Combodo · rquetiez · Jun 20, 2025 · Jun 11, 2025 · Jun 11, 2025 · Jun 11, 2025
diff --git a/datamodel.combodo-webhook-integration.xml b/datamodel.combodo-webhook-integration.xml
@@ -852,22 +852,9 @@
 			/** @var \DBObject $oTriggeringObject */
 			$oTriggeringObject = $aContextArgs['this->object()'];
 
-			// Check if callback is on the object itself
-			if(stripos($sCallbackFQCN, '$this->') !== false)
-			{
-				$sMethodName = str_ireplace('$this->', '', $sCallbackFQCN);
-				$payload = $oTriggeringObject->$sMethodName($aContextArgs, $oLog, $this);
-			}
-			// Otherwise, check if callback is callable as a static method
-			elseif(is_callable($sCallbackFQCN))
-			{
-				$payload = call_user_func($sCallbackFQCN, $oTriggeringObject, $aContextArgs, $oLog, $this);
-			}
-			// Otherwise, there is a problem
-			else
-			{
-				throw new Exception('Prepare payload callback is not callable ('.$sCallbackFQCN.')');
-			}
+			$oCallBack = new CallbackService($sCallbackFQCN);
+			$oCallBack->CheckCallbackSignature('DBObject', ['array', 'EventNotification', 'ActionWebhook']);
+			$oCallBack->Invoke($oTriggeringObject, [$aContextArgs, $oLog, $this]);
 		}
 
 		return $payload;

diff --git a/src/Core/Notification/Action/_ActionWebhook.php b/src/Core/Notification/Action/_ActionWebhook.php
@@ -6,11 +6,14 @@
 use ApplicationContext;
 use Combodo\iTop\Core\Notification\Action\Webhook\Exception\WebhookInvalidJsonValueException;
 use Combodo\iTop\Core\WebResponse;
+use Combodo\iTop\Service\CallbackService;
 use Combodo\iTop\Service\WebRequestSender;
+use DBObject;
 use EventWebhook;
 use Exception;
 use IssueLog;
 use MetaModel;
+use ReflectionException;
 use UserRights;
 use utils;
 
@@ -30,40 +33,29 @@ abstract class _ActionWebhook extends ActionNotification
 	 *
 	 * @throws \ArchivedObjectException
 	 * @throws \CoreException
+	 * @throws ReflectionException
+	 * @throws \Exception
 	 */
 	public static function ExecuteResponseHandler(WebResponse $oResponse, array $aParams)
 	{
 		// Retrieve objects from params
-		if (! array_key_exists('oTriggeringObject', $aParams) || ! array_key_exists('oActionWebhook', $aParams)) {
+		if (!array_key_exists('oTriggeringObject', $aParams) || !array_key_exists('oActionWebhook', $aParams)) {
 			IssueLog::Error('Missing parameters in response handler. Expecting at least oTriggeringObject and oActionWebhook', 'console', [
 				'oResponse' => $oResponse,
 				'aParams' => $aParams,
 			]);
 			throw new Exception('Missing parameters in response handler. See error log for details.');
 		}
-		/** @var \DBObject $oTriggeringObject */
-        $oTriggeringObject = is_object($aParams['oTriggeringObject']) ?
-                            $aParams['oTriggeringObject'] :
-                            MetaModel::GetObject($aParams['oTriggeringObject']['class'], $aParams['oTriggeringObject']['id'], true, true);
+		/** @var DBObject $oTriggeringObject */
+		$oTriggeringObject = is_object($aParams['oTriggeringObject']) ?
+			$aParams['oTriggeringObject'] :
+			MetaModel::GetObject($aParams['oTriggeringObject']['class'], $aParams['oTriggeringObject']['id'], true, true);
 		$oActionWebhook = MetaModel::GetObject($aParams['oActionWebhook']['class'], $aParams['oActionWebhook']['id'], true, true);
+        $sResponseCallback = $oActionWebhook->Get('process_response_callback');
 
