feat(webhooks): simplify host whitelist with permissive default (mcuadros#410)

## Summary

Simplifies webhook security to follow the same trust model as local
command execution: **if you control the configuration, you control the
behavior**.

- `webhook-allowed-hosts` defaults to `*` (allow all hosts)
- Setting specific hosts enables whitelist mode
- Removed complex SSRF blocking (inconsistent with local command trust
model)

Closes mcuadros#407

## Security Model

Since Ofelia already trusts users to:
- Run arbitrary commands via `job-local`
- Execute commands in containers via `job-exec`

It applies the same trust level to webhook destinations. The user
controls the config; the user controls what happens.

## Configuration

| Setting | Behavior |
|---------|----------|
| `webhook-allowed-hosts = *` (default) | All hosts allowed |
| `webhook-allowed-hosts = hooks.slack.com, ntfy.internal` | Whitelist
mode |

### Default (self-hosted environments)
No configuration needed - all hosts work out of the box:
```ini
# No config required - webhook-allowed-hosts defaults to "*"
```

### Whitelist mode (cloud/multi-tenant deployments)
```ini
[global]
webhook-allowed-hosts = hooks.slack.com, discord.com, ntfy.internal, 192.168.1.20
```

Supports wildcards:
```ini
[global]
webhook-allowed-hosts = *.slack.com, *.internal.example.com
```

## Test Plan

- [x] Unit tests for default `*` configuration (allow all)
- [x] Unit tests for whitelist mode with specific hosts
- [x] Unit tests for wildcard matching
- [x] Documentation updated (webhooks.md, SECURITY.md)
- [x] All existing tests pass

Author: CybotTM

cli/config_webhook.go

@@ -169,6 +169,11 @@ func parseGlobalWebhookConfig(section *ini.Section, c *Config) {
 	if key, err := section.GetKey("preset-cache-dir"); err == nil {
 		c.WebhookConfigs.Global.PresetCacheDir = key.String()
 	}
+
+	// Host whitelist: "*" = allow all (default), specific list = whitelist mode
+	if key, err := section.GetKey("webhook-allowed-hosts"); err == nil {
+		c.WebhookConfigs.Global.AllowedHosts = key.String()
+	}
 }
 
 // JobWebhookConfig holds per-job webhook configuration

docs/SECURITY.md

@@ -315,31 +315,35 @@ pull = always
   ```
 
 ### A10:2021 - Server-Side Request Forgery (SSRF)
-**Protection**: URL validation and network restrictions
+**Protection**: Trust-the-config model with optional host whitelist
 
-- ✅ **SSRF Prevention** ([config/sanitizer.go](../config/sanitizer.go)):
-  ```go
-  // Blocked targets
-  localhost, 127.0.0.1, 0.0.0.0
-  192.168.x.x, 10.x.x.x, 172.16-31.x.x
-  *.local
+Ofelia follows a **trust-the-config** security model for webhooks: since users can already run arbitrary commands via local/exec jobs, the same trust level applies to webhook destinations. **All hosts are allowed by default.**
 
-  // Only http:// and https:// allowed
-  err := sanitizer.ValidateURL("https://api.example.com/webhook")
-  ```
+- ✅ **Trust Model** ([middlewares/webhook_security.go](../middlewares/webhook_security.go)):
+  - If you control the configuration, you control the behavior
+  - Same trust level as local command execution
+  - Default: `webhook-allowed-hosts = *` (allow all hosts)
 
-- ✅ **Network Isolation**:
-  - Docker network segmentation
-  - Container-to-container restrictions
-  - Egress filtering (optional)
+- ✅ **URL Validation**:
+  - Only `http://` and `https://` schemes allowed
+  - URL must have a valid hostname
 
-**Configuration**:
+- ✅ **Optional Whitelist Mode** (for multi-tenant/cloud deployments):
+  - Set specific hosts to enable whitelist mode
+  - Supports wildcards: `*.example.com`
+
+**Default** (self-hosted/trusted environments):
 ```ini
-# Restrict container networking
-network = isolated_network
+[global]
+# All hosts allowed by default (no config needed)
+# webhook-allowed-hosts = *
+```
 
-# Disable direct internet access
-dns = 10.0.0.1  # Internal DNS only
+**Whitelist Mode** (for cloud/multi-tenant deployments):
+```ini
+[global]
+# Only allow specific hosts
+webhook-allowed-hosts = hooks.slack.com, discord.com, ntfy.internal, 192.168.1.20
 ```
 
 ## Authentication & Authorization
@@ -482,7 +486,7 @@ if validator.HasErrors() {
 | Shell Injection | Command validation | `; & \| < >`, `&&`, `\|\|`, `$()`, `` ` `` |
 | Path Traversal | Path sanitization | `../`, `..\\`, `%2e%2e`, `~` |
 | XSS | HTML escaping | `<`, `>`, `&`, `"`, `'` |
-| SSRF | URL validation | `localhost`, `127.0.0.1`, private IPs |
+| SSRF | URL validation + optional whitelist | Scheme validation, optional host whitelist |
 | LDAP Injection | Character filtering | `( ) * \| & !` |
 
 **Usage Examples**:
@@ -505,7 +509,7 @@ err := sanitizer.ValidateDockerImage("nginx:1.21-alpine")
 // Environment variable validation
 err := sanitizer.ValidateEnvironmentVar("MY_VAR", "value123")
 
-// URL validation (SSRF prevention)
+// URL validation (scheme and format)
 err := sanitizer.ValidateURL("https://api.example.com/webhook")
 ```
 

docs/webhooks.md

@@ -365,22 +365,58 @@ body: |
 
 ## Security
 
-### SSRF Protection
+### Security Model
 
-Ofelia includes Server-Side Request Forgery (SSRF) protection that blocks webhooks to:
+Ofelia's webhook security follows the same trust model as local command execution: **if you control the configuration, you control the behavior**. Since Ofelia already trusts users to run arbitrary commands on the host or in containers, it applies the same trust level to webhook destinations.
 
