Solved Issue: Critical Security Vulnerability - Unauthenticated Webhook Endpoints #174
Issue #167 Critical Security Vulnerability - Unauthenticated Webhook Endpoints
Webhook Endpoints Lack Authentication and Signature Verification. The generic webhook controller, which handles all user-defined webhooks for triggering workflows, is configured with `skipAuth: true`. This makes the endpoints public. Furthermore, there is no signature verification mechanism to validate the authenticity of incoming requests. The client sending the webhook must use the secret to create a signature. The controller must recalculate the signature on the server side and compare it to the one in the header. If the signature is missing or invalid, the request must be rejected.
Solution Implemented
This critical vulnerability has been comprehensively addressed through two key security enhancements. First, the insecure `skipAuth: true` configuration has been removed from `WEBHOOK_PARAMS` in `webhook-controller.ts` to eliminate public access to webhook endpoints. Second, a robust webhook signature verification system has been implemented, featuring a dedicated `webhook-secret.service.ts` for secret management and signature verification, `webhook-secret.model.ts` for shared type definitions, modifications to `webhook.service.ts` for proper webhook secret handling, and enhanced type definitions in `fastify.d.ts` to ensure comprehensive type safety across the entire webhook authentication system.

Security Changes

- `webhook-controller.ts`: Removed `skipAuth: true` configuration and implemented signature verification checks. Modified request handling to validate webhook signatures before processing.
- `webhook-secret.service.ts`: New service dedicated to managing webhook secrets and handling signature verification. Implements HMAC-SHA256 signature generation and timing-safe comparison to prevent timing attacks.
- `webhook-secret.model.ts`: New shared type definitions for webhook secrets and signatures, ensuring consistent typing across backend and frontend components.
- `webhook.service.ts`: Enhanced webhook service to integrate secret management and signature verification. Modified workflow trigger logic to require valid signatures.
- `fastify.d.ts`: Added TypeScript type definitions for webhook authentication and signature verification to ensure type safety and better developer experience when working with webhook security features.

This modular approach separates concerns between authentication, secret management, and request handling, making the security implementation both robust and maintainable.
The webhook endpoints now require valid signatures for all requests, using `HMAC-SHA256` for signature generation and timing-safe comparison for verification. Requests without valid signatures are rejected with 401 Unauthorized responses. This resolves a critical security vulnerability that could have led to unauthorized workflow executions and compromised the entire platform's security and integrity.
Fixes #167
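As an added illustration of the verification flow the PR describes (sender signs the raw body with the shared secret, receiver recomputes HMAC-SHA256 and compares in constant time, missing or invalid signatures get a 401), here is a self-contained TypeScript example. It is not code from this PR or from `webhook-secret.service.ts`; the header name `x-webhook-signature`, the hex encoding of the digest, the sample secret and body, and the minimal request/reply shapes standing in for the Fastify controller are all assumptions made for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed header name; the PR does not state which header carries the signature.
const SIGNATURE_HEADER = "x-webhook-signature";

// Constructed sample values, not taken from the project.
const SAMPLE_SECRET = "constructed-shared-secret";
const SAMPLE_BODY = '{"event":"order.created","orderId":42}';

// Sender side: HMAC-SHA256 over the exact raw body bytes, hex encoded.
// The receiver must hash the same raw bytes, not a re-serialised JSON object.
function signBody(secret: string, rawBody: string): string {
  return createHmac("sha256", secret).update(rawBody, "utf8").digest("hex");
}

interface VerifyResult {
  ok: boolean;
  reason: "valid" | "missing" | "malformed" | "mismatch";
}

// Receiver side: recompute the digest and compare with timingSafeEqual.
function verifySignature(
  secret: string,
  rawBody: string,
  headerValue: string | undefined,
): VerifyResult {
  if (!headerValue) return { ok: false, reason: "missing" };
  // A SHA-256 hex digest is exactly 64 hex characters. Rejecting other shapes
  // first keeps timingSafeEqual from throwing on buffers of unequal length;
  // the length check depends only on the attacker-supplied value, not the secret.
  if (!/^[0-9a-f]{64}$/i.test(headerValue)) return { ok: false, reason: "malformed" };
  const expected = Buffer.from(signBody(secret, rawBody), "hex");
  const provided = Buffer.from(headerValue.toLowerCase(), "hex");
  return timingSafeEqual(expected, provided)
    ? { ok: true, reason: "valid" }
    : { ok: false, reason: "mismatch" };
}

// Minimal stand-ins for the framework request/reply objects (assumed shapes).
interface WebhookRequest {
  headers: Record<string, string | undefined>;
  rawBody: string;
}
interface WebhookReply {
  statusCode: 200 | 401;
  body: { error?: string; triggered?: boolean };
}

// Controller logic: verify before doing any work, 401 on failure.
function handleWebhook(
  req: WebhookRequest,
  secret: string,
  triggerWorkflow: (rawBody: string) => void,
): WebhookReply {
  const result = verifySignature(secret, req.rawBody, req.headers[SIGNATURE_HEADER]);
  if (!result.ok) {
    return { statusCode: 401, body: { error: `invalid webhook signature (${result.reason})` } };
  }
  triggerWorkflow(req.rawBody);
  return { statusCode: 200, body: { triggered: true } };
}

// Runs the four cases a reviewer would want to see: valid, missing, tampered body, wrong secret.
function demo(): number[] {
  const triggered: string[] = [];
  const run = (headers: Record<string, string | undefined>, body: string, secret: string) =>
    handleWebhook({ headers, rawBody: body }, secret, (b) => triggered.push(b)).statusCode;
  const goodSig = signBody(SAMPLE_SECRET, SAMPLE_BODY);
  return [
    run({ [SIGNATURE_HEADER]: goodSig }, SAMPLE_BODY, SAMPLE_SECRET),          // 200
    run({}, SAMPLE_BODY, SAMPLE_SECRET),                                       // 401 missing
    run({ [SIGNATURE_HEADER]: goodSig }, SAMPLE_BODY + " ", SAMPLE_SECRET),    // 401 mismatch
    run({ [SIGNATURE_HEADER]: goodSig }, SAMPLE_BODY, "other-secret"),         // 401 mismatch
  ];
}

console.log(demo());
```

Two details matter in practice: the digest must be computed over the raw request body as received (Fastify parses JSON by default, so the controller needs access to the unparsed bytes), and the comparison must go through `timingSafeEqual` on equal-length buffers rather than `===` on strings, which is the timing leak the PR's timing-safe comparison closes.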