Hardening: require LINE webhook signatures (openclaw#44090)

vincentkoc · web-flow · commit 48cbfdfac088 · 2026-03-12T10:50:36.000-04:00
* LINE: require webhook signatures in express handler

* LINE: require webhook signatures in node handler

* LINE: update express signature tests

* LINE: update node signature tests

* Changelog: note LINE webhook hardening

* LINE: validate signatures before parsing webhook bodies

* LINE: reject missing signatures before body reads
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,7 @@ Docs: https://docs.openclaw.ai
 - Security/browser.request: block persistent browser profile create/delete routes from write-scoped `browser.request` so callers can no longer persist admin-only browser profile changes through the browser control surface. (`GHSA-vmhq-cqm9-6p7q`)(#43800) Thanks @tdjackey and @vincentkoc.
 - Security/agent: reject public spawned-run lineage fields and keep workspace inheritance on the internal spawned-session path so external `agent` callers can no longer override the gateway workspace boundary. (`GHSA-2rqg-gjgv-84jm`)(#43801) Thanks @tdjackey and @vincentkoc.
 - Security/exec allowlist: preserve POSIX case sensitivity and keep `?` within a single path segment so exact-looking allowlist patterns no longer overmatch executables across case or directory boundaries. (`GHSA-f8r2-vg7x-gh8m`)(#43798) Thanks @zpbrent and @vincentkoc.
+- Security/LINE webhook: require signatures for empty-event POST probes too so unsigned requests no longer confirm webhook reachability with a `200` response. (`GHSA-mhxh-9pjm-w7q5`)(#44090) Thanks @TerminalsandCoffee and @vincentkoc.
 
 ### Changes
 
diff --git a/src/line/webhook-node.test.ts b/src/line/webhook-node.test.ts
@@ -86,13 +86,26 @@ describe("createLineNodeWebhookHandler", () => {
     expect(res.body).toBeUndefined();
   });
 
-  it("returns 200 for verification request (empty events, no signature)", async () => {
+  it("rejects verification-shaped requests without a signature", async () => {
     const rawBody = JSON.stringify({ events: [] });
     const { bot, handler } = createPostWebhookTestHarness(rawBody);
 
     const { res, headers } = createRes();
     await handler({ method: "POST", headers: {} } as unknown as IncomingMessage, res);
 
+    expect(res.statusCode).toBe(400);
+    expect(headers["content-type"]).toBe("application/json");
+    expect(res.body).toBe(JSON.stringify({ error: "Missing X-Line-Signature header" }));
+    expect(bot.handleWebhook).not.toHaveBeenCalled();
+  });
+
+  it("accepts signed verification-shaped requests without dispatching events", async () => {
+    const rawBody = JSON.stringify({ events: [] });
+    const { bot, handler, secret } = createPostWebhookTestHarness(rawBody);
+
+    const { res, headers } = createRes();
+    await runSignedPost({ handler, rawBody, secret, res });
+
     expect(res.statusCode).toBe(200);
     expect(headers["content-type"]).toBe("application/json");
     expect(res.body).toBe(JSON.stringify({ status: "ok" }));
@@ -121,13 +134,10 @@ describe("createLineNodeWebhookHandler", () => {
     expect(bot.handleWebhook).not.toHaveBeenCalled();
   });
 
-  it("uses a tight body-read limit for unsigned POST requests", async () => {
+  it("rejects unsigned POST requests before reading the body", async () => {
     const bot = { handleWebhook: vi.fn(async () => {}) };
     const runtime = { log: vi.fn(), error: vi.fn(), exit: vi.fn() };
-    const readBody = vi.fn(async (_req: IncomingMessage, maxBytes: number) => {
-      expect(maxBytes).toBe(4096);
-      return JSON.stringify({ events: [{ type: "message" }] });
-    });
+    const readBody = vi.fn(async () => JSON.stringify({ events: [{ type: "message" }] }));
     const handler = createLineNodeWebhookHandler({
       channelSecret: "secret",
       bot,
@@ -139,7 +149,7 @@ describe("createLineNodeWebhookHandler", () => {
     await handler({ method: "POST", headers: {} } as unknown as IncomingMessage, res);
 
     expect(res.statusCode).toBe(400);
-    expect(readBody).toHaveBeenCalledTimes(1);
+    expect(readBody).not.toHaveBeenCalled();
     expect(bot.handleWebhook).not.toHaveBeenCalled();
   });
 