-- Localhost and loopback addresses (`127.0.0.1`, `::1`, `localhost`)
-- Private networks (`10.x.x.x`, `172.16-31.x.x`, `192.168.x.x`)
-- Link-local addresses (`169.254.x.x`)
-- Cloud metadata endpoints (`169.254.169.254`, `metadata.google.internal`)
-- Internal hostnames (`.local`, `.internal`, `.corp`)
+### Host Whitelist
+
+The `webhook-allowed-hosts` setting controls which hosts webhooks can target:
+
+| Value | Behavior |
+|-------|----------|
+| `*` (default) | Allow all hosts - webhooks can target any URL |
+| Specific hosts | Whitelist mode - only listed hosts are allowed |
+
+#### Default: Allow All Hosts
+
+```ini
+[global]
+; Default behavior - all hosts allowed (no config needed)
+webhook-allowed-hosts = *
+```
+
+Webhooks can target any host including `192.168.x.x`, `10.x.x.x`, `localhost`, etc.
+
+#### Whitelist Mode
+
+For multi-tenant or cloud deployments, restrict webhooks to specific hosts:
+
+```ini
+[global]
+webhook-allowed-hosts = hooks.slack.com, discord.com, ntfy.sh, 192.168.1.20
+```
+
+Only the listed hosts can receive webhooks. Supports domain wildcards:
+
+```ini
+[global]
+webhook-allowed-hosts = *.slack.com, *.internal.example.com
+```
+
+#### Configuration Reference
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `webhook-allowed-hosts` | string | `*` | Host whitelist. `*` = allow all, specific list = whitelist mode. Supports domain wildcards (`*.example.com`) |
 
 ### Best Practices
 
 1. **Keep secrets secure**: Use environment variables or secret management for webhook credentials
 2. **Use HTTPS**: Always use HTTPS URLs for production webhooks
 3. **Limit remote presets**: Keep `webhook-allow-remote-presets = false` unless necessary
 4. **Audit presets**: Review remote preset sources before enabling them
+5. **Use whitelist in cloud**: Set `webhook-allowed-hosts` to specific hosts for multi-tenant deployments
 
 ## Migration from Slack Middleware
 
@@ -441,10 +477,20 @@ retry-count = 5
 retry-delay = 10s
 ```
 
-### SSRF blocked
+### Host not allowed (whitelist mode)
+
+If you've configured `webhook-allowed-hosts` with specific hosts and get "host not in allowed hosts list":
+
+1. **Add the host to the whitelist**:
+   ```ini
+   [global]
+   webhook-allowed-hosts = hooks.slack.com, 192.168.1.20, ntfy.local
+   ```
 
-If you need to send webhooks to internal services, consider:
+2. **Allow all hosts** (default behavior):
+   ```ini
+   [global]
+   webhook-allowed-hosts = *
+   ```
 
-1. Using a webhook relay service
-2. Running Ofelia with custom SSRF allowlists (requires code modification)
-3. Setting up a proxy that forwards to internal services
+See the [Host Whitelist](#host-whitelist) section for details.

middlewares/webhook.go

@@ -296,6 +296,11 @@ func NewWebhookManager(globalConfig *WebhookGlobalConfig) *WebhookManager {
 		globalConfig = DefaultWebhookGlobalConfig()
 	}
 
+	// Configure global security settings based on the webhook global config
+	// This affects URL validation and DNS rebinding protection
+	securityConfig := SecurityConfigFromGlobal(globalConfig)
+	SetGlobalSecurityConfig(securityConfig)
+
 	return &WebhookManager{
 		webhooks:     make(map[string]*WebhookConfig),
 		presetLoader: NewPresetLoader(globalConfig),

middlewares/webhook_config.go

@@ -75,6 +75,12 @@ type WebhookGlobalConfig struct {
 
 	// PresetCacheDir is the directory for caching remote presets
 	PresetCacheDir string `gcfg:"preset-cache-dir" mapstructure:"preset-cache-dir"`
+
+	// AllowedHosts controls which hosts webhooks can target.
+	// Default: "*" (allow all hosts) - consistent with local command execution trust model
+	// Set to specific hosts for whitelist mode: "hooks.slack.com, ntfy.internal, 192.168.1.20"
+	// Supports wildcards: "*.example.com"
+	AllowedHosts string `gcfg:"allowed-hosts" mapstructure:"allowed-hosts"`
 }
 
 // WebhookData is the data structure passed to webhook templates
@@ -141,6 +147,7 @@ func DefaultWebhookGlobalConfig() *WebhookGlobalConfig {
 		TrustedPresetSources: "",
 		PresetCacheTTL:       24 * time.Hour,
 		PresetCacheDir:       cacheDir,
+		AllowedHosts:         "*", // Default: allow all hosts (consistent with local command trust model)
 	}
 }