#21288: Security/Voice: reject malformed Host headers in webhook+WS server
channel: voice-call
size: M
Cluster:
Security Enhancements and Fixes
## Summary
- harden `VoiceCallWebhookServer` URL parsing for both HTTP webhooks and WebSocket upgrades
- reject malformed explicit `Host` headers with `400` instead of allowing uncaught URL parse exceptions
- add regression coverage proving malformed upgrade requests do not terminate the server
## Security impact
Malformed `Host` headers on upgrade/webhook paths could trigger an unhandled `Invalid URL` exception path, causing process instability/DoS in streaming-enabled deployments. This change fails closed and preserves service availability.
## Validation
- `pnpm vitest extensions/voice-call/src/webhook.test.ts`
<!-- greptile_comment -->
<h3>Greptile Summary</h3>
Hardens webhook server against malformed `Host` header DoS by wrapping URL parsing in `parseHttpRequestUrl`, which returns `null` on parse failures with explicit host headers and falls back to localhost when no host is provided. Both HTTP webhooks and WebSocket upgrades now fail closed with `400 Bad Request` instead of throwing unhandled exceptions.
- Added `parseHttpRequestUrl` helper with safe URL construction and fallback logic
- Updated upgrade handler (`webhook.ts:224`) to reject malformed upgrades with `400 Bad Request`
- Updated request handler (`webhook.ts:318`) to reject malformed requests with `400 Bad Request`
- Added regression test verifying server stability after malformed upgrade attempts
<h3>Confidence Score: 5/5</h3>
- This PR is safe to merge with minimal risk
- The change is a focused security hardening fix that adds proper error handling for malformed Host headers. The implementation uses defensive programming (fail closed), includes comprehensive test coverage proving the server remains stable after malformed requests, and follows the existing code patterns. No breaking changes, no uncovered edge cases identified.
- No files require special attention
<sub>Last reviewed commit: 3373ab6</sub>
<!-- greptile_other_comments_section -->
<!-- /greptile_comment -->
Most Similar PRs
#21197: Security/Voice Call: enforce exact webhook path matching
by bmendonca3 · 2026-02-19
80.7%
#21128: Security/Voice Call: require trusted proxy IPs for forwarded-header...
by bmendonca3 · 2026-02-19
80.3%
#21101: Security/Voice Call: gate skipSignatureVerification to local-dev or...
by bmendonca3 · 2026-02-19
75.7%
#7704: fix(voice-call): add authentication to WebSocket media stream endpoint
by coygeek · 2026-02-03
75.7%
#21532: Security/Voice Call: block signed webhook replay
by bmendonca3 · 2026-02-20
73.0%
#6128: Fail closed when Telnyx webhook public key is missing (voice-call p...
by yueyueL · 2026-02-01
73.0%
#21050: security(voice-call): path-based stream token for Twilio WebSocket ...
by richvincent · 2026-02-19
72.8%
#21326: Security/UI: harden Control UI gatewayUrl URL overrides
by bmendonca3 · 2026-02-19
72.8%
#19110: fix(voice-call): handle EADDRINUSE crash on webhook server start
by Clawborn · 2026-02-17
72.7%
#14197: fix(security): harden browser API auth, token comparisons, and hook...
by leecarollyn-gif · 2026-02-11
72.0%