fix: restrict webhook endpoint to POST only (closes #20)
Add a method check at the top of HandleWebhook that returns 405 Method Not Allowed with an Allow: POST header for any non-POST request. This prevents GET, PUT, DELETE, etc. from being accepted at entrypoint URLs.
@@ -15,8 +15,15 @@ const (
|
|||||||
)
|
)
|
||||||
|
|
||||||
// HandleWebhook handles incoming webhook requests at entrypoint URLs.
|
// HandleWebhook handles incoming webhook requests at entrypoint URLs.
|
||||||
|
// Only POST requests are accepted; all other methods return 405 Method Not Allowed.
|
||||||
func (h *Handlers) HandleWebhook() http.HandlerFunc {
|
func (h *Handlers) HandleWebhook() http.HandlerFunc {
|
||||||
return func(w http.ResponseWriter, r *http.Request) {
|
return func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
if r.Method != http.MethodPost {
|
||||||
|
w.Header().Set("Allow", "POST")
|
||||||
|
http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
entrypointUUID := chi.URLParam(r, "uuid")
|
entrypointUUID := chi.URLParam(r, "uuid")
|
||||||
if entrypointUUID == "" {
|
if entrypointUUID == "" {
|
||||||
http.NotFound(w, r)
|
http.NotFound(w, r)
|
||||||
|
|||||||
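Review bot: The added guard hardcodes the reason phrase in `http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)`; `http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)` keeps the text derived from the status code, as the rest of net/http does. Placing the check ahead of the `chi.URLParam` lookup is the right order: a non-POST request gets 405 whether or not the UUID exists, so the method check cannot be used to distinguish valid entrypoints from invalid ones. The commit adds no test for the new branch; if the package has handler tests, a table case over GET, PUT and DELETE asserting the 405 status and the `Allow: POST` header would pin it. HandleWebhook's body continues past the end of the hunk.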
@@ -109,6 +109,8 @@ func (s *Server) SetupRoutes() {
|
|||||||
r.Post("/targets", s.h.HandleTargetCreate()) // Add target
|
r.Post("/targets", s.h.HandleTargetCreate()) // Add target
|
||||||
})
|
})
|
||||||
|
|
||||||
// Entrypoint endpoint - accepts incoming webhook POST requests
|
// Entrypoint endpoint — accepts incoming webhook POST requests only.
|
||||||
|
// Using HandleFunc so the handler itself can return 405 for non-POST
|
||||||
|
// methods (chi's Method routing returns 405 without Allow header).
|
||||||
s.router.HandleFunc("/webhook/{uuid}", s.h.HandleWebhook())
|
s.router.HandleFunc("/webhook/{uuid}", s.h.HandleWebhook())
|
||||||
}
|
}
|
||||||
|
|||||||
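Review bot: The new rationale comment `// methods (chi's Method routing returns 405 without Allow header).` states dependency behaviour that is tied to the chi version pinned in go.mod and may not hold after an upgrade, at which point the comment would justify a workaround that is no longer needed. Anchor the claim to something checkable, e.g. `// methods (chi's default MethodNotAllowed handler sets no Allow header as of chi <VERSION_FROM_GO_MOD>).`, or reference the issue instead: `// methods; see #20.` The issue number already appears in the commit title, so it is the more stable pointer for a future reader deciding whether the HandleFunc registration can go back to a method-specific route.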