🔒 security: enforce Twilio webhook signature validation #2
Wire up the existing validateTwilioSignature() helper as express middleware on the Twilio webhook router. Every incoming request is now verified against the X-Twilio-Signature header before any message processing occurs, preventing forged webhook calls. Requires a new TWILIO_WEBHOOK_URL env var (the full public-facing URL Twilio posts to), documented in .env.example. https://claude.ai/code/session_01KnaWLH6KQiPH5yzDK5hbX7
Add package overrides to force safe versions of three vulnerable transitive dependencies:
- axios ^1.15.0 (was 1.13.5 via twilio) — fixes critical SSRF via NO_PROXY bypass and cloud metadata exfiltration via header injection
- follow-redirects ^1.16.0 (was 1.15.11 via axios) — fixes moderate auth header leakage on cross-domain redirects
- path-to-regexp ^8.4.0 (was 8.3.0 via express/router) — fixes high ReDoS via sequential optional groups and multiple wildcards

All 5 vulnerabilities confirmed resolved via bun audit.
https://claude.ai/code/session_01KnaWLH6KQiPH5yzDK5hbX7

- wgtechlabs/container-build-flow-action v1.3.1 → v1.7.1
- wgtechlabs/release-build-flow-action v1.6.0 → v1.7.0
https://claude.ai/code/session_01KnaWLH6KQiPH5yzDK5hbX7
Pull request overview
This PR enforces Twilio webhook authenticity by validating the X-Twilio-Signature header via the existing validateTwilioSignature() helper before processing inbound WhatsApp messages.
Changes:
- Add Express middleware on the Twilio webhook router to reject requests with missing/invalid X-Twilio-Signature.
- Introduce required TWILIO_WEBHOOK_URL config/env var used during signature verification.
- Update dependency versions and add package.json overrides (axios/follow-redirects/path-to-regexp).
Reviewed changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/routes/twilio-webhook.ts | Adds signature-validation middleware ahead of webhook processing. |
| src/config.ts | Adds required twilio.webhookUrl sourced from TWILIO_WEBHOOK_URL. |
| package.json | Bumps core deps/devDeps and adds overrides affecting transitive deps. |
| bun.lock | Lockfile updates reflecting dependency bumps/overrides. |
| .env.example | Documents TWILIO_WEBHOOK_URL for signature validation. |
🔥 Container Build Complete - Patch Build

Build Status: ✅ Success

📦 Pull Image
- Docker Hub: docker pull wgtechlabs/unthread-whatsapp-bot:patch-61be7ed
- GHCR: docker pull ghcr.io/wgtechlabs/unthread-whatsapp-bot:patch-61be7ed

📋 Build Details
🏷️ Image Tags: patch-61be7ed

🔍 Testing Your Changes
🚀 Quick Start
# Pull and run the container
docker pull wgtechlabs/unthread-whatsapp-bot:patch-61be7ed
docker run <your-options> <image>

🔒 Security Scan Results
📋 Pre-Build Security Checks
✅ Source Code Scan: 0 vulnerabilities found
🐳 Container Image Vulnerabilities
📊 Detailed Security Reports: View detailed vulnerability reports in the GitHub Security tab.

🤖 Powered by Container Build Flow Action v1.7.1
Replace four inline res...send('<Response></Response>') calls with a shared sendEmptyTwiML(res, status?) helper to avoid drift and make future response changes easier.
https://claude.ai/code/session_01KnaWLH6KQiPH5yzDK5hbX7
Security fixes

Twilio webhook signature validation

Wire up the existing validateTwilioSignature() helper as express middleware on the Twilio webhook router. Every incoming request is now verified against the X-Twilio-Signature header before any message processing occurs, preventing forged webhook calls.

Requires a new TWILIO_WEBHOOK_URL env var (the full public-facing URL Twilio posts to), documented in .env.example.

Also centralizes the repeated <Response></Response> TwiML string into a shared sendEmptyTwiML(res, status?) helper.

Dependency security overrides

Added overrides in package.json to force safe versions of vulnerable transitive dependencies (bun audit confirmed 5 vulnerabilities resolved):
- axios (via twilio)
- path-to-regexp (via express/router)
- follow-redirects (via axios)

GitHub Actions updates
- wgtechlabs/container-build-flow-action v1.3.1 → v1.7.1
- wgtechlabs/release-build-flow-action v1.6.0 → v1.7.0

https://claude.ai/code/session_01KnaWLH6KQiPH5yzDK5hbX7