diff --git a/src/line/webhook-node.ts b/src/line/webhook-node.ts
@@ -8,11 +8,10 @@ import {
 } from "../infra/http-body.js";
 import type { RuntimeEnv } from "../runtime.js";
 import { validateLineSignature } from "./signature.js";
-import { isLineWebhookVerificationRequest, parseLineWebhookBody } from "./webhook-utils.js";
+import { parseLineWebhookBody } from "./webhook-utils.js";
 
 const LINE_WEBHOOK_MAX_BODY_BYTES = 1024 * 1024;
 const LINE_WEBHOOK_PREAUTH_MAX_BODY_BYTES = 64 * 1024;
-const LINE_WEBHOOK_UNSIGNED_MAX_BODY_BYTES = 4 * 1024;
 const LINE_WEBHOOK_PREAUTH_BODY_TIMEOUT_MS = 5_000;
 
 export async function readLineWebhookRequestBody(
@@ -65,37 +64,25 @@ export function createLineNodeWebhookHandler(params: {
       const signatureHeader = req.headers["x-line-signature"];
       const signature =
         typeof signatureHeader === "string"
-          ? signatureHeader
+          ? signatureHeader.trim()
           : Array.isArray(signatureHeader)
-            ? signatureHeader[0]
-            : undefined;
-      const hasSignature = typeof signature === "string" && signature.trim().length > 0;
-      const bodyLimit = hasSignature
-        ? Math.min(maxBodyBytes, LINE_WEBHOOK_PREAUTH_MAX_BODY_BYTES)
-        : Math.min(maxBodyBytes, LINE_WEBHOOK_UNSIGNED_MAX_BODY_BYTES);
-      const rawBody = await readBody(req, bodyLimit, LINE_WEBHOOK_PREAUTH_BODY_TIMEOUT_MS);
+            ? (signatureHeader[0] ?? "").trim()
+            : "";
 
-      // Parse once; we may need it for verification requests and for event processing.
-      const body = parseLineWebhookBody(rawBody);
-
-      // LINE webhook verification sends POST {"events":[]} without a
-      // signature header. Return 200 so the LINE Developers Console
-      // "Verify" button succeeds.
-      if (!hasSignature) {
-        if (isLineWebhookVerificationRequest(body)) {
-          logVerbose("line: webhook verification request (empty events, no signature) - 200 OK");
-          res.statusCode = 200;
-          res.setHeader("Content-Type", "application/json");
-          res.end(JSON.stringify({ status: "ok" }));
-          return;
-        }
+      if (!signature) {
         logVerbose("line: webhook missing X-Line-Signature header");
         res.statusCode = 400;
         res.setHeader("Content-Type", "application/json");
         res.end(JSON.stringify({ error: "Missing X-Line-Signature header" }));
         return;
       }
 
+      const rawBody = await readBody(
+        req,
+        Math.min(maxBodyBytes, LINE_WEBHOOK_PREAUTH_MAX_BODY_BYTES),
+        LINE_WEBHOOK_PREAUTH_BODY_TIMEOUT_MS,
+      );
+
       if (!validateLineSignature(rawBody, signature, params.channelSecret)) {
         logVerbose("line: webhook signature validation failed");
         res.statusCode = 401;
@@ -104,6 +91,8 @@ export function createLineNodeWebhookHandler(params: {
         return;
       }
 
+      const body = parseLineWebhookBody(rawBody);
+
       if (!body) {
         res.statusCode = 400;
         res.setHeader("Content-Type", "application/json");
diff --git a/src/line/webhook-utils.ts b/src/line/webhook-utils.ts
@@ -7,9 +7,3 @@ export function parseLineWebhookBody(rawBody: string): WebhookRequestBody | null
     return null;
   }
 }
-
-export function isLineWebhookVerificationRequest(
-  body: WebhookRequestBody | null | undefined,
-): boolean {
-  return !!body && Array.isArray(body.events) && body.events.length === 0;
-}
diff --git a/src/line/webhook.test.ts b/src/line/webhook.test.ts
@@ -87,17 +87,34 @@ describe("createLineWebhookMiddleware", () => {
     expect(onEvents).not.toHaveBeenCalled();
   });
 
