CVE-2022-X87X

The "Code Review Patch" challenge is an engaging and educational exercise designed to enhance your code review skills. In this challenge, you are presented with both the original vulnerable code and the patch that fixes the issue. Your primary objective is to identify the vulnerability in the code without immediately relying on the patch. This approach encourages a deeper understanding of common coding flaws and security vulnerabilities. However, if you find it challenging to spot the issue or want to verify your findings, you can refer to the patch (the diff file) for confirmation. The solution to the challenge is the line where the vulnerable function is defined.

This particular challenge features a scenario involving a webhook implementation in a Go application. You'll examine code from internal/route/repo/webhook.go, focusing on how webhooks are validated and created. The patch provided addresses a critical security flaw related to Server-Side Request Forgery (SSRF). The patch replaces a local function isLocalHostname with a more comprehensive utility function netutil.IsLocalHostname to prevent non-admin users from using local addresses for webhooks, thereby enhancing security.