feat(config): add webhooks.allownonroutableips setting

config-raw.json

@@ -974,6 +974,11 @@
                     "key": "proxypassword",
                     "default_value": "",
                     "comment": "The proxy password to use when authenticating against the proxy."
+                },
+                {
+                    "key": "allownonroutableips",
+                    "default_value": "false",
+                    "comment": "If set to true, webhook target URLs may resolve to non-globally-routable IP addresses (private networks, loopback, link-local, etc). When false (the default), Vikunja blocks outgoing webhook requests to these addresses to prevent SSRF attacks. Set this to true if you need webhooks to reach services on your internal network."
                 }
             ]
         },

pkg/config/config.go

@@ -211,10 +211,11 @@ const (
 	DefaultSettingsTimezone                    Key = `defaultsettings.timezone`
 	DefaultSettingsOverdueTaskRemindersTime    Key = `defaultsettings.overdue_tasks_reminders_time`
 
-	WebhooksEnabled        Key = `webhooks.enabled`
-	WebhooksTimeoutSeconds Key = `webhooks.timeoutseconds`
-	WebhooksProxyURL       Key = `webhooks.proxyurl`
-	WebhooksProxyPassword  Key = `webhooks.proxypassword`
+	WebhooksEnabled             Key = `webhooks.enabled`
+	WebhooksTimeoutSeconds      Key = `webhooks.timeoutseconds`
+	WebhooksProxyURL            Key = `webhooks.proxyurl`
+	WebhooksProxyPassword       Key = `webhooks.proxypassword`
+	WebhooksAllowNonRoutableIPs Key = `webhooks.allownonroutableips`
 
 	AutoTLSEnabled     Key = `autotls.enabled`
 	AutoTLSEmail       Key = `autotls.email`
@@ -466,6 +467,7 @@ func InitDefaultConfig() {
 	// Webhook
 	WebhooksEnabled.setDefault(true)
 	WebhooksTimeoutSeconds.setDefault(30)
+	WebhooksAllowNonRoutableIPs.setDefault(false)
 	// AutoTLS
 	AutoTLSRenewBefore.setDefault("720h") // 30days in hours
 	// Plugins