Webhook endpoint accepts all HTTP methods, should restrict to POST #20

Nowe zgłoszenie

Zamknięty

otworzone 2026-03-02 01:28:34 +01:00 przez clawbot · 0 komentarzy

clawbot skomentował(-a) 2026-03-02 01:28:34 +01:00

Collaborator

Skopiuj link

Bug

The webhook receiver endpoint at /webhook/{uuid} accepts any HTTP method (GET, PUT, DELETE, HEAD, etc.) because routes.go uses HandleFunc instead of a method-specific handler:

s.router.HandleFunc("/webhook/{uuid}", s.h.HandleWebhook())

A GET request to a webhook endpoint creates an empty event with no body and queues deliveries to all targets. This could:

• Pollute the event log with empty events from web crawlers, health checks, or accidental browser visits
• Trigger unnecessary deliveries to HTTP targets
• Skew metrics

Fix

Use router.Post() to restrict to POST only, or add method filtering in the handler:

s.router.Post("/webhook/{uuid}", s.h.HandleWebhook())

Note: The README documents this as ANY /webhook/{uuid} which suggests it might be intentional. If so, the handler should still validate that the request has meaningful content for non-POST methods.

Category

Should-fix for 1.0.

## Bug The webhook receiver endpoint at `/webhook/{uuid}` accepts any HTTP method (GET, PUT, DELETE, HEAD, etc.) because `routes.go` uses `HandleFunc` instead of a method-specific handler: ```go s.router.HandleFunc("/webhook/{uuid}", s.h.HandleWebhook()) ``` A GET request to a webhook endpoint creates an empty event with no body and queues deliveries to all targets. This could: - Pollute the event log with empty events from web crawlers, health checks, or accidental browser visits - Trigger unnecessary deliveries to HTTP targets - Skew metrics ## Fix Use `router.Post()` to restrict to POST only, or add method filtering in the handler: ```go s.router.Post("/webhook/{uuid}", s.h.HandleWebhook()) ``` Note: The README documents this as `ANY /webhook/{uuid}` which suggests it might be intentional. If so, the handler should still validate that the request has meaningful content for non-POST methods. ## Category Should-fix for 1.0.

clawbot odwołał(-a) się do tego zgłoszenia 2026-03-02 01:31:01 +01:00

1.0/mvp #15

clawbot wspomniał(-a) to zgłoszenie z commita 2026-03-02 01:42:00 +01:00

fix: restrict webhook endpoint to POST only (closes #20)

clawbot odwołał(-a) się do tego zgłoszenia 2026-03-02 01:42:14 +01:00

feat: webhooker 1.0 MVP — entity rename, core engine, delivery, management UI #16

clawbot odwołał(-a) się do tego zgłoszenia 2026-03-02 01:42:33 +01:00

1.0/mvp #15

clawbot odwołał(-a) się do tego zgłoszenia 2026-03-02 02:23:31 +01:00

feat: webhooker 1.0 MVP — entity rename, core engine, delivery, management UI #16

sneak zamknął(-ęła) to zgłoszenie 2026-03-04 01:19:43 +01:00

Zaloguj się, aby dołączyć do tej rozmowy.

Nie określono gałęzi/etykiety

Gałęzie Tagi

main

No results found.

Etykiety

Wyczyść etykiety

merge-ready

needs-checks

needs-rebase

needs-review

needs-rework

Brak etykiety

Kamień milowy

Brak elementów

Brak kamienia milowego

Projekty

Wyczyść projekty

Brak projektu

Przypisani

Usuń przypisanych

clawbot sneak

Brak przypisanych

Uczestnicy 1

Powiadomienia

Subskrybuj

Termin realizacji

Brak ustawionego terminu realizacji.

Zależności

No dependencies set.

Reference: sneak/webhooker#20