Skip to content

fix: template webhooks fire (B1) + reject path traversal in import (B7)#63

Merged
ball42 merged 5 commits into
developfrom
fix/b1-template-webhooks
Jul 8, 2026
Merged

fix: template webhooks fire (B1) + reject path traversal in import (B7)#63
ball42 merged 5 commits into
developfrom
fix/b1-template-webhooks

Conversation

@ball42

@ball42 ball42 commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Fixes the flagship template-webhooks bug (internal ref J3 / B1) plus a path-traversal hardening (B7) found alongside it. Verified against the smoke harness added in #62.

B1 — template webhooks never fired

Enabled/imported template webhooks were registered without auth fields, so the receiver's validate_webhook compared missing keys against the "null" no-auth sentinel and always returned 401 — every template webhook silently never triggered. Root cause: template_view bypassed bin/data_store with private JSON helpers that omitted the auth-field shape.

  • Write-side: template_view now persists webhooks through bin/data_store.add_webhook with the canonical webhook_username/webhook_password/api_key shape (defaulting to the "null" no-auth sentinel, matching the automation handlers). The private _load_webhooks/_register_webhook helpers are removed.
  • Read-side: validate_webhook now defaults missing auth keys to "null", so an entry lacking them degrades to the documented open-webhook behavior instead of a silent 401. Previously-broken template webhooks self-heal on upgrade.
  • Script execution: template webhooks now store the absolute script path (matching the automation handlers), so the receiver's script execution actually runs them.

B7 — path traversal in template import

.jawa.json package import wrote the uploaded script to an unsanitized path. Import now rejects filenames containing path traversal (via secure_filename) before any file is written.

Tests

New tests/test_templates.py (enable→fire, import→triggerable, canonical shape, no-direct-IO guard, traversal rejection) and an added receiver test for the missing-key self-heal. Full suite green (65 passed, 2 xfailed), ruff clean.

Notes

  • Template webhooks are open (no-auth) by default in this release; authenticated-by-default templates are planned for a future release.
  • Targets develop for the batched v3.2 release.

@ball42 ball42 merged commit 81a5493 into develop Jul 8, 2026
2 checks passed
@ball42 ball42 deleted the fix/b1-template-webhooks branch July 8, 2026 14:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant