Skip to content

[WEB-8103] fix: stop leaking webhook HMAC secret_key on reads (GHSA-83rj)#9382

Open
mguptahub wants to merge 1 commit into
previewfrom
web-8103/webhook-secret-key-scope
Open

[WEB-8103] fix: stop leaking webhook HMAC secret_key on reads (GHSA-83rj)#9382
mguptahub wants to merge 1 commit into
previewfrom
web-8103/webhook-secret-key-scope

Conversation

@mguptahub

@mguptahub mguptahub commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Fixes GHSA-83rj-4282-x39v (MED, admin-only).

Problem

WebhookEndpoint list/retrieve/patch pass a fields=(...) allowlist that deliberately excludes secret_key, but DynamicBaseSerializer.__init__ discards the caller allowlist (fields = self.expand). Combined with WebhookSerializer using fields="__all__" and secret_key only in read_only_fields (read-only fields are still serialized), the HMAC signing secret_key was returned on every webhook read. All handlers are @allow_permission([ADMIN], level="WORKSPACE"), so exposure is workspace-admin-only.

Fix

The advisory suggests secret_key = serializers.CharField(write_only=True), but that would (a) let a client inject their own secret on create/patch (a downgrade — the secret is server-generated via default=generate_token) and (b) break the intended one-time reveal. Instead:

  • WebhookSerializer.to_representation drops secret_key unless a show_secret_key context flag is set — secure by default. secret_key stays server-generated and non-writable.
  • POST create and WebhookSecretRegenerateEndpoint pass show_secret_key=True, so the secret is still returned once for the caller to configure their receiver.
  • list / retrieve / patch no longer emit it.

WebhookSerializer is only used in app/views/webhook/base.py (no external API / EE consumer), so the blast radius is contained.

Tests

tests/contract/app/test_webhook_secret_key_scope_app.py — 6 tests: list/retrieve/patch do not leak, create + regenerate still reveal, and a serializer-level check of both branches of the flag. Fail-before verified (the four no-leak tests return secret_key before the fix). ruff + manage.py check green.

Follow-up

The root DynamicBaseSerializer.__init__ bug (silently discarding the fields= allowlist) also affects other serializers (workspace/project member over-exposure) — tracked as a separate audit.

Summary by CodeRabbit

  • Bug Fixes
    • Improved webhook responses to prevent secret values from being exposed unless explicitly required.
    • Regenerating a webhook secret now returns the updated secret in the response.
    • Creating a webhook now includes the secret details needed for setup, while list, detail, and update responses keep it hidden.

…3rj)

WebhookEndpoint list/retrieve/patch pass a fields= allowlist that excludes
secret_key, but DynamicBaseSerializer.__init__ discards the caller
allowlist (fields = self.expand). With WebhookSerializer using
fields="__all__" and secret_key only in read_only_fields (read-only is
still serialized), the HMAC signing secret leaked on every webhook read
(GHSA-83rj-4282-x39v; admin-only).

Rather than secret_key = CharField(write_only=True) — which would let a
client inject their own secret on create/patch and break the intended
one-time reveal — hide it by default and reveal only where intended:

- WebhookSerializer.to_representation drops secret_key unless the
  show_secret_key context flag is set (secure by default). secret_key
  stays server-generated (default=generate_token) and non-writable.
- POST create and WebhookSecretRegenerateEndpoint pass show_secret_key so
  the secret is still returned once for the caller to configure their
  receiver; list/retrieve/patch no longer emit it.

Add contract regression tests (fail-before verified). Follow-up: the
DynamicBaseSerializer.__init__ allowlist bug affects other serializers —
tracked separately.

Co-authored-by: Plane AI <noreply@plane.so>
Copilot AI review requested due to automatic review settings July 9, 2026 10:45
@makeplane

makeplane Bot commented Jul 9, 2026

Copy link
Copy Markdown

Linked to Plane Work Item(s)

This comment was auto-generated by Plane

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8b56207b-8b35-411a-a820-b64893493cde

📥 Commits

Reviewing files that changed from the base of the PR and between 4fc79a2 and 9783bbe.

📒 Files selected for processing (3)
  • apps/api/plane/app/serializers/webhook.py
  • apps/api/plane/app/views/webhook/base.py
  • apps/api/plane/tests/contract/app/test_webhook_secret_key_scope_app.py

📝 Walkthrough

Walkthrough

WebhookSerializer now overrides to_representation to remove secret_key from output unless the serializer context sets show_secret_key. WebhookEndpoint and WebhookSecretRegenerateEndpoint pass this context flag on create and regenerate responses. A new regression test module validates the exposure rules across endpoints and serializer directly.

Changes

Webhook secret_key scoping

Layer / File(s) Summary
Serializer secret_key gating
apps/api/plane/app/serializers/webhook.py
WebhookSerializer.to_representation removes secret_key from serialized output unless context["show_secret_key"] is truthy.
Endpoint context wiring
apps/api/plane/app/views/webhook/base.py
WebhookEndpoint.post and WebhookSecretRegenerateEndpoint.post instantiate WebhookSerializer with context={"show_secret_key": True} so create and regenerate responses include the secret key.
Regression tests for secret_key scope
apps/api/plane/tests/contract/app/test_webhook_secret_key_scope_app.py
New test module with helpers verifies list, retrieve, and patch responses omit secret_key, regenerate and create responses include it, and serializer behavior matches context settings directly.

Estimated code review effort: 2 (Simple) | ~12 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant WebhookEndpoint
  participant WebhookSerializer
  Client->>WebhookEndpoint: POST create/regenerate webhook
  WebhookEndpoint->>WebhookSerializer: instantiate with context show_secret_key True
  WebhookSerializer->>WebhookSerializer: to_representation checks context
  WebhookSerializer-->>WebhookEndpoint: data including secret_key
  WebhookEndpoint-->>Client: response with secret_key
Loading
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately highlights the webhook secret_key leak fix.
Description check ✅ Passed The description is detailed and covers the problem, fix, tests, and follow-up, though it doesn't use the template's exact section headings.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch web-8103/webhook-secret-key-scope

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a security issue where webhook HMAC secret_key was being serialized and returned on webhook list/retrieve/patch responses due to a serializer field-allowlist being silently dropped. The change makes secret_key hidden by default in WebhookSerializer and only revealed when explicitly opted-in via serializer context, preserving the intended one-time reveal behavior on create/regenerate.

Changes:

  • Hide secret_key by default in WebhookSerializer.to_representation, only returning it when context["show_secret_key"] is true.
  • Opt-in to secret reveal for webhook creation and secret regeneration endpoints via show_secret_key=True.
  • Add contract regression tests ensuring list/retrieve/patch never leak secret_key, while create/regenerate still reveal it.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
apps/api/plane/app/serializers/webhook.py Filters secret_key out of serialized output by default; supports explicit reveal via serializer context flag.
apps/api/plane/app/views/webhook/base.py Passes show_secret_key=True only on create and secret regeneration responses.
apps/api/plane/tests/contract/app/test_webhook_secret_key_scope_app.py Adds regression tests covering both non-leak and reveal-once cases.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants