From 37fdd088d6db99b2ed6f3bbf6cf47f2caf6858dc Mon Sep 17 00:00:00 2001
From: kolaente
Date: Thu, 19 Mar 2026 12:31:29 +0100
Subject: [PATCH] feat(config): add webhooks.allownonroutableips setting
---
 config-raw.json | 5 +++++
 pkg/config/config.go | 10 ++++++----
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/config-raw.json b/config-raw.json
index 9682f38a4..721bb1a3f 100644
--- a/config-raw.json
+++ b/config-raw.json
@@ -974,6 +974,11 @@
 "key": "proxypassword",
 "default_value": "",
 "comment": "The proxy password to use when authenticating against the proxy."
+ },
+ {
+ "key": "allownonroutableips",
+ "default_value": "false",
+ "comment": "If set to true, webhook target URLs may resolve to non-globally-routable IP addresses (private networks, loopback, link-local, etc). When false (the default), Vikunja blocks outgoing webhook requests to these addresses to prevent SSRF attacks. Set this to true if you need webhooks to reach services on your internal network."
 }
 ]
 },
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 06c032e8d..12bccaf3b 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -211,10 +211,11 @@ const (
 DefaultSettingsTimezone Key = `defaultsettings.timezone`
 DefaultSettingsOverdueTaskRemindersTime Key = `defaultsettings.overdue_tasks_reminders_time`
- WebhooksEnabled Key = `webhooks.enabled`
- WebhooksTimeoutSeconds Key = `webhooks.timeoutseconds`
- WebhooksProxyURL Key = `webhooks.proxyurl`
- WebhooksProxyPassword Key = `webhooks.proxypassword`
+ WebhooksEnabled Key = `webhooks.enabled`
+ WebhooksTimeoutSeconds Key = `webhooks.timeoutseconds`
+ WebhooksProxyURL Key = `webhooks.proxyurl`
+ WebhooksProxyPassword Key = `webhooks.proxypassword`
+ WebhooksAllowNonRoutableIPs Key = `webhooks.allownonroutableips`
 AutoTLSEnabled Key = `autotls.enabled`
 AutoTLSEmail Key = `autotls.email`
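Review bot: The `allownonroutableips` comment in config-raw.json does not say that the switch is all-or-nothing: a single boolean lifts the block for private, loopback and link-local ranges together, so an operator who needs one internal target opens all of them. I would append a sentence such as `Enabling this lets anyone who can configure a webhook make Vikunja send requests to internal services, including loopback and link-local addresses; only enable it when all such users are trusted.` The `default_value` of `"false"` here and `WebhooksAllowNonRoutableIPs.setDefault(false)` in pkg/config/config.go are two copies of the same default and have to be kept in step.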
@@ -466,6 +467,7 @@ func InitDefaultConfig() {
 // Webhook
 WebhooksEnabled.setDefault(true)
 WebhooksTimeoutSeconds.setDefault(30)
+ WebhooksAllowNonRoutableIPs.setDefault(false)
 // AutoTLS
 AutoTLSRenewBefore.setDefault("720h") // 30days in hours
 // Plugins
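Review bot: The added `WebhooksAllowNonRoutableIPs.setDefault(false)` carries no comment marking `false` as the fail-closed choice, so a later edit could flip it without noticing the SSRF impact. I would put `// Fail closed: webhook targets resolving to private, loopback or link-local addresses stay blocked unless the operator opts in.` directly above it. Nothing in this patch reads the key, so the enforcement presumably lives in another change. There it is worth confirming that the check is applied to the address actually dialed (after DNS resolution and on every redirect) and that its behaviour with `webhooks.proxyurl` set is defined. The body of InitDefaultConfig continues outside the hunk.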