refactor(security): consolidate webhook path-collision check into one helper

Extract findConflictingWebhookPathOwner to lib/webhooks/utils.server.ts as
the single source of truth for cross-tenant path-collision detection, used by
both webhook creation paths (deploy sync and the manual /api/webhooks route).

This also repairs two latent issues in the manual route's previous inline
check, which queried with limit(1) and only webhook.archivedAt:
- limit(1) inspected one arbitrary row, so a same-workflow row could mask a
  foreign collision (false negative). The shared helper scans all matching
  rows.
- It omitted isActive/workflow.archivedAt, so inactive or archived-workflow
  webhooks (which never receive deliveries) permanently blocked path reuse.
  The helper mirrors the runtime dispatcher's filter.

Same-workflow webhook reuse for upsert is now a separate, explicit lookup.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/webhooks/route.ts

@@ -27,7 +27,10 @@ import {
 } from '@/lib/webhooks/provider-subscriptions'
 import { getProviderHandler } from '@/lib/webhooks/providers'
 import { mergeNonUserFields } from '@/lib/webhooks/utils'
-import { syncWebhooksForCredentialSet } from '@/lib/webhooks/utils.server'
+import {
+  findConflictingWebhookPathOwner,
+  syncWebhooksForCredentialSet,
+} from '@/lib/webhooks/utils.server'
 import { extractCredentialSetId, isCredentialSetValue } from '@/executor/constants'
 
 const logger = createLogger('WebhooksAPI')
@@ -330,21 +333,31 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       }
     }
     if (!targetWebhookId) {
-      const existingByPath = await db
-        .select({ id: webhook.id, workflowId: webhook.workflowId })
+      const conflictingOwner = await findConflictingWebhookPathOwner({
+        path: finalPath,
+        workflowId,
+      })
+      if (conflictingOwner) {
+        logger.warn(`[${requestId}] Webhook path conflict: ${finalPath}`)
+        return NextResponse.json(
+          { error: 'Webhook path already exists.', code: 'PATH_EXISTS' },
+          { status: 409 }
+        )
+      }
+
+      const ownExisting = await db
+        .select({ id: webhook.id })
         .from(webhook)
-        .where(and(eq(webhook.path, finalPath), isNull(webhook.archivedAt)))
-        .limit(1)
-      if (existingByPath.length > 0) {
-        // If a webhook with the same path exists but belongs to a different workflow, return an error
-        if (existingByPath[0].workflowId !== workflowId) {
-          logger.warn(`[${requestId}] Webhook path conflict: ${finalPath}`)
-          return NextResponse.json(
-            { error: 'Webhook path already exists.', code: 'PATH_EXISTS' },
-            { status: 409 }
+        .where(
+          and(
+            eq(webhook.path, finalPath),
+            eq(webhook.workflowId, workflowId),
+            isNull(webhook.archivedAt)
           )
-        }
-        targetWebhookId = existingByPath[0].id
+        )
+        .limit(1)
+      if (ownExisting.length > 0) {
+        targetWebhookId = ownExisting[0].id
       }
     }
 

apps/sim/lib/webhooks/deploy.ts

@@ -1,11 +1,5 @@
 import { db } from '@sim/db'
-import {
-  account,
-  credentialSetMember,
-  webhook,
-  workflow,
-  workflowDeploymentVersion,
-} from '@sim/db/schema'
+import { account, credentialSetMember, webhook, workflowDeploymentVersion } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { generateShortId } from '@sim/utils/id'
 import { and, eq, inArray, isNotNull, isNull, or } from 'drizzle-orm'
@@ -18,7 +12,10 @@ import {
   shouldRecreateExternalWebhookSubscription,
 } from '@/lib/webhooks/provider-subscriptions'
 import { getProviderHandler } from '@/lib/webhooks/providers'
-import { syncWebhooksForCredentialSet } from '@/lib/webhooks/utils.server'
+import {
+  findConflictingWebhookPathOwner,
+  syncWebhooksForCredentialSet,
+} from '@/lib/webhooks/utils.server'
 import { buildCanonicalIndex } from '@/lib/workflows/subblocks/visibility'
 import { getBlock } from '@/blocks'
 import type { SubBlockConfig } from '@/blocks/types'
@@ -29,37 +26,6 @@ import { SYSTEM_SUBBLOCK_IDS } from '@/triggers/constants'
 const logger = createLogger('DeployWebhookSync')
 const CREDENTIAL_SET_PREFIX = 'credentialSet:'
 
-/**
- * Returns the id of a different workflow that already owns an active webhook on
- * the given path, or `null` if the path is free or owned by this workflow.
- * Guards against cross-tenant path collisions, since paths are user-controlled
- * and only unique per deployment version. Mirrors the runtime dispatcher's
- * filter (active, non-archived webhook on a non-archived workflow) so webhooks
- * that can never receive deliveries don't permanently reserve a path.
- */
-async function findConflictingWebhookPathOwner(params: {
-  path: string
-  workflowId: string
-}): Promise<string | null> {
-  const { path, workflowId } = params
-
-  const existing = await db
-    .select({ workflowId: webhook.workflowId })
-    .from(webhook)
-    .innerJoin(workflow, eq(webhook.workflowId, workflow.id))
-    .where(
-      and(
-        eq(webhook.path, path),
-        eq(webhook.isActive, true),
-        isNull(webhook.archivedAt),
-        isNull(workflow.archivedAt)
-      )
-    )
-
-  const conflict = existing.find((row) => row.workflowId !== workflowId)
-  return conflict ? conflict.workflowId : null
-}
-
 interface TriggerSaveError {
   message: string
   status: number

apps/sim/lib/webhooks/utils.server.ts

@@ -10,6 +10,43 @@ import { cleanupExternalWebhook } from '@/lib/webhooks/provider-subscriptions'
 import { getCredentialsForCredentialSet } from '@/app/api/auth/oauth/utils'
 import { isPollingWebhookProvider } from '@/triggers/constants'
 
+/**
+ * Returns the id of a different workflow that already owns an active webhook on
+ * the given path, or `null` if the path is free or owned by `workflowId`.
+ *
+ * Webhook paths are user-controlled and the database only enforces uniqueness
+ * per deployment version, so this is the single guard against cross-tenant path
+ * collisions for every webhook creation path. The filter mirrors the runtime
+ * dispatcher (`findAllWebhooksForPath`): an active, non-archived webhook on a
+ * non-archived workflow — inactive or archived webhooks never receive
+ * deliveries, so they must not reserve a path. All matching rows are scanned so
+ * a same-workflow row can never mask a foreign collision.
+ */
+export async function findConflictingWebhookPathOwner(params: {
+  path: string
+  workflowId: string
+  tx?: DbOrTx
+}): Promise<string | null> {
+  const { path, workflowId, tx } = params
+  const dbCtx = tx ?? db
+
+  const existing = await dbCtx
+    .select({ workflowId: webhook.workflowId })
+    .from(webhook)
+    .innerJoin(workflow, eq(webhook.workflowId, workflow.id))
+    .where(
+      and(
+        eq(webhook.path, path),
+        eq(webhook.isActive, true),
+        isNull(webhook.archivedAt),
+        isNull(workflow.archivedAt)
+      )
+    )
+
+  const conflict = existing.find((row) => row.workflowId !== workflowId)
+  return conflict ? conflict.workflowId : null
+}
+
 /**
  * Result of syncing webhooks for a credential set
  */