fix(api): use WebhookUrlValidator in webhook creation handler

ericfitz · claude · ericfitz · commit 688ab3c75208 · 2026-03-27T19:27:52.000-04:00
Replace inline case-sensitive string prefix checks with the proper
WebhookUrlValidator, which handles case-insensitive schemes, hostname
validation, and deny list checks. Also remove unused methods
calculateCount, loadThreatMetadata, and toGormModel.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.version b/.version
@@ -1,6 +1,6 @@
 {
   "major": 1,
   "minor": 3,
-  "patch": 1,
+  "patch": 2,
   "prerelease": ""
 }
diff --git a/api/database_store_gorm.go b/api/database_store_gorm.go
@@ -576,13 +576,6 @@ func (s *GormThreatModelStore) ListWithCounts(offset, limit int, filter func(Thr
 	return results, total
 }
 
-// calculateCount counts records in a table for a threat model using GORM
-func (s *GormThreatModelStore) calculateCount(tableName, threatModelID string) int {
-	var count int64
-	s.db.Table(tableName).Where("threat_model_id = ? AND deleted_at IS NULL", threatModelID).Count(&count)
-	return int(count)
-}
-
 // entityCounts holds pre-fetched counts for all sub-resources of a threat model.
 type entityCounts struct {
 	DocumentCount int
@@ -1217,25 +1210,6 @@ func (s *GormThreatModelStore) loadThreats(threatModelID string) ([]Threat, erro
 	return threats, nil
 }
 
-// loadThreatMetadata loads metadata for a threat using GORM
-func (s *GormThreatModelStore) loadThreatMetadata(threatID string) ([]Metadata, error) {
-	var metadataEntries []models.Metadata
-	result := s.db.Where("entity_type = ? AND entity_id = ?", "threat", threatID).Order("key ASC").Find(&metadataEntries)
-	if result.Error != nil {
-		return nil, result.Error
-	}
-
-	var metadata []Metadata
-	for _, entry := range metadataEntries {
-		metadata = append(metadata, Metadata{
-			Key:   entry.Key,
-			Value: entry.Value,
-		})
-	}
-
-	return metadata, nil
-}
-
 // batchLoadThreatMetadata loads metadata for multiple threats in a single query.
 func (s *GormThreatModelStore) batchLoadThreatMetadata(threatIDs []string) map[string][]Metadata {
 	result := make(map[string][]Metadata, len(threatIDs))
diff --git a/api/threat_store_gorm.go b/api/threat_store_gorm.go
@@ -1037,19 +1037,6 @@ func (s *GormThreatStore) toGormModelForCreate(threat *Threat) *models.Threat {
 	return gm
 }
 
-// toGormModel converts an API Threat to a GORM model for UPDATE operations.
-// This version sets timestamps from the API model for updates.
-func (s *GormThreatStore) toGormModel(threat *Threat) *models.Threat {
-	gm := s.toGormModelForCreate(threat)
-	if threat.CreatedAt != nil {
-		gm.CreatedAt = *threat.CreatedAt
-	}
-	if threat.ModifiedAt != nil {
-		gm.ModifiedAt = *threat.ModifiedAt
-	}
-	return gm
-}
-
 // toAPIModel converts a GORM Threat model to an API model
 func (s *GormThreatStore) toAPIModel(gm *models.Threat) *Threat {
 	mitigatedBool := gm.Mitigated.Bool()
diff --git a/api/version.go b/api/version.go
@@ -50,7 +50,7 @@ var (
 	// Minor version number
 	VersionMinor = "3"
 	// Patch version number
-	VersionPatch = "1"
+	VersionPatch = "2"
 	// VersionPreRelease is the pre-release label (e.g., "rc.0", "beta.1"), empty for stable releases
 	VersionPreRelease = ""
 	// GitCommit is the git commit hash from build
diff --git a/api/webhook_handlers.go b/api/webhook_handlers.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
-	"strings"
 	"time"
 
 	"github.com/ericfitz/tmi/internal/slogging"
@@ -151,12 +150,11 @@ func (s *Server) CreateWebhookSubscription(c *gin.Context) {
 		return
 	}
 
-	// Validate URL scheme
-	if !strings.HasPrefix(input.Url, "https://") {
-		if !s.allowHTTPWebhooks || !strings.HasPrefix(input.Url, "http://") {
-			c.JSON(http.StatusBadRequest, Error{Error: "webhook URL must use HTTPS"})
-			return
-		}
+	// Validate webhook URL (scheme, hostname, deny list)
+	urlValidator := NewWebhookUrlValidatorWithHTTP(GlobalWebhookUrlDenyListStore, s.allowHTTPWebhooks)
+	if err := urlValidator.ValidateWebhookURL(input.Url); err != nil {
+		c.JSON(http.StatusBadRequest, Error{Error: fmt.Sprintf("invalid webhook URL: %s", err.Error())})
+		return
 	}
 
 	// Generate secret if not provided
diff --git a/api/webhook_handlers_test.go b/api/webhook_handlers_test.go
@@ -690,11 +690,14 @@ func TestCreateWebhookSubscription(t *testing.T) {
 	origSubStore := GlobalWebhookSubscriptionStore
 	origQuotaStore := GlobalWebhookQuotaStore
 	origAdminStore := GlobalGroupMemberStore
+	origDenyListStore := GlobalWebhookUrlDenyListStore
 	defer func() {
 		GlobalWebhookSubscriptionStore = origSubStore
 		GlobalWebhookQuotaStore = origQuotaStore
 		GlobalGroupMemberStore = origAdminStore
+		GlobalWebhookUrlDenyListStore = origDenyListStore
 	}()
+	GlobalWebhookUrlDenyListStore = &mockDenyListStore{entries: []WebhookUrlDenyListEntry{}}
 
 	t.Run("Success_AdminCanCreate", func(t *testing.T) {
 		mockSubStore := newMockWebhookSubscriptionStore()

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"major": 1,`
`3`	`3`	`"minor": 3,`
`4`		`- "patch": 1,`
	`4`	`+ "patch": 2,`
`5`	`5`	`"prerelease": ""`
`6`	`6`	`}`