Fix: Replace crypto (#429)

* Fix: Replace crypto

* Remove comments

* Upgrade zeit to vercel

* Upgrade zeit to vercel

Author: npalm

modules/webhook/lambdas/webhook/package.json

@@ -11,7 +11,6 @@
     "dist": "yarn build && cd dist && zip ../webhook.zip index.js"
   },
   "devDependencies": {
-    "@octokit/webhooks": "^7.21.0",
     "@types/express": "^4.17.9",
     "@types/jest": "^26.0.19",
     "@types/node": "^14.14.16",
@@ -26,6 +25,6 @@
   },
   "dependencies": {
     "@octokit/rest": "^18.0.12",
-    "crypto": "^1.0.1"
+    "@octokit/webhooks": "^7.21.0"
   }
-}
+}

modules/webhook/lambdas/webhook/src/webhook/handler.ts

@@ -1,21 +1,17 @@
 import { IncomingHttpHeaders } from 'http';
-import crypto from 'crypto';
+import { Webhooks } from '@octokit/webhooks';
 import { sendActionRequest } from '../sqs';
 import { EventPayloads } from '@octokit/webhooks';
 import { KMS } from 'aws-sdk';
 import { decrypt } from '../kms';
 
-function signRequestBody(key: string, body: any) {
-  return `sha1=${crypto.createHmac('sha1', key).update(body, 'utf8').digest('hex')}`;
-}
-
 export const handle = async (headers: IncomingHttpHeaders, payload: any): Promise<number> => {
   // ensure header keys lower case since github headers can contain capitals.
   for (const key in headers) {
     headers[key.toLowerCase()] = headers[key];
   }
 
-  const signature = headers['x-hub-signature'];
+  const signature = headers['x-hub-signature'] as string;
   if (!signature) {
     console.error("Github event doesn't have signature. This webhook requires a secret to be configured.");
     return 500;
@@ -31,13 +27,15 @@ export const handle = async (headers: IncomingHttpHeaders, payload: any): Promis
     return 500;
   }
 
-  const calculatedSig = signRequestBody(secret, payload);
-  if (signature !== calculatedSig) {
+  const webhooks = new Webhooks({
+    secret: secret,
+  });
+  if (!webhooks.verify(payload, signature)) {
     console.error('Unable to verify signature!');
     return 401;
   }
 
-  const githubEvent = headers['x-github-event'];
+  const githubEvent = headers['x-github-event'] as string;
 
   console.debug(`Received Github event: "${githubEvent}"`);
 

modules/webhook/lambdas/webhook/yarn.lock

@@ -1411,11 +1411,6 @@ cross-spawn@^7.0.0:
     shebang-command "^2.0.0"
     which "^2.0.1"
 
-crypto@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/crypto/-/crypto-1.0.1.tgz#2af1b7cad8175d24c8a1b0778255794a21803037"
-  integrity sha512-VxBKmeNcqQdiUQUW2Tzq0t377b54N2bMtXO/qiLa+6eRRmmC4qT3D4OnTGoT/U6O9aklQ/jTwbOtRMTTY8G0Ig==
-
 cssom@^0.4.4:
   version "0.4.4"
   resolved "https://registry.yarnpkg.com/cssom/-/cssom-0.4.4.tgz#5a66cf93d2d0b661d80bf6a44fb65f5c2e4e0a10"