coolify/tests/Unit/SendWebhookJobTest.php

<?php

use App\Jobs\SendWebhookJob;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Log;
use Tests\TestCase;

uses(TestCase::class);

it('sends webhook to valid URLs', function () {
    Http::fake(['*' => Http::response('ok', 200)]);

    $job = new SendWebhookJob(
        payload: ['event' => 'test'],
        webhookUrl: 'https://example.com/webhook'
    );

    $job->handle();

    Http::assertSent(function ($request) {
        return $request->url() === 'https://example.com/webhook';
    });
});

it('blocks webhook to loopback address', function () {
    Http::fake();
    Log::shouldReceive('warning')
        ->once()
        ->withArgs(function ($message) {
            return str_contains($message, 'blocked unsafe webhook URL');
        });

    $job = new SendWebhookJob(
        payload: ['event' => 'test'],
        webhookUrl: 'http://127.0.0.1/admin'
    );

    $job->handle();

    Http::assertNothingSent();
});

it('blocks webhook to cloud metadata endpoint', function () {
    Http::fake();
    Log::shouldReceive('warning')
        ->once()
        ->withArgs(function ($message) {
            return str_contains($message, 'blocked unsafe webhook URL');
        });

    $job = new SendWebhookJob(
        payload: ['event' => 'test'],
        webhookUrl: 'http://169.254.169.254/latest/meta-data/'
    );

    $job->handle();

    Http::assertNothingSent();
});

it('blocks webhook to localhost', function () {
    Http::fake();
    Log::shouldReceive('warning')
        ->once()
        ->withArgs(function ($message) {
            return str_contains($message, 'blocked unsafe webhook URL');
        });

    $job = new SendWebhookJob(
        payload: ['event' => 'test'],
        webhookUrl: 'http://localhost/internal-api'
    );

    $job->handle();

    Http::assertNothingSent();
});
fix(webhooks): add validation to block unsafe webhook URLs Prevent server-side request forgery (SSRF) attacks by validating webhook URLs before sending requests. Blocks loopback addresses, cloud metadata endpoints, and localhost URLs. - Add SafeWebhookUrl rule validation in SendWebhookJob.handle() - Log warning when unsafe URLs are rejected - Add comprehensive unit tests covering valid and invalid URL scenarios 2026-03-28 13:23:08 +00:00			`<?php`

			`use App\Jobs\SendWebhookJob;`
			`use Illuminate\Support\Facades\Http;`
			`use Illuminate\Support\Facades\Log;`
			`use Tests\TestCase;`

			`uses(TestCase::class);`

			`it('sends webhook to valid URLs', function () {`
			`Http::fake(['*' => Http::response('ok', 200)]);`

			`$job = new SendWebhookJob(`
			`payload: ['event' => 'test'],`
			`webhookUrl: 'https://example.com/webhook'`
			`);`

			`$job->handle();`

			`Http::assertSent(function ($request) {`
			`return $request->url() === 'https://example.com/webhook';`
			`});`
			`});`

			`it('blocks webhook to loopback address', function () {`
			`Http::fake();`
			`Log::shouldReceive('warning')`
			`->once()`
			`->withArgs(function ($message) {`
			`return str_contains($message, 'blocked unsafe webhook URL');`
			`});`

			`$job = new SendWebhookJob(`
			`payload: ['event' => 'test'],`
			`webhookUrl: 'http://127.0.0.1/admin'`
			`);`

			`$job->handle();`

			`Http::assertNothingSent();`
			`});`

			`it('blocks webhook to cloud metadata endpoint', function () {`
			`Http::fake();`
			`Log::shouldReceive('warning')`
			`->once()`
			`->withArgs(function ($message) {`
			`return str_contains($message, 'blocked unsafe webhook URL');`
			`});`

			`$job = new SendWebhookJob(`
			`payload: ['event' => 'test'],`
			`webhookUrl: 'http://169.254.169.254/latest/meta-data/'`
			`);`

			`$job->handle();`

			`Http::assertNothingSent();`
			`});`

			`it('blocks webhook to localhost', function () {`
			`Http::fake();`
			`Log::shouldReceive('warning')`
			`->once()`
			`->withArgs(function ($message) {`
			`return str_contains($message, 'blocked unsafe webhook URL');`
			`});`

			`$job = new SendWebhookJob(`
			`payload: ['event' => 'test'],`
			`webhookUrl: 'http://localhost/internal-api'`
			`);`

			`$job->handle();`

			`Http::assertNothingSent();`
			`});`