-		// Check if callback is on the object itself
-		$sResponseCallback = $oActionWebhook->Get('process_response_callback');
-		if(stripos($sResponseCallback, '$this->') !== false)
-		{
-			$sMethodName = str_ireplace('$this->', '', $sResponseCallback);
-			$oTriggeringObject->$sMethodName($oResponse, $oActionWebhook);
-		}
-		// Otherwise, check if callback is callable as a static method
-		elseif(is_callable($sResponseCallback))
-		{
-			call_user_func($sResponseCallback, $oTriggeringObject, $oResponse, $oActionWebhook);
-		}
-		// Otherwise, there is a problem, we cannot call the callback
-		elseif(empty($sResponseCallback) === false)
-		{
-			throw new Exception('Process response callback is not callable ('.$sResponseCallback.')');
-		}
+        $oCallBack = new CallbackService($sResponseCallback);
+        $oCallBack->CheckCallbackSignature(get_class($oTriggeringObject), ['Combodo\iTop\Core\WebResponse', 'ActionWebhook']);
+        $oCallBack->Invoke($oTriggeringObject, [$oResponse, $oActionWebhook]);
 	}
 
 	/**

diff --git a/src/Service/CallbackService.php b/src/Service/CallbackService.php
@@ -0,0 +1,104 @@
+<?php
+
+namespace Combodo\iTop\Service;
+
+use Exception;
+use IssueLog;
+use ReflectionClass;
+use ReflectionException;
+use SecurityException;
+
+/**
+ * A service that will perform checks on the callback signature of a webhook action.
+ */
+class CallbackService
+{
+	private string $sCallBackDefinition;
+	private string $sCallBackClassName;
+	private string $sCallBackMethodName;
+	private bool $bIsStatic;
+
+	/**
+	 * @throws Exception
+	 */
+	public function __construct(string $sCallBackDefinition)
+	{
+		$this->sCallBackDefinition = $sCallBackDefinition;
+		if (stripos($sCallBackDefinition, '$this->') !== false) {
+			$this->sCallBackMethodName = str_ireplace('$this->', '', $sCallBackDefinition);
+			$this->bIsStatic = false;
+			$this->sCallBackClassName = ''; // we don't need it for non-static methods
+		} else {
+			if (!is_callable($sCallBackDefinition)) {
+				$sMessageError = "The callback '$sCallBackDefinition' is not valid.";
+				IssueLog::Error($sMessageError, 'console');
+				throw new Exception($sMessageError);
+			}
+			$iPos = strrpos($sCallBackDefinition, '::');
+			if ($iPos !== false && $iPos > 0) {
+				$this->sCallBackClassName = substr($sCallBackDefinition, 0, $iPos);
+				$this->sCallBackMethodName = substr($sCallBackDefinition, $iPos + 2);
+				$this->bIsStatic = true;
+			} else {
+				$sMessageError = "The callback '$sCallBackDefinition' is not a valid static method.";
+				IssueLog::Error($sMessageError, 'console');
+				throw new Exception($sMessageError);
+			}
+		}
+	}
+
+	public function IsStatic(): bool
+	{
+		return $this->bIsStatic;
+	}
+	/**
+	 * @throws ReflectionException
+	 * @throws SecurityException
+	 */
+	public function CheckCallbackSignature(string $sTriggeringObjectType, array $aParamsType): void
+	{
+		$iParamCount = 0;
+		if ($this->bIsStatic) { // If the callback is static, we expect the first parameter to be the triggering object type
+			array_unshift($aParamsType, $sTriggeringObjectType);
+		} else {
+			$this->sCallBackClassName = $sTriggeringObjectType;
+		}
+		$oReflector = new ReflectionClass($this->sCallBackClassName);
+		$aCallbackParameters = $oReflector->getMethod($this->sCallBackMethodName)->getParameters();
+		$iRequiredNumberOfParams = count($aParamsType);
+		if (count($aCallbackParameters) !== $iRequiredNumberOfParams) {
+			$sErrorMessage = "The callback method '$this->sCallBackMethodName' of class '$this->sCallBackClassName' must have exactly $iRequiredNumberOfParams parameters.";
+			IssueLog::Error($sErrorMessage);
+			throw new SecurityException($sErrorMessage);
+		}
+		foreach ($aCallbackParameters as $oParam) {
+			if ($oParam->getType() === null) {
+				$sErrorMessage = "The callback method '$this->sCallBackMethodName' of class '$this->sCallBackClassName' must have type-hinted parameters, but parameter {$oParam->getName()} is not type-hinted.";
+				IssueLog::Error($sErrorMessage);
+				throw new SecurityException($sErrorMessage);
+			}
+			if ($oParam->getType()->getName() !== $aParamsType[$iParamCount]) {
+				$sErrorMessage = "The callback method '$this->sCallBackMethodName' of class '$this->sCallBackClassName' must have a first parameter of type '$aParamsType[$iParamCount]', but it has {$oParam->getType()->getName()} instead.";
+				IssueLog::Error($sErrorMessage);
+				throw new SecurityException($sErrorMessage);
+			}
+			$iParamCount++;
+		}
+	}
+
+	/**
+	 * @param $oTriggeringObject
+	 * @param array $aParams
+	 *
+	 * @return mixed
+	 */
+	public function Invoke($oTriggeringObject, array $aParams): mixed
+	{
+		if ($this->bIsStatic) {
+			return call_user_func_array([$this->sCallBackClassName, $this->sCallBackMethodName], array_merge([$oTriggeringObject], $aParams));
+
+		} else {
+			return call_user_func_array([$oTriggeringObject, $this->sCallBackMethodName], $aParams);
+		}
+	}
+}
diff --git a/tests/php-unit-tests/_ActionWebhookTest.php b/tests/php-unit-tests/_ActionWebhookTest.php
@@ -8,15 +8,20 @@
 
