fix(security): scope webhook deploy path conflict to active webhooks

waleedlatif1 · claude · waleedlatif1 · commit 592e0484c8ee · 2026-05-30T14:48:12.000-07:00
findConflictingWebhookPathOwner omitted the isActive filter that the
runtime dispatcher (findAllWebhooksForPath) applies, so an inactive but
non-archived webhook from another workflow (e.g. after undeploy or
failure auto-disable) would permanently block any new deployment on that
path even though it never receives deliveries. Align the guard with the
runtime isActive + archivedAt filter; the earliest-owner runtime check
remains the authoritative cross-tenant protection. Also trims verbose
TSDoc on the webhook path-isolation helpers.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/lib/webhooks/deploy.ts b/apps/sim/lib/webhooks/deploy.ts
@@ -24,12 +24,12 @@ const logger = createLogger('DeployWebhookSync')
 const CREDENTIAL_SET_PREFIX = 'credentialSet:'
 
 /**
- * Returns the id of a workflow that already owns an active (non-archived)
- * webhook on the given path, when that workflow is different from the one being
- * deployed. Webhook paths are user-controlled and the database only enforces
- * uniqueness per deployment version, so without this guard two tenants could
- * register the same public path and a delivery to one would fan out to the
- * other. Returns `null` when the path is free or only used by this workflow.
+ * Returns the id of a different workflow that already owns an active webhook on
+ * the given path, or `null` if the path is free or owned by this workflow.
+ * Guards against cross-tenant path collisions, since paths are user-controlled
+ * and only unique per deployment version. Mirrors the runtime dispatcher's
+ * `isActive`/`archivedAt` filter so inactive (e.g. undeployed) webhooks — which
+ * never receive deliveries — don't permanently reserve a path.
  */
 async function findConflictingWebhookPathOwner(params: {
   path: string
@@ -40,7 +40,7 @@ async function findConflictingWebhookPathOwner(params: {
   const existing = await db
     .select({ workflowId: webhook.workflowId })
     .from(webhook)
-    .where(and(eq(webhook.path, path), isNull(webhook.archivedAt)))
+    .where(and(eq(webhook.path, path), eq(webhook.isActive, true), isNull(webhook.archivedAt)))
 
   const conflict = existing.find((row) => row.workflowId !== workflowId)
   return conflict ? conflict.workflowId : null
diff --git a/apps/sim/lib/webhooks/processor.ts b/apps/sim/lib/webhooks/processor.ts
@@ -305,17 +305,12 @@ async function findWebhookAndWorkflow(
 }
 
 /**
- * Find ALL webhooks matching a path.
+ * Finds all webhooks matching a path, scoped to a single workflow.
  *
- * Used for credential sets where multiple webhooks legitimately share the same
- * path. Legitimate fan-out is always scoped to a single workflow (credential
- * set sync only ever creates rows for one workflow), but webhook paths are
- * user-controlled and only unique per deployment version, so two different
- * workflows (tenants) can register the same public path. Dispatching a delivery
- * to webhooks across multiple workflows would let one tenant receive and process
- * another tenant's signed webhook payloads. To prevent that cross-tenant
- * collision we constrain the returned rows to the workflow that registered the
- * path first and drop any foreign rows.
+ * Legitimate fan-out (credential sets) is always within one workflow, but paths
+ * are user-controlled and only unique per deployment version, so two tenants can
+ * register the same path. On collision we keep only the workflow that registered
+ * the path first, so one tenant can never receive another's webhook deliveries.
  */
 export async function findAllWebhooksForPath(
   options: WebhookProcessorOptions
