/gogs/issues/5366 (server-side request forgery (SSRF) vulnerability in webhooks).
To reproduce:
Probably there should be an IP/subnet blacklist which could be configured in the ini file or via the admin panel.
But this functionality should be configurable because in some situations a webhook may point to a server on the same machine.
There could also be a checkbox which allows bypassing the protection for certain webhooks, but this checkbox should be visible and editable by server administrators only (like regular hooks) and auto-reset to off if the webhook URL is modified by a non-admin user.
Webhook URLs should never be allowed to point to localhost, 127.0.0.1, ::1, the server name, the server IP address, etc. (one might consider an isAdmin() exception though).
The code that needs to get changed is here: https://github.com/go-gitea/gitea/blob/master/modules/httplib/httplib.go#L315-L339
Some similar code can be found here: https://github.com/hakobe/paranoidhttp/blob/master/client.go#L109
A note that Dial is deprecated and should be changed to DialContext.
Default IP black list should block the local network, and admin can change this by hand.
I think it needs some kind of admin setting in app.ini to disable that
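As an added example (not gitea's or paranoidhttp's code), the following Go program shows the shape of the fix discussed above: a default blacklist of loopback, private, link-local and unspecified ranges, an administrator-configured exception list standing in for the proposed app.ini setting, and an http.Transport whose DialContext resolves the webhook host and refuses internal addresses at connection time, so redirects are covered too. All names (forbiddenNets, IsForbiddenIP, CheckWebhookHost, SafeDialContext, NewWebhookClient) and the sample addresses are hypothetical.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"time"
)

// forbiddenNets is the default blacklist: loopback, RFC 1918 private ranges,
// link-local (which covers common cloud metadata endpoints), CGNAT, IPv6
// unique-local/link-local, and the unspecified addresses.
var forbiddenNets = mustParseCIDRs(
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
	"::1/128", "fc00::/7", "fe80::/10", "::/128",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err) // the literals above are well-formed
		}
		nets = append(nets, n)
	}
	return nets
}

// IsForbiddenIP reports whether ip falls in a forbidden range. allow holds
// administrator-configured exceptions (hypothetical app.ini setting) and is
// consulted first, so an admin can re-enable one specific internal host.
// net.IPNet.Contains normalises IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1.
func IsForbiddenIP(ip net.IP, allow []*net.IPNet) bool {
	for _, n := range allow {
		if n.Contains(ip) {
			return false
		}
	}
	for _, n := range forbiddenNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// CheckWebhookHost resolves host and returns the vetted addresses. It fails if
// any answer is forbidden, so a name mixing public and internal records cannot
// slip past. IP literals are answered by the resolver without a DNS query.
func CheckWebhookHost(ctx context.Context, host string, allow []*net.IPNet) ([]net.IP, error) {
	addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	ips := make([]net.IP, 0, len(addrs))
	for _, a := range addrs {
		if IsForbiddenIP(a.IP, allow) {
			return nil, fmt.Errorf("webhook host %q resolves to forbidden address %s", host, a.IP)
		}
		ips = append(ips, a.IP)
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("webhook host %q has no addresses", host)
	}
	return ips, nil
}

// SafeDialContext returns a DialContext for http.Transport. Checking at dial
// time rather than only validating the URL once also covers redirects, since
// every new connection passes through here. The vetted IP is dialled directly
// so DNS cannot change between the check and the connect.
func SafeDialContext(allow []*net.IPNet) func(ctx context.Context, network, addr string) (net.Conn, error) {
	d := &net.Dialer{Timeout: 10 * time.Second}
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		ips, err := CheckWebhookHost(ctx, host, allow)
		if err != nil {
			return nil, err
		}
		return d.DialContext(ctx, network, net.JoinHostPort(ips[0].String(), port))
	}
}

// NewWebhookClient builds the client that webhook deliveries should use.
func NewWebhookClient(allow []*net.IPNet) *http.Client {
	return &http.Client{
		Timeout:   30 * time.Second,
		Transport: &http.Transport{DialContext: SafeDialContext(allow)},
	}
}

func main() {
	// Constructed admin exception: one internal CI host is permitted.
	allow := mustParseCIDRs("10.0.5.7/32")
	for _, h := range []string{"127.0.0.1", "10.0.5.7", "169.254.169.254", "::1"} {
		_, err := CheckWebhookHost(context.Background(), h, allow)
		fmt.Printf("%-16s -> %v\n", h, err)
	}
	_ = NewWebhookClient(allow)
}
```

Because the check lives in the dialer rather than in URL validation, a webhook target that first answers with a public address and later redirects or re-resolves to an internal one is still rejected; the admin exception list is the only way through, which matches the "ask an admin to add it" model proposed in the thread.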
I love the idea to limit webhooks using internal ip address range to admin permission since the admin has knowledge about internal server infrastructure / services.
So if a project / repository needs that they can request an admin to add this webhook.
@daviian: still, non-admin users should probably not be allowed to create webhooks pointing to the local server, or is there some use case where this seems useful (and harmless)?
@Siesh1oo yes, you're right. Non-admin users shouldn't be allowed to add such webhooks. If they need to, for whatever reason, they should be required to ask an admin to do so.