
Invalid/Irregular sanitization of webhook URL protocols

Open reneroth opened this issue 1 year ago • 0 comments

Analysis

The SwitchBot backend seems to sanitize the protocol on registered webhook URLs irregularly. This might be indicative of a deeper issue, maybe security-relevant.

Expected Behavior

Protocol should always or never be taken into account for webhooks.

Steps To Reproduce

  1. register a webhook with https https://example.org/webhook
  2. try registering another webhook without https http://example.org/webhook -> error message webhook is exist
  3. attempt deletion of existing https webhook but using the http url http://example.org/webhook -> gives a success message
  4. attempt registering http://example.org/webhook again -> failure, because 3) did not actually delete the webhook, even though it gave a success message
  5. delete https://example.org/webhook
  6. you are now able to register http://example.org/webhook

This means the system is only SOMETIMES treating http://example.org/webhook and https://example.org/webhook as the same URL.

Logs

n/a

Configuration

n/a

Environment

REST API

Additional Context

No response

reneroth, Jan 03 '25 11:01
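The six steps in the report, replayed against an in-memory model as an added example (not code from the issue or from SwitchBot). The `Registry` class, its key functions and the `strict_delete` flag are hypothetical: the "reported" configuration is one possible explanation that reproduces the described results, and the other two show the "never" and "always" behaviours the report expects.

```python
from urllib.parse import urlsplit

HTTPS = "https://example.org/webhook"
HTTP = "http://example.org/webhook"

def scheme_blind(url):
    """Comparison key that ignores the protocol."""
    p = urlsplit(url)
    return (p.netloc.lower(), p.path or "/")

def exact(url):
    """Comparison key that keeps the protocol."""
    return (urlsplit(url).scheme.lower(),) + scheme_blind(url)

class Registry:
    """Hypothetical in-memory store; the real backend's internals are unknown."""
    def __init__(self, dup_key, delete_key, strict_delete):
        self.dup_key, self.delete_key = dup_key, delete_key
        self.strict_delete = strict_delete
        self.urls = []

    def register(self, url):
        if any(self.dup_key(u) == self.dup_key(url) for u in self.urls):
            return "exists"
        self.urls.append(url)
        return "ok"

    def delete(self, url):
        hits = [u for u in self.urls if self.delete_key(u) == self.delete_key(url)]
        self.urls = [u for u in self.urls if u not in hits]
        # A non-strict delete reports success even when nothing matched.
        return "not_found" if self.strict_delete and not hits else "ok"

def replay(reg):
    """Run steps 1-6 of the report and record (operation, url, result)."""
    steps = [("register", HTTPS), ("register", HTTP), ("delete", HTTP),
             ("register", HTTP), ("delete", HTTPS), ("register", HTTP)]
    return [(op, url, getattr(reg, op)(url)) for op, url in steps]

def false_deletes(trace):
    """Indexes where delete(url) said ok but re-registering url still says exists."""
    return [i for i in range(len(trace) - 1)
            if trace[i] == ("delete", trace[i][1], "ok")
            and trace[i + 1] == ("register", trace[i][1], "exists")]

reported = replay(Registry(scheme_blind, exact, strict_delete=False))
never = replay(Registry(scheme_blind, scheme_blind, strict_delete=True))
always = replay(Registry(exact, exact, strict_delete=True))
print(false_deletes(reported), false_deletes(never), false_deletes(always))
```

Only the mixed configuration flags step 3 (index 2) as a delete that reported success without removing anything; using one key function for both the duplicate check and the delete removes the discrepancy.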