fixes

Author: GrantBirki

lib/hooks/core/config_validator.rb

@@ -35,6 +35,11 @@ class ValidationError < StandardError; end
           optional(:secret_env_key).filled(:string)
           optional(:header).filled(:string)
           optional(:algorithm).filled(:string)
+          optional(:timestamp_header).filled(:string)
+          optional(:timestamp_tolerance).filled(:integer, gt?: 0)
+          optional(:format).filled(:string)
+          optional(:version_prefix).filled(:string)
+          optional(:payload_template).filled(:string)
         end
 
         optional(:opts).hash

spec/acceptance/acceptance_tests.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
-require_relative "../spec_helper"
+FAKE_HMAC_SECRET = "octoawesome-secret"
+FAKE_ALT_HMAC_SECRET = "octoawesome-2-secret"
 
 require "rspec"
 require "net/http"
@@ -90,6 +91,17 @@
         expect(response.body).to include("request validation failed")
       end
 
+      it "receives a POST request but it uses the wrong algo" do
+        payload = { action: "push", repository: { name: "test-repo" } }
+        headers = {
+          "Content-Type" => "application/json",
+          "X-Hub-Signature-256" => "sha512=" + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha512"), FAKE_HMAC_SECRET, payload.to_json)
+        }
+        response = http.post("/webhooks/github", payload.to_json, headers)
+        expect(response).to be_a(Net::HTTPUnauthorized)
+        expect(response.body).to include("request validation failed")
+      end
+
       it "successfully processes a valid POST request with HMAC signature" do
         payload = { action: "push", repository: { name: "test-repo" } }
         headers = {
@@ -102,5 +114,17 @@
         expect(body["status"]).to eq("success")
       end
     end
+
+    describe "slack" do
+      it "receives a POST request but contains an invalid HMAC signature" do
+        payload = { text: "Hello, Slack!" }
+        digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha256"), FAKE_ALT_HMAC_SECRET, payload.to_json)
+        headers = { "Content-Type" => "application/json", "Signature-256" => "sha256=#{digest}" }
+        response = http.post("/webhooks/slack", payload.to_json, headers)
+
+        expect(response).to be_a(Net::HTTPUnauthorized)
+        expect(response.body).to include("request validation failed")
+      end
+    end
   end
 end

spec/acceptance/config/endpoints/slack.yaml

@@ -0,0 +1,13 @@
+path: /slack
+handler: SlackHandler
+
+request_validator:
+  type: hmac
+  secret_env_key: ALT_WEBHOOK_SECRET
+  header: Signature-256
+  algorithm: sha256
+  format: "version=signature"  # produces "v0=abc123..."
+  timestamp_header: "X-Timestamp"
+  version_prefix: "v0"
+  payload_template: "v0:{timestamp}:{body}"
+  timestamp_tolerance: 300

spec/acceptance/docker-compose.yml

@@ -9,6 +9,7 @@ services:
     environment:
       LOG_LEVEL: DEBUG
       GITHUB_WEBHOOK_SECRET: "octoawesome-secret"
+      ALT_WEBHOOK_SECRET: "octoawesome-too-secret"
     command: ["script/server"]
     healthcheck:
       test: ["CMD", "curl", "-f", "http://0.0.0.0:8080/health"]

spec/acceptance/handlers/slack_handler.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class SlackHandler < Hooks::Handlers::Base
+  def call(payload:, headers:, config:)
+    return {
+      status: "success"
+    }
+  end
+end

spec/acceptance/handlers/team1_handler.rb

@@ -9,9 +9,6 @@ class Team1Handler < Hooks::Handlers::Base
   # @param config [Hash] Endpoint configuration
   # @return [Hash] Response data
   def call(payload:, headers:, config:)
-    # Log the webhook receipt
-    puts "Team1Handler: Received webhook for #{config.dig(:opts, :teams)&.join(', ')}"
-
     # Process the payload based on type
     if payload.is_a?(Hash)
       event_type = payload[:event_type] || "unknown"

spec/lib/hooks/plugins/request_validator/hmac_spec.rb

@@ -313,6 +313,25 @@ def valid_with(args = {})
         expect(valid_with(payload: base_payload, headers: attacker_headers, config: server_config)).to be false
       end
 
+      it "fails when server expects algorithm-prefixed but receives version-prefixed" do
+        # Server configured for algorithm-prefixed format
+        server_config = {
+          request_validator: {
+            header: "X-Signature",
+            algorithm: "sha256",
+            format: "algorithm=signature"
+          }
+        }
+        # Attacker sends version-prefixed format
+        timestamp = Time.now.to_i.to_s
+        versioned_sig = "v0=" + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha256"), secret, "v0:#{timestamp}:#{base_payload}")
+        attacker_headers = {
+          "X-Signature" => versioned_sig,
+          "X-Timestamp" => timestamp
+        }
+        expect(valid_with(payload: base_payload, headers: attacker_headers, config: server_config)).to be false
+      end
+
       it "fails when algorithm in config differs from signature prefix" do
         # Server configured for sha512
         server_config = {
@@ -429,7 +448,7 @@ def valid_with(args = {})
         expect(valid_with(headers:, config: base_config)).to be false
       end
 
-      it "returns false when timestamp header name case differs" do
+      it "returns true when timestamp header name case differs due to normalization" do
         timestamp = Time.now.to_i.to_s
         signing_payload = "v0:#{timestamp}:#{payload}"
         signature = "v0=" + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha256"), secret, signing_payload)

spec/spec_helper.rb

@@ -7,8 +7,10 @@
 
 TIME_MOCK = "2025-01-01T00:00:00Z"
 FAKE_HMAC_SECRET = "octoawesome-secret"
+FAKE_ALT_HMAC_SECRET = "octoawesome-2-secret"
 
 ENV["GITHUB_WEBHOOK_SECRET"] = FAKE_HMAC_SECRET
+ENV["ALT_WEBHOOK_SECRET"] = FAKE_ALT_HMAC_SECRET
 
 COV_DIR = File.expand_path("../coverage", File.dirname(__FILE__))