
[Security][High] Bridge webhook HMAC verification skipped when encryption key is nil — POST /internal/webhooks/bridge/{sandboxID} #32

@bahdcoder

Description

Vulnerability

In the Bridge webhook handler, HMAC signature verification is gated on a nil check of the encryption key field. When the encryption key is nil (due to misconfiguration, feature flag disabled, or specific deployment modes), the entire HMAC verification block is skipped, and the webhook payload is processed as if it were authentic.

Impact

  • An attacker can POST arbitrary webhook events to /internal/webhooks/bridge/{sandboxID} and they will be processed as legitimate Bridge events.
  • Fake events can inject conversations, trigger conversation naming tasks, update conversation statuses (including marking conversations as ended or errored), and publish events to the SSE event bus.
  • The sandbox last_active_at timestamp is updated, potentially skewing monitoring and billing.
  • Any tenant's sandbox is affected — the sandboxID is a URL path parameter with no additional auth when HMAC is bypassed.

Endpoint

POST /internal/webhooks/bridge/{sandboxID} — the HMAC verification conditional allows the entire verification to be skipped.

Recommendation

Reject webhook requests with an explicit error when the encryption key is not configured, rather than silently skipping verification. A nil encryption key should be treated as a configuration error, not as an opt-out of security.
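The gating pattern described above next to a fail-closed version, as an added Go example that is not the project's code: the function, variable and error names are assumptions, and the fixed version also rejects an empty (not just nil) key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Hypothetical names; the issue does not show the handler's actual code.
var ErrKeyNotConfigured = errors.New("bridge webhook: encryption key not configured")
var ErrBadSignature = errors.New("bridge webhook: invalid signature")

// verifyVulnerable mirrors the reported pattern: with a nil key the whole
// verification block is skipped and any payload is accepted as authentic.
func verifyVulnerable(key, body []byte, sigHex string) error {
	if key != nil {
		if !validMAC(key, body, sigHex) {
			return ErrBadSignature
		}
	}
	return nil
}

// verifyFixed fails closed: a missing key is a configuration error.
func verifyFixed(key, body []byte, sigHex string) error {
	if len(key) == 0 {
		return ErrKeyNotConfigured
	}
	if !validMAC(key, body, sigHex) {
		return ErrBadSignature
	}
	return nil
}

// validMAC compares the supplied hex signature against HMAC-SHA256 of the body
// in constant time; a malformed hex string is treated as an invalid signature.
func validMAC(key, body []byte, sigHex string) bool {
	got, err := hex.DecodeString(sigHex)
	if err != nil {
		return false
	}
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return hmac.Equal(m.Sum(nil), got)
}

// sign produces the signature a legitimate sender would attach (test helper).
func sign(key, body []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return hex.EncodeToString(m.Sum(nil))
}

func main() {
	body := []byte(`{"event":"conversation.ended"}`) // constructed payload
	fmt.Println("nil key, vulnerable:", verifyVulnerable(nil, body, "00"))
	fmt.Println("nil key, fixed:", verifyFixed(nil, body, "00"))
}
```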

Metadata

Assignees: no one assigned

Labels: auth (Authentication vulnerability), security (Security vulnerability or concern), severity:high (High severity)

Development: no branches or pull requests