feat: Prevent webhook url takeover (#14783)

packages/cli/src/server.ts

@@ -69,6 +69,7 @@ import '@/evaluation.ee/test-definitions.controller.ee';
 import '@/evaluation.ee/test-runs.controller.ee';
 import '@/workflows/workflow-history.ee/workflow-history.controller.ee';
 import '@/workflows/workflows.controller';
+import '@/webhooks/webhooks.controller';
 
 @Service()
 export class Server extends AbstractServer {

packages/cli/src/webhooks/webhook.service.ts

@@ -19,7 +19,7 @@ import { WebhookRepository } from '@/databases/repositories/webhook.repository';
 import { NodeTypes } from '@/node-types';
 import { CacheService } from '@/services/cache/cache.service';
 
-type Method = NonNullable<IHttpRequestMethods>;
+import type { Method } from './webhook.types';
 
 @Service()
 export class WebhookService {

packages/cli/src/webhooks/webhook.types.ts

@@ -35,3 +35,5 @@ export interface IWebhookResponseCallbackData {
 	noWebhookResponse?: boolean;
 	responseCode?: number;
 }
+
+export type Method = NonNullable<IHttpRequestMethods>;

packages/cli/src/webhooks/webhooks.controller.ts

@@ -0,0 +1,23 @@
+import { Post, RestController } from '@n8n/decorators';
+import { Request } from 'express';
+import get from 'lodash/get';
+
+import { WebhookService } from './webhook.service';
+import type { Method } from './webhook.types';
+
+@RestController('/webhooks')
+export class WebhooksController {
+	constructor(private readonly webhookService: WebhookService) {}
+
+	@Post('/find')
+	async findWebhook(req: Request) {
+		const body = get(req, 'body', {}) as { path: string; method: Method };
+
+		try {
+			const webhook = await this.webhookService.findWebhook(body.method, body.path);
+			return webhook;
+		} catch (error) {
+			return null;
+		}
+	}
+}