From f6dac1a2a1788696c3b2fa62d9f44179244f6289 Mon Sep 17 00:00:00 2001 From: Matt Corallo Date: Mon, 13 Apr 2026 02:33:01 +0000 Subject: [PATCH] Document that LSPS5 services should double-check the destination It would be easy to implement an LSPS5 service and forget that the webhook calls are going out based on a URI and headers provided by an untrusted client, so such implementations need to make sure to check if the destination is some internal resource before sending. Reported by Jordan Mecom of Block's Security Team --- lightning-liquidity/src/lsps5/event.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lightning-liquidity/src/lsps5/event.rs b/lightning-liquidity/src/lsps5/event.rs index 30e3aea5687..f6ad6e17b02 100644 --- a/lightning-liquidity/src/lsps5/event.rs +++ b/lightning-liquidity/src/lsps5/event.rs @@ -56,6 +56,9 @@ pub enum LSPS5ServiceEvent { /// /// This is the [`webhook URL`] provided by the client during registration. /// + /// Obviously as the URL provided here is untrusted you should check whether it would + /// access any internal or private resources and decline to send the request if it is. + /// /// [`webhook URL`]: super::msgs::LSPS5WebhookUrl url: LSPS5WebhookUrl, /// Notification method with its parameters.