From c5444a9437dbc490fd49090747663b1c61b893d4 Mon Sep 17 00:00:00 2001
From: sriramveeraghanta
Date: Thu, 5 Mar 2026 17:16:25 +0530
Subject: [PATCH] fix: ssrf webhook url for ip address
---
 apps/api/plane/app/serializers/webhook.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apps/api/plane/app/serializers/webhook.py b/apps/api/plane/app/serializers/webhook.py
index 7ec3dba5a5e..74ebde89205 100644
--- a/apps/api/plane/app/serializers/webhook.py
+++ b/apps/api/plane/app/serializers/webhook.py
@@ -38,7 +38,7 @@ def create(self, validated_data):
 for addr in ip_addresses:
 ip = ipaddress.ip_address(addr[4][0])
- if ip.is_loopback:
+ if ip.is_private or ip.is_loopback or ip.is_reserved or ip.is_link_local:
 raise serializers.ValidationError({"url": "URL resolves to a blocked IP address."})
 # Additional validation for multiple request domains and their subdomains
@@ -73,7 +73,7 @@ def update(self, instance, validated_data):
 for addr in ip_addresses:
 ip = ipaddress.ip_address(addr[4][0])
- if ip.is_loopback:
+ if ip.is_private or ip.is_loopback or ip.is_reserved or ip.is_link_local:
 raise serializers.ValidationError({"url": "URL resolves to a blocked IP address."})
 # Additional validation for multiple request domains and their subdomains
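Review bot: The widened condition in `create` still accepts addresses that are not publicly routable but fall outside these four flags, such as the 100.64.0.0/10 shared address space (where `is_private` is documented to be False) and multicast; the same line in the `update` hunk has the same gap. Testing for global routability instead of listing blocked classes is tighter: `if not ip.is_global or ip.is_multicast or ip.is_reserved:`. The check is also duplicated verbatim in both methods, so moving it into one shared helper would keep the two paths from drifting. This validation runs when the webhook is saved; if the delivery code, which is not visible here, resolves the hostname again, the resolved address should be re-checked at send time. Both method bodies continue outside the hunks.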