Invalid/Irregular sanitization of webhook URL protocols #385

reneroth · 2025-01-03T11:07:19Z

Analysis

The SwitchBot backend seems to sanitize the protocol on registered webhook URLs irregularily. This might be indicative of a deeper issue, maybe security relevant.

Expected Behavior

Protocol should always or never be taken into account for webhooks.

Steps To Reproduce

register a webhook with https https://example.org/webhook
try registering another webhook without https http://example.org/webhook -> error message webhook is exist
attempt deletion of existing https webhook but using the http url http://example.org/webhook -> gives a success message
attempt registering http://example.org/webhook again -> failure, because 3) did not actually delete the webhook, even though it gave a success message
delete https://example.org/webhook
you are now able to register http://example.org/webhook

This means the system is only SOMETIMES treating http://example.org/webhook and https://example.org/webhook as the same URL.

Logs

n/a

Configuration

n/a

Environment

REST api

Additional Context

No response

The text was updated successfully, but these errors were encountered:

reneroth added the bug Something isn't working label Jan 3, 2025

reneroth assigned chenliuyun, donavanbecker, Minsheng, SwitchBot and SwitchBot-Wonderlabs Jan 3, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Invalid/Irregular sanitization of webhook URL protocols #385

Invalid/Irregular sanitization of webhook URL protocols #385

reneroth commented Jan 3, 2025

Invalid/Irregular sanitization of webhook URL protocols #385

Invalid/Irregular sanitization of webhook URL protocols #385

Comments

reneroth commented Jan 3, 2025

Analysis

Expected Behavior

Steps To Reproduce

Logs

Configuration

Environment

Additional Context