-  it("returns 200 for verification request (empty events, no signature)", async () => {
+  it("rejects verification-shaped requests without a signature", async () => {
     const { res, onEvents } = await invokeWebhook({
       body: JSON.stringify({ events: [] }),
       headers: {},
       autoSign: false,
     });
+    expect(res.status).toHaveBeenCalledWith(400);
+    expect(res.json).toHaveBeenCalledWith({ error: "Missing X-Line-Signature header" });
+    expect(onEvents).not.toHaveBeenCalled();
+  });
+
+  it("accepts signed verification-shaped requests without dispatching events", async () => {
+    const { res, onEvents } = await invokeWebhook({
+      body: JSON.stringify({ events: [] }),
+    });
     expect(res.status).toHaveBeenCalledWith(200);
     expect(res.json).toHaveBeenCalledWith({ status: "ok" });
     expect(onEvents).not.toHaveBeenCalled();
   });
 
+  it("rejects oversized signed payloads before JSON parsing", async () => {
+    const largeBody = JSON.stringify({ events: [], payload: "x".repeat(70 * 1024) });
+    const { res, onEvents } = await invokeWebhook({ body: largeBody });
+    expect(res.status).toHaveBeenCalledWith(413);
+    expect(res.json).toHaveBeenCalledWith({ error: "Payload too large" });
+    expect(onEvents).not.toHaveBeenCalled();
+  });
+
   it("rejects missing signature when events are non-empty", async () => {
     const { res, onEvents } = await invokeWebhook({
       body: JSON.stringify({ events: [{ type: "message" }] }),
diff --git a/src/line/webhook.ts b/src/line/webhook.ts
@@ -3,7 +3,9 @@ import type { Request, Response, NextFunction } from "express";
 import { logVerbose, danger } from "../globals.js";
 import type { RuntimeEnv } from "../runtime.js";
 import { validateLineSignature } from "./signature.js";
-import { isLineWebhookVerificationRequest, parseLineWebhookBody } from "./webhook-utils.js";
+import { parseLineWebhookBody } from "./webhook-utils.js";
+
+const LINE_WEBHOOK_MAX_RAW_BODY_BYTES = 64 * 1024;
 
 export interface LineWebhookOptions {
   channelSecret: string;
@@ -39,33 +41,31 @@ export function createLineWebhookMiddleware(
   return async (req: Request, res: Response, _next: NextFunction): Promise<void> => {
     try {
       const signature = req.headers["x-line-signature"];
-      const rawBody = readRawBody(req);
-      const body = parseWebhookBody(req, rawBody);
 
-      // LINE webhook verification sends POST {"events":[]} without a
-      // signature header.  Return 200 immediately so the LINE Developers
-      // Console "Verify" button succeeds.
       if (!signature || typeof signature !== "string") {
-        if (isLineWebhookVerificationRequest(body)) {
-          logVerbose("line: webhook verification request (empty events, no signature) - 200 OK");
-          res.status(200).json({ status: "ok" });
-          return;
-        }
         res.status(400).json({ error: "Missing X-Line-Signature header" });
         return;
       }
 
+      const rawBody = readRawBody(req);
+
       if (!rawBody) {
         res.status(400).json({ error: "Missing raw request body for signature verification" });
         return;
       }
+      if (Buffer.byteLength(rawBody, "utf-8") > LINE_WEBHOOK_MAX_RAW_BODY_BYTES) {
+        res.status(413).json({ error: "Payload too large" });
+        return;
+      }
 
       if (!validateLineSignature(rawBody, signature, channelSecret)) {
         logVerbose("line: webhook signature validation failed");
         res.status(401).json({ error: "Invalid signature" });
         return;
       }
 
+      const body = parseWebhookBody(req, rawBody);
+
       if (!body) {
         res.status(400).json({ error: "Invalid webhook payload" });
         return;

Original file line number	Diff line number	Diff line change
`@@ -7,9 +7,3 @@ export function parseLineWebhookBody(rawBody: string): WebhookRequestBody \| null`
`7`	`7`	`return null;`
`8`	`8`	`}`
`9`	`9`	`}`
`10`		`-`
`11`		`-export function isLineWebhookVerificationRequest(`
`12`		`- body: WebhookRequestBody \| null \| undefined,`
`13`		`-): boolean {`
`14`		`- return !!body && Array.isArray(body.events) && body.events.length === 0;`
`15`		`-}`