
#18777: fix: LINE webhook acknowledges events before processing and drops failur

by coygeek open 2026-02-17 02:03
stale size: S trusted-contributor
## Fix Summary

The LINE webhook handlers return HTTP 200 before event processing finishes, then catch processing errors and only log them. This causes irreversible message loss because LINE sees success and does not retry failed deliveries. The pattern exists in two independent code paths.

## Issue Linkage

Fixes #18775

## Security Snapshot

- CVSS v3.1: 8.2 (High)
- CVSS v4.0: 8.8 (High)

## Implementation Details

### Files Changed

- `src/line/webhook-node.test.ts` (+22/-1)
- `src/line/webhook-node.ts` (+6/-9)
- `src/line/webhook.test.ts` (+29/-0)
- `src/line/webhook.ts` (+4/-7)

### Technical Analysis

Root cause: The LINE webhook handlers return HTTP 200 before event processing finishes, then catch processing errors and only log them. The vulnerable behavior originates in `src/line/webhook.ts:74-83` and `src/line/webhook-node.ts:96-107`. When the documented execution path is triggered, security controls fail to enforce the expected boundary.

Fix approach: enforce secure defaults on this path, validate/guard untrusted inputs at the boundary, and add regression tests that cover the failing scenario.

## Validation Evidence

- Command: `pnpm build && pnpm check && pnpm test`
- Status: passed

## Risk and Compatibility

non-breaking; no known regression impact

## AI-Assisted Disclosure

- AI-assisted: yes
- Model: GPT-5.3-Codex
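The ordering problem described in the summary above, as an added TypeScript example that is not taken from this PR or from `src/line/webhook.ts`. The names `ackFirst`, `processFirst`, `deliver` and `run` are hypothetical, and the sender that redelivers on a non-2xx status is a constructed model of the retry behavior the summary refers to.

```typescript
// Added illustration, not code from src/line/webhook.ts. All names are hypothetical.
type Handler = (event: string) => Promise<void>;
type Webhook = (events: string[]) => Promise<number>; // resolves to the HTTP status sent

// Ordering described in the PR: status 200 is decided first, failures are only logged.
function ackFirst(handle: Handler, log: string[]): Webhook {
  return async (events) => {
    for (const e of events) {
      void handle(e).catch((err: unknown) => log.push(`dropped ${e}: ${String(err)}`));
    }
    return 200;
  };
}

// Corrected ordering: await processing so a failure surfaces as a non-2xx status.
function processFirst(handle: Handler, log: string[]): Webhook {
  return async (events) => {
    try {
      for (const e of events) await handle(e);
      return 200;
    } catch (err) {
      log.push(`failed, not acknowledged: ${String(err)}`);
      return 500;
    }
  };
}

// Constructed sender model: redelivers the batch only after a non-2xx response.
async function deliver(hook: Webhook, events: string[], maxAttempts = 3): Promise<number> {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const status = await hook(events);
    if (status >= 200 && status < 300) return attempt;
  }
  return maxAttempts;
}

// Constructed scenario: the first processing call hits a transient error.
async function run(make: (h: Handler, log: string[]) => Webhook) {
  const stored: string[] = [];
  const log: string[] = [];
  let calls = 0;
  const handle: Handler = async (e) => {
    if (calls++ === 0) throw new Error("transient store error");
    stored.push(e);
  };
  const attempts = await deliver(make(handle, log), ["evt-1", "evt-2"]);
  return { attempts, stored, log };
}

run(ackFirst).then((r) => console.log("ack-first:", r));
run(processFirst).then((r) => console.log("process-first:", r));
```

Acknowledging only after processing means a sender that redelivers can repeat events that already succeeded, so handlers on this path should be idempotent, for example by deduplicating on an event id.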