 use Combodo\iTop\Core\Notification\Action\_ActionWebhook;
 use Combodo\iTop\Core\Notification\Action\Webhook\Exception\WebhookInvalidJsonValueException;
+use Combodo\iTop\Core\WebResponse;
+use ActionWebhook;
+use Combodo\iTop\Service\CallbackService;
 use Combodo\iTop\Test\UnitTest\ItopTestCase;
+use DBObject;
+use Exception;
+use ReflectionException;
 
-class _ActionWebhookTest extends ItopTestCase {
-	protected function setUp(): void {
+class _ActionWebhookTest extends ItopTestCase
+{
+	protected function setUp(): void
+	{
 		parent::setUp();
-
-		// no datamodel loaded so we need to include module file manually
-		$this->RequireOnceItopFile('env-production/combodo-webhook-integration/src/Core/Notification/Action/_ActionWebhook.php');
-		$this->RequireOnceItopFile('env-production/combodo-webhook-integration/src/Core/Notification/Action/Webhook/Exception/WebhookInvalidJsonValueException.php');
+		$this->RequireOnceItopFile('env-production/combodo-webhook-integration/vendor/autoload.php');
 	}
 
 	/**
@@ -58,4 +63,172 @@ public function IsJsonValidProvider() {
 			'invalid array' => ['{foo:bar}', true],
 		];
 	}
+
+	/**
+	 * @return void
+	 * @dataProvider CheckCallbackSignatureTestProvider
+	 * @throws ReflectionException
+	 * @throws Exception
+	 */
+	public function testCheckCallbackSignature(string $sResponseCallback, $bExpectedException, $sErrorMessage)
+	{
+		if ($bExpectedException) {
+			$this->expectException(\SecurityException::class);
+			$this->expectExceptionMessage($sErrorMessage);
+		} else {
+			$this->expectNotToPerformAssertions();
+		}
+		$oCallBackService = new CallbackService($sResponseCallback);
+		if ($oCallBackService->IsStatic()) {
+			$oCallBackService->CheckCallbackSignature(DBObject::class, ['Combodo\iTop\Core\WebResponse', 'ActionWebhook']);
+		} else {
+			$oCallBackService->CheckCallbackSignature($this::class, ['Combodo\iTop\Core\WebResponse', 'ActionWebhook']);
+		}
+	}
+
+	public function CheckCallbackSignatureTestProvider(): array
+	{
+		return [
+			'Check callback signature with no parameters'                              => [
+				'sResponseCallback' => _ActionWebhookTest::class.'::CallBackWebhookNoParams',
+				'expectedException' => true,
+				'sErrorMessage'     => 'The callback method \'CallBackWebhookNoParams\' of class \'Combodo\iTop\Test\UnitTest\Core\_ActionWebhookTest\' must have exactly 3 parameters.',
+			],
+			'Check callback signature with no parameters on object'                    => [
+				'sResponseCallback' => '$this->CallBackWebhookNoParamsOnObject',
+				'expectedException' => true,
+				'sErrorMessage'     => 'The callback method \'CallBackWebhookNoParamsOnObject\' of class \'Combodo\iTop\Test\UnitTest\Core\_ActionWebhookTest\' must have exactly 2 parameters.',
+			],
+			'Check callback signature with one parameter'                              => [
+				'sResponseCallback' => _ActionWebhookTest::class.'::CallBackWebhookOneParam',
+				'expectedException' => true,
+				'sErrorMessage'     => 'The callback method \'CallBackWebhookOneParam\' of class \'Combodo\iTop\Test\UnitTest\Core\_ActionWebhookTest\' must have exactly 3 parameters.',
+			],
+			'Check callback signature with one parameter on object'                    => [
+				'sResponseCallback' => '$this->CallBackWebhookOneParamOnObject',
