From 5ae4c950db6aa516a31454b7a45b9480bca40a11 Mon Sep 17 00:00:00 2001
From: Enno Gelhaus <egelhaus@ennogelhaus.de>
Date: Sun, 29 Mar 2026 17:56:45 +0200
Subject: [PATCH] feat: secure /webhooks with IsSafeWebhookUrl

---
 libraries/nestjs-libraries/src/dtos/webhooks/webhooks.dto.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libraries/nestjs-libraries/src/dtos/webhooks/webhooks.dto.ts b/libraries/nestjs-libraries/src/dtos/webhooks/webhooks.dto.ts
index 47c7db72..c64f1751 100644
--- a/libraries/nestjs-libraries/src/dtos/webhooks/webhooks.dto.ts
+++ b/libraries/nestjs-libraries/src/dtos/webhooks/webhooks.dto.ts
@@ -18,6 +18,10 @@ export class WebhooksDto {
   @IsString()
   @IsUrl()
   @IsDefined()
+  @IsSafeWebhookUrl({
+    message:
+      'Webhook URL must be a public HTTPS URL and cannot point to internal network addresses',
+  })
   url: string;
 
   @Type(() => WebhooksIntegrationDto)