abiosoft / caddy-git

git middleware for Caddy

Home Page: http://caddyserver.com/docs/http.git

RFE: whitelisted blocks of IP addresses for webhooks should be configurable

jumanjiman opened this issue · comments

Current

Whitelisted IPs are hardcoded in the source, such as

// See: https://confluence.atlassian.com/bitbucket/manage-webhooks-735643732.html
var bitbucketIPBlocks = []string{
    "104.192.136.0/21",
    "34.198.203.127",
    "34.198.178.64",
    "34.198.32.85",
}

This makes sense and is user-friendly for people who use BitBucket hosted.

Request for enhancement

Add a config option hook_ips to allow a list of whitelisted IP blocks (single or CIDR block).
If the config option is not provided in config, the git plugin should use the default values (that are currently hardcoded).

Example of proposed config:

git {
  repo  <some_uri>
  path  <some_path>
  hook /my_hook
  hook_type bitbucket

  # override the default IP whitelist
  hook_ips 192.168.0.0/24, 10.0.1.1
}

Workaround

One current workaround for the requested behavior is to use hook_type generic since it does not have an IP whitelist.
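
A sketch of how the requested hook_ips handling could work, added here as an example; it is not caddy-git's code and not the change made in the PR mentioned below. The names parseHookIPs and allowed are hypothetical, and the sample value is the one from the proposed config above.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

var bitbucketIPBlocks = []string{"104.192.136.0/21", "34.198.203.127", "34.198.178.64", "34.198.32.85"} // defaults quoted in the issue

// parseHookIPs (hypothetical helper) parses a hook_ips value; a bad entry is an error, never skipped.
func parseHookIPs(spec string) (nets []*net.IPNet, err error) {
	entries := strings.FieldsFunc(spec, func(r rune) bool { return r == ',' || r == ' ' })
	if len(entries) == 0 {
		entries = bitbucketIPBlocks // option absent: keep the current behaviour
	}
	for _, e := range entries {
		if ip := net.ParseIP(e); ip != nil { // single address becomes a one-host block
			e = ip.String() + "/128"
			if ip.To4() != nil {
				e = ip.String() + "/32"
			}
		}
		_, n, err := net.ParseCIDR(e)
		if err != nil {
			return nil, fmt.Errorf("hook_ips: invalid entry %q: %v", e, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// allowed matches the TCP peer address (host:port), not a client-supplied header.
func allowed(remoteAddr string, nets []*net.IPNet) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	ip := net.ParseIP(host)
	if err != nil || ip == nil {
		return false
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(parseHookIPs("192.168.0.0/24, 10.0.1.1")) // value from the proposed config
}
```

Rejecting the whole value on one malformed entry means a typo stops the server at config load instead of leaving a shorter or wider list than the operator intended.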

The currently-hardcoded whitelist for Bitbucket addresses is out of date. We disabled the IP check for now as a workaround.

The current list of IP ranges for Atlassian can be found here: https://ip-ranges.atlassian.com/

But they also give other addresses to whitelist 🤔: https://confluence.atlassian.com/bitbucket/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall-343343385.html

@jumanjiman I submitted a PR to fix this, in #98.

Huge thanks for solving this 😀 👏 Works like magic now.