+				'expectedException' => true,
+				'sErrorMessage'     => 'The callback method \'CallBackWebhookOneParamOnObject\' of class \'Combodo\iTop\Test\UnitTest\Core\_ActionWebhookTest\' must have exactly 2 parameters.',
+			],
+			'Check callback signature with no type'                                    => [
+				'sResponseCallback' => _ActionWebhookTest::class.'::CallBackWebhookThreeUntypedParams',
+				'expectedException' => true,
+				'sErrorMessage'     => "The callback method 'CallBackWebhookThreeUntypedParams' of class 'Combodo\iTop\Test\UnitTest\Core\_ActionWebhookTest' must have type-hinted parameters, but parameter oDBObject is not type-hinted.",
+			],
+			'Check callback signature with no type on object'                          => [
+				'sResponseCallback' => '$this->CallBackWebhookTwoUntypedParamsOnObject',
+				'expectedException' => true,
+				'sErrorMessage'     => "The callback method 'CallBackWebhookTwoUntypedParamsOnObject' of class 'Combodo\iTop\Test\UnitTest\Core\_ActionWebhookTest' must have type-hinted parameters, but parameter oWebResponse is not type-hinted.",
+			],
+			'Check callback signature with wrong type'                                 => [
+				'sResponseCallback' => _ActionWebhookTest::class.'::CallBackWebhookThreeParamsWithWrongType',
+				'expectedException' => true,
+				'sErrorMessage'     => "The callback method 'CallBackWebhookThreeParamsWithWrongType' of class 'Combodo\iTop\Test\UnitTest\Core\_ActionWebhookTest' must have a first parameter of type 'DBObject', but it has int instead.",
+			],
+			'Check callback signature with wrong type on object'                       => [
+				'sResponseCallback' => '$this->CallBackWebhookTwoParamsWithWrongTypeOnObject',
+				'expectedException' => true,
+				'sErrorMessage'     => "The callback method 'CallBackWebhookTwoParamsWithWrongTypeOnObject' of class 'Combodo\iTop\Test\UnitTest\Core\_ActionWebhookTest' must have a first parameter of type 'Combodo\iTop\Core\WebResponse', but it has int instead.",
+			],
+			'Check callback signature with correct type but incorrect order'           => [
+				'sResponseCallback' => _ActionWebhookTest::class.'::CallBackWebhookThreeParamsCorrectButWrongOrder',
+				'expectedException' => true,
+				'sErrorMessage'     => "Combodo\iTop\Test\UnitTest\Core\_ActionWebhookTest' must have a first parameter of type 'DBObject', but it has Combodo\iTop\Core\WebResponse instead.",
+			],
+			'Check callback signature with correct type but incorrect order on object' => [
+				'sResponseCallback' => '$this->CallBackWebhookTwoParamsCorrectButWrongOrderOnObject',
+				'expectedException' => true,
+				'sErrorMessage'     => "Combodo\iTop\Test\UnitTest\Core\_ActionWebhookTest' must have a first parameter of type 'Combodo\iTop\Core\WebResponse', but it has ActionWebhook instead.",
+			],
+			'Check callback signature with correct type'                               => [
+				'sResponseCallback' => _ActionWebhookTest::class.'::CallBackWebhookThreeParamsCorrect',
+				'expectedException' => false,
+				'sErrorMessage'     => '',
+			],
+			'Check callback signature with correct type on object'                     => [
+				'sResponseCallback' => '$this->CallBackWebhookTwoParamsCorrectOnObject',
