diff --git a/CyberCP/secMiddleware.py b/CyberCP/secMiddleware.py
index 038d6c4e3..c79eeb779 100644
--- a/CyberCP/secMiddleware.py
+++ b/CyberCP/secMiddleware.py
@@ -35,8 +35,12 @@ class secMiddleware:
 logging.writeToFile(f'Path vs the final url : {pathActual}')
 logging.writeToFile(FinalURL)
+ # Define webhook pattern for secure matching
+ import re
+ webhook_pattern = re.compile(r'^/websites/[^/]+/(webhook|gitNotify)/?$')
+
 if pathActual == "/backup/localInitiate" or pathActual == '/' or pathActual == '/verifyLogin' or pathActual == '/logout' or pathActual.startswith('/api')\
- or pathActual.endswith('/webhook') or pathActual.startswith('/cloudAPI') or pathActual.endswith('/gitNotify'):
+ or webhook_pattern.match(pathActual) or pathActual.startswith('/cloudAPI'):
 pass
 else:
 if os.path.exists(ProcessUtilities.debugPath):
@@ -102,6 +106,13 @@ class secMiddleware:
 logging.writeToFile('Request body detected.. scanning')
 logging.writeToFile(str(request.body))
+ # Skip validation entirely for webhook endpoints
+ # Webhook URLs are: /websites//webhook or /websites//gitNotify
+ # Use the same webhook pattern defined above
+ if webhook_pattern.match(pathActual):
+ response = self.get_response(request)
+ return response
+
 # logging.writeToFile(request.body)
 try:
 data = json.loads(request.body)
@@ -115,9 +126,6 @@ class secMiddleware:
 logging.writeToFile(f'Key being scanned {str(key)}')
 logging.writeToFile(f'Value being scanned {str(value)}')
- if pathActual.find('gitNotify') > -1 or pathActual.endswith('/webhook') or pathActual.endswith('/gitNotify'):
- break
-
 # Skip validation for ports key to allow port ranges with colons
 if key == 'ports':
 continue
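Review bot: `import re` and `re.compile(...)` sit inside the middleware body, so the import lookup and the compile run on every request; hoist them to a module-level constant, e.g. `WEBHOOK_PATTERN = re.compile(r'^/websites/[^/]+/(webhook|gitNotify)/?\Z')`, and reference it from both this hunk and the request-body hunk at @@ -102,6 +106,13 @@. The `$` anchor in the current pattern also matches before a trailing newline, so a path ending in a newline character would satisfy the webhook check; `\Z` (or `re.fullmatch`) makes the match exact. Because the collapsed diff has lost its indentation it is not visible whether this definition is unconditional in the method — if the preceding `writeToFile` calls are under a debug-only branch, `webhook_pattern` would be unbound at the later use, which the module-level constant likewise avoids. The enclosing method starts and ends outside the hunk.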
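Review bot: The new `return response` leaves the middleware before `json.loads(request.body)` and everything after it, so webhook requests now skip every remaining check in this method rather than only the per-key scan that the removed loop `break` used to bypass; confirm nothing later in the method (which continues outside the hunk) was meant to still apply to these paths. The full request body is still written to the log by `logging.writeToFile(str(request.body))` directly above the new branch, and webhook payloads commonly carry provider tokens, so consider placing the webhook short-circuit ahead of that logging call or redacting the body. The new comment reads `/websites//webhook` with an empty path segment — presumably a `<domain>` placeholder lost in rendering — and should spell out why these bodies are exempt (for instance, non-JSON provider payloads whose authenticity the view verifies itself, if that is the case) rather than restating the URL shape.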