Do validate the SHA-256 signature

dscho · dscho · commit 568a2c78b102 · 2023-08-16T23:31:12.000+02:00
Not that SHA-1 is _practically_ broken yet... but still...

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
diff --git a/GitGitGadget/index.js b/GitGitGadget/index.js
@@ -19,16 +19,16 @@ const validateGitHubWebHook = (context) => {
     if (context.req.headers['content-type'] !== 'application/json') {
         throw new Error('Unexpected content type: ' + context.req.headers['content-type']);
     }
-    const signature = context.req.headers['x-hub-signature'];
+    const signature = context.req.headers['x-hub-signature-256'];
     if (!signature) {
         throw new Error('Missing X-Hub-Signature');
     }
-    const sha1 = signature.match(/^sha1=(.*)/);
-    if (!sha1) {
+    const sha256 = signature.match(/^sha256=(.*)/);
+    if (!sha256) {
         throw new Error('Unexpected X-Hub-Signature format: ' + signature);
     }
-    const computed = crypto.createHmac('sha1', secret).update(context.req.rawBody).digest('hex');
-    if (sha1[1] !== computed) {
+    const computed = crypto.createHmac('sha256', secret).update(context.req.rawBody).digest('hex');
+    if (sha256[1] !== computed) {
         throw new Error('Incorrect X-Hub-Signature');
     }
 }
diff --git a/__tests__/index.test.js b/__tests__/index.test.js
@@ -38,10 +38,10 @@ test('reject requests other than webhook payloads', async () => {
     context.req.headers['content-type'] = 'application/json'
     await expectInvalidWebhook('Missing X-Hub-Signature')
 
-    context.req.headers['x-hub-signature'] = 'invalid'
+    context.req.headers['x-hub-signature-256'] = 'invalid'
     await expectInvalidWebhook('Unexpected X-Hub-Signature format: invalid')
 
-    context.req.headers['x-hub-signature'] = 'sha1=incorrect'
+    context.req.headers['x-hub-signature-256'] = 'sha256=incorrect'
     context.req.rawBody = '# empty'
     await expectInvalidWebhook('Incorrect X-Hub-Signature')
 })

Original file line number	Diff line number	Diff line change
`@@ -19,16 +19,16 @@ const validateGitHubWebHook = (context) => {`
`19`	`19`	`if (context.req.headers['content-type'] !== 'application/json') {`
`20`	`20`	`throw new Error('Unexpected content type: ' + context.req.headers['content-type']);`
`21`	`21`	`}`
`22`		`- const signature = context.req.headers['x-hub-signature'];`
	`22`	`+ const signature = context.req.headers['x-hub-signature-256'];`
`23`	`23`	`if (!signature) {`
`24`	`24`	`throw new Error('Missing X-Hub-Signature');`
`25`	`25`	`}`
`26`		`- const sha1 = signature.match(/^sha1=(.*)/);`
`27`		`- if (!sha1) {`
	`26`	`+ const sha256 = signature.match(/^sha256=(.*)/);`
	`27`	`+ if (!sha256) {`
`28`	`28`	`throw new Error('Unexpected X-Hub-Signature format: ' + signature);`
`29`	`29`	`}`
`30`		`- const computed = crypto.createHmac('sha1', secret).update(context.req.rawBody).digest('hex');`
`31`		`- if (sha1[1] !== computed) {`
	`30`	`+ const computed = crypto.createHmac('sha256', secret).update(context.req.rawBody).digest('hex');`
	`31`	`+ if (sha256[1] !== computed) {`
`32`	`32`	`throw new Error('Incorrect X-Hub-Signature');`
`33`	`33`	`}`
`34`	`34`	`}`