From 112b8daeeb82a02ffc382affdb4de957b5f23fc6 Mon Sep 17 00:00:00 2001
From: Phillip Davis <phdavis1027@gmail.com>
Date: Wed, 25 Feb 2026 17:46:48 -0500
Subject: [PATCH] fix(webhook): reject empty body with no media

When text is empty/nil and there is no media, return 400 instead of
falling through to message construction with nil text.
---
 sgx-bwmsgsv2.rb              |  4 ++++
 test/test_webhook_handler.rb | 23 +++++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/sgx-bwmsgsv2.rb b/sgx-bwmsgsv2.rb
index 584dc0b8efcd42242a766f038f5e4a2d66d12d8d..f5a586942a734952f83769f9f8c5a78f46a1a401 100755
--- a/sgx-bwmsgsv2.rb
+++ b/sgx-bwmsgsv2.rb
@@ -1046,6 +1046,10 @@ class WebhookHandler < Goliath::API
 				# TODO: handle group chat, and fix above
 				text = jparams['text']
 
+				if text.to_s.empty? && Array(jparams['media']).empty?
+					return [400, {}, "Missing params\n"]
+				end
+
 				if jparams['to'].length > 1
 					msg = Blather::Stanza::Message.new(
 						Blather::JID.new(bare_jid).domain
diff --git a/test/test_webhook_handler.rb b/test/test_webhook_handler.rb
index 7ddd3a582ca8ca61133a9444058b806b79d82f34..291e76bcd6ebe2b225a15bce4bd092313a4c46cb 100644
--- a/test/test_webhook_handler.rb
+++ b/test/test_webhook_handler.rb
@@ -375,4 +375,27 @@ class WebhookHandlerTest < Minitest::Test
 		assert_equal "Check this", text_msg.body
 	end
 	em :test_message_received_single_recipient_with_media_stanza
+
+	def test_message_received_empty_body_no_media_returns_400
+		payload = {
+			"type" => "message-received",
+			"to" => "+15550000000",
+			"message" => {
+				"id" => "bw-in-empty-001",
+				"direction" => "in",
+				"owner" => "+15550000000",
+				"from" => "+15551234567",
+				"to" => ["+15550000000"],
+				"time" => "2025-01-13T10:00:00Z",
+				"text" => ""
+			}
+		}
+
+		result = invoke_webhook(payload)
+		assert_equal [400, {}, "Missing params\n"], result
+		assert_empty written
+		entries = REDIS.stream_entries("messages").sync
+		assert_equal 0, entries.length
+	end
+	em :test_message_received_empty_body_no_media_returns_400
 end