Webhook endpoint accepts all HTTP methods, should restrict to POST #20

Closed
opened 2026-03-02 01:28:34 +01:00 by clawbot · 0 comments

## Bug

The webhook receiver endpoint at `/webhook/{uuid}` accepts any HTTP method (GET, PUT, DELETE, HEAD, etc.) because `routes.go` uses `HandleFunc` instead of a method-specific handler:

```go
s.router.HandleFunc("/webhook/{uuid}", s.h.HandleWebhook())
```

A GET request to a webhook endpoint creates an empty event with no body and queues deliveries to all targets. This could:

  • Pollute the event log with empty events from web crawlers, health checks, or accidental browser visits
  • Trigger unnecessary deliveries to HTTP targets
  • Skew metrics

## Fix

Use `router.Post()` to restrict to POST only, or add method filtering in the handler:

```go
s.router.Post("/webhook/{uuid}", s.h.HandleWebhook())
```

Note: The README documents this as `ANY /webhook/{uuid}` which suggests it might be intentional. If so, the handler should still validate that the request has meaningful content for non-POST methods.

## Category

Should-fix for 1.0.
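As an added illustration (not code from the webhooker project), the following Go program reproduces the reported behaviour on the standard-library `ServeMux` and shows the in-handler method filter the issue proposes as an alternative to `router.Post()`. The `handleWebhook` stub, the `eventsCreated` counter and the `/webhook/constructed-uuid` path are assumptions standing in for the real handler's event log and delivery queue.

```go
package main
import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync/atomic"
)

// eventsCreated stands in for the project's event log and delivery queue
// (assumption: a stub of HandleWebhook's observable effect, not the real code).
var eventsCreated int64
// handleWebhook mirrors the issue: any method creates an event; no method check.
func handleWebhook(w http.ResponseWriter, r *http.Request) {
	atomic.AddInt64(&eventsCreated, 1)
	fmt.Fprintf(w, "event queued for %s\n", strings.TrimPrefix(r.URL.Path, "/webhook/"))
}

// requirePOST is the in-handler filter the issue proposes as an alternative to
// router.Post(): non-POST requests get 405 + Allow and never create an event.
func requirePOST(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			w.Header().Set("Allow", http.MethodPost)
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next(w, r)
	}
}

// newMux wires the route; hardened=false reproduces the reported behaviour.
func newMux(hardened bool) *http.ServeMux {
	mux := http.NewServeMux()
	h := http.HandlerFunc(handleWebhook)
	if hardened {
		h = requirePOST(handleWebhook)
	}
	mux.Handle("/webhook/", h)
	return mux
}

// probe sends one request and returns the status plus events created by it.
func probe(mux *http.ServeMux, method string) (int, int64) {
	before := atomic.LoadInt64(&eventsCreated)
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest(method, "/webhook/constructed-uuid", nil))
	return rec.Code, atomic.LoadInt64(&eventsCreated) - before
}
```

With `newMux(false)` a bare GET returns 200 and creates an event, which is the crawler/health-check pollution the issue describes; with `newMux(true)` only POST reaches the handler.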

clawbot added the bot label 2026-03-02 01:28:34 +01:00
sneak closed this issue 2026-03-04 01:19:43 +01:00
Reference: sneak/webhooker#20