Filter uncanny-automator

automator_send_webhook_blocked_webhook_hosts

Filter to add additional blocked hostnames. Note: default blocked hosts cannot be removed, for security. Filters the list of extra blocked hostnames before a webhook is sent, allowing for custom security restrictions.

add_filter( 'automator_send_webhook_blocked_webhook_hosts', $callback, 10, 2 );

Description

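Allows developers to dynamically add more webhook hostnames to the blocked list when sending webhooks. This filter fires before a webhook is sent and is passed the current hostname. Note that the default blocked hosts are hardcoded for security and cannot be removed via this filter. Entries are compared with the lowercased destination host by exact string match, so add them in lowercase; there is no wildcard or subdomain matching.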


Usage

add_filter( 'automator_send_webhook_blocked_webhook_hosts', 'your_function_name', 10, 2 );

Parameters

$additional_blocked_hosts (array)
Array of additional hostnames to block
$host (string)
The current hostname being checked

Return Value

array


Examples

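/**
 * Add development and staging hosts to the webhook blocklist.
 *
 * Hooked on 'automator_send_webhook_blocked_webhook_hosts'. Entries returned
 * here are added to the plugin's built-in blocked hosts; they cannot remove
 * any of them.
 *
 * The validator shown under "Source Code" lowercases the destination host and
 * compares it with each entry using a strict, exact string match. Entries are
 * therefore normalised to lowercase here, and an entry only blocks that exact
 * hostname (no wildcard or subdomain matching).
 *
 * @param array  $additional_blocked_hosts Hostnames added so far by other callbacks.
 * @param string $host                     The current hostname being checked.
 *
 * @return array The updated list of additional blocked hostnames.
 */
function my_custom_automator_block_webhook_hosts( $additional_blocked_hosts, $host ) {
    // Development or staging hosts that should not receive webhooks.
    $my_dev_hosts = array(
        'local.dev',
        'staging.mywebsite.com',
        // Example of an IP literal. The validator shown below also rejects
        // private-range addresses on its own, so this entry is belt-and-braces.
        '192.168.1.100',
    );

    // Another callback on this hook may have returned something other than an
    // array; cast it so array_merge() cannot fail on it.
    $merged = array_merge( (array) $additional_blocked_hosts, $my_dev_hosts );

    // Only strings can ever match the (string) host, and the match is
    // case-sensitive against a lowercased host, so drop non-strings and
    // lowercase the rest.
    $normalized = array_map( 'strtolower', array_filter( $merged, 'is_string' ) );

    // array_merge() does not remove duplicates; array_unique() does.
    // array_values() restores a plain 0..n-1 list afterwards.
    return array_values( array_unique( $normalized ) );
}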
// Priority 10; accepted-args 2 so the callback receives both the host list and the current $host.
add_filter( 'automator_send_webhook_blocked_webhook_hosts', 'my_custom_automator_block_webhook_hosts', 10, 2 );

Placement

This code should be placed in the functions.php file of your active theme, in a custom plugin, or added through a code snippets plugin.


Source Code

src/core/lib/webhooks/class-automator-send-webhook.php:952

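/**
 * Decide whether a URL is acceptable as an outbound webhook destination.
 *
 * Checks, in order: URL format via wp_http_validate_url(), presence of a host,
 * an exact-match hostname blocklist (built-in entries plus any added through
 * the 'automator_send_webhook_blocked_webhook_hosts' filter), successful
 * resolution to an address, and that the address is not link-local, private
 * or reserved. Any failed check rejects the URL.
 *
 * Limits worth knowing when relying on this as a request-forgery guard:
 * - The address checked is the result of a single lookup made here. Nothing in
 *   this method pins that address for the later HTTP request, so the sender
 *   should not assume the request reaches the address validated here.
 *   NOTE(review): confirm how the sending code handles re-resolution and redirects.
 * - gethostbyname() returns an IPv4 address only, so a host without an IPv4
 *   record fails the resolution check and is rejected.
 *
 * @param string $url The webhook URL to check.
 * @return bool True when the URL passed every check, false otherwise.
 */
public static function validate_webhook_url( $url ) {
		// First validate the URL format and protocol
		if ( ! wp_http_validate_url( $url ) ) {
			return false;
		}

		// Parse the URL for host; lowercase it so blocklist comparison is case-insensitive on this side
		$parsed_url = wp_parse_url( $url );
		$host       = isset( $parsed_url['host'] ) ? strtolower( $parsed_url['host'] ) : '';
		if ( empty( $host ) ) {
			return false;
		}

		// Block localhost and common internal hostnames.
		// These are exact matches only: a name that merely ends in one of them
		// is not caught here and is left to the address checks further down.
		$default_blocked_hosts = array(
			'localhost',
			'127.0.0.1',
			'::1',
			'internal',
			'local',
			'[::1]', // IPv6 localhost in brackets
		);

		/**
		 * Filter to add additional blocked hostnames
		 * Note: Default blocked hosts cannot be removed for security
		 *
		 * @param array $additional_blocked_hosts Array of additional hostnames to block
		 * @param string $host The current hostname being checked
		 * @return array
		 */
		$additional_blocked_hosts = apply_filters(
			'automator_send_webhook_blocked_webhook_hosts',
			array(),
			$host
		);

		// $host is lowercased and compared strictly below, so a filter entry in
		// mixed case would silently never match. Normalise the filter output:
		// keep strings only and lowercase them.
		$additional_blocked_hosts = array_values(
			array_map(
				'strtolower',
				array_filter( (array) $additional_blocked_hosts, 'is_string' )
			)
		);

		// Merge default and additional blocked hosts, ensuring defaults cannot be removed
		$blocked_hosts = array_merge( $default_blocked_hosts, $additional_blocked_hosts );
		if ( in_array( $host, $blocked_hosts, true ) ) {
			return false;
		}

		// Resolve hostname to IP
		$ip = gethostbyname( $host );
		// gethostbyname() returns the hostname unchanged on failure.
		// NOTE(review): an IPv4 literal also comes back unchanged, so a URL whose
		// host is already an IP address is rejected here as well - confirm this
		// is intended.
		if ( $ip === $host ) {
			return false;
		}

		// Block AWS metadata endpoint and link-local addresses
		// (the prefix test already covers 169.254.169.254; the explicit value documents intent)
		if ( '169.254.169.254' === $ip || 0 === strpos( $ip, '169.254.' ) ) {
			return false;
		}

		// Block private and reserved IP ranges
		if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) === false ) {
			return false;
		}

		return true;
	}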
