Fix Insecure Webhooks in Cuba
Webhooks in Cuba are often implemented as raw POST routes with zero authentication, allowing attackers to spoof events and manipulate internal state. If you aren't verifying the HMAC signature of the payload against a shared secret, your endpoint is a public backdoor. We need to enforce cryptographic integrity using OpenSSL and constant-time comparison.
The Vulnerable Pattern
```ruby
require "cuba"
require "json"

Cuba.define do
  on post, "webhooks/update" do
    # VULNERABILITY: No signature verification
    # Anyone can POST any JSON to trigger this logic
    payload = JSON.parse(req.body.read)
    process_order(payload["id"])
    res.write "OK"
  end
end
```
The Secure Implementation
The secure implementation introduces three critical defenses. First, it reads the raw request body before parsing; the signature must be calculated over the exact byte stream received, not over a re-serialized copy of the parsed JSON. Second, it computes a local HMAC-SHA256 tag over that body using a server-side secret. Third, it uses Rack::Utils.secure_compare for the string comparison. This is vital because the standard '==' operator returns as soon as it finds a mismatching byte, creating a timing side-channel that lets an attacker recover the correct signature byte by byte. A constant-time comparison takes the same time regardless of where the first difference lies, which neutralizes this vector.
```ruby
require "cuba"
require "json"
require "openssl"
require "rack/utils"

# Fail fast at boot if the secret is missing instead of failing on the first request
SECRET = ENV.fetch("WEBHOOK_SECRET")

Cuba.define do
  on post, "webhooks/update" do
    signature = req.env["HTTP_X_SIGNATURE"]
    body = req.body.read

    # Generate HMAC-SHA256 using the raw body and shared secret
    expected = OpenSSL::HMAC.hexdigest("sha256", SECRET, body)

    # Use Rack::Utils.secure_compare to prevent timing attacks; it also
    # returns false when the lengths differ, so a truncated header cannot match
    if signature && Rack::Utils.secure_compare(expected, signature)
      payload = JSON.parse(body)
      process_order(payload["id"])
      res.write "Verified"
    else
      res.status = 403
      res.write "Unauthorized"
    end
  end
end
```
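To make the three defenses concrete outside of a running Cuba app, here is an added, framework-free example (not code from the original article or from Cuba or Rack). It shows both sides of the exchange: the sender signing the raw bytes, and the receiver recomputing the HMAC-SHA256 tag and comparing it in constant time. The constant-time comparison is written out in pure Ruby rather than calling Rack::Utils.secure_compare so the mechanism is visible; the function names, the sample payload and `SECRET_FOR_DEMO` are all constructed for this example. It also demonstrates the raw-body rule from the text: re-serializing the parsed JSON changes the bytes, so a signature computed over the original body no longer verifies.

```ruby
require "openssl"
require "json"

# Constructed demo secret; in production load it from the environment, as the article does.
SECRET_FOR_DEMO = "demo-shared-secret-do-not-use".freeze

# Sender side: sign exactly the bytes that will be put on the wire.
def sign_webhook(secret, raw_body)
  OpenSSL::HMAC.hexdigest("sha256", secret, raw_body)
end

# Constant-time equality: every byte is visited regardless of where the first
# mismatch is, so the elapsed time does not leak how many leading bytes matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Receiver side: recompute the tag over the raw body and compare in constant time.
# Returns the parsed payload on success and nil on any failure (missing header,
# wrong length, tampered body, wrong secret).
def verify_webhook(secret, raw_body, signature)
  return nil if signature.nil? || signature.empty?
  expected = sign_webhook(secret, raw_body)
  return nil unless constant_time_equal?(expected, signature)
  JSON.parse(raw_body)
end

# Shows why the tag must cover the raw bytes: JSON.generate drops the whitespace
# the sender used, so the recomputed digest differs and verification fails.
def reserialised_body_verifies?(secret, raw_body, signature)
  reserialised = JSON.generate(JSON.parse(raw_body))
  !verify_webhook(secret, reserialised, signature).nil?
end

if __FILE__ == $PROGRAM_NAME
  body = '{"id": 42, "status": "paid"}' # constructed sample payload, note the spaces
  sig = sign_webhook(SECRET_FOR_DEMO, body)
  p verify_webhook(SECRET_FOR_DEMO, body, sig)                  # parsed hash
  p verify_webhook(SECRET_FOR_DEMO, body.sub("42", "43"), sig)  # nil: body tampered
  p verify_webhook(SECRET_FOR_DEMO, body, nil)                  # nil: header missing
  p reserialised_body_verifies?(SECRET_FOR_DEMO, body, sig)     # false
end
```

The receiver returns nil rather than raising on a bad signature so the route can map every failure path to the same 403, without distinguishing "header absent" from "header wrong" to the caller.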
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.