+				'expectedException' => false,
+				'sErrorMessage'     => '',
+			],
+			'Check callback signature with correct type and namespace'                 => [
+				'sResponseCallback' => _ActionWebhookTest::class.'::CallBackWebhookThreeParamsCorrectWithNamespace',
+				'expectedException' => false,
+				'sErrorMessage'     => '',
+			],
+			'Check callback signature with correct type and namespace on object'       => [
+				'sResponseCallback' => '$this->CallBackWebhookTwoParamsCorrectWithNamespaceOnObject',
+				'expectedException' => false,
+				'sErrorMessage'     => '',
+			],
+		];
+	}
+
+	public static function CallBackWebhookNoParams()
+	{
+		// This method is intentionally left empty to test the callback signature
+	}
+
+	public static function CallBackWebhookOneParam(int $i)
+	{
+		// This method is intentionally left empty to test the callback signature
+	}
+
+	public static function CallBackWebhookThreeUntypedParams($oDBObject, $oWebResponse, $oActionWebhook)
+	{
+		// This method is intentionally left empty to test the callback signature
+	}
+
+	public static function CallBackWebhookThreeParamsWithWrongType(int $oDBObject, $oWebResponse, $oActionWebhook)
+	{
+		// This method is intentionally left empty to test the callback signature
+	}
+
+	public static function CallBackWebhookThreeParamsCorrectButWrongOrder(WebResponse $oWebResponse, DBObject $oDBObject, ActionWebhook $oActionWebhook)
+	{
+		// This method is intentionally left empty to test the callback signature
+	}
+
+	public static function CallBackWebhookThreeParamsCorrect(DBObject $oDBObject, WebResponse $oWebResponse, ActionWebhook $oActionWebhook)
+	{
+		// This method is intentionally left empty to test the callback signature
+	}
+
+	public static function CallBackWebhookThreeParamsCorrectWithNamespace(\DBObject $oDBObject, \Combodo\iTop\Core\WebResponse $oWebResponse, \ActionWebhook $oActionWebhook)
+	{
+		// This method is intentionally left empty to test the callback signature
+	}
+
+	private function CallBackWebhookNoParamsOnObject()
+	{
+		// This method is intentionally left empty to test the callback signature
+	}
+
+	private function CallBackWebhookOneParamOnObject(int $i)
+	{
+		// This method is intentionally left empty to test the callback signature
+	}
+
+	private function CallBackWebhookTwoUntypedParamsOnObject($oWebResponse, $oActionWebhook)
+	{
+		// This method is intentionally left empty to test the callback signature
+	}
+
+	private function CallBackWebhookTwoParamsWithWrongTypeOnObject(int $oWebResponse, $oActionWebhook)
+	{
+		// This method is intentionally left empty to test the callback signature
+	}
+
+	private function CallBackWebhookTwoParamsCorrectButWrongOrderOnObject(ActionWebhook $oActionWebhook, WebResponse $oWebResponse)
+	{
+		// This method is intentionally left empty to test the callback signature
+	}
+
+	private function CallBackWebhookTwoParamsCorrectOnObject( WebResponse $oWebResponse, ActionWebhook $oActionWebhook)
+	{
+		// This method is intentionally left empty to test the callback signature
+	}
+
+	private function CallBackWebhookTwoParamsCorrectWithNamespaceOnObject(\Combodo\iTop\Core\WebResponse $oWebResponse, \ActionWebhook $oActionWebhook)
+	{
+		// This method is intentionally left empty to test the callback signature
+	}
 }