Merge pull request #136 from leanix/feature/CID-4118/Validate-webhook-signature-before-removing-it

mohamedlajmileanix · web-flow · commit c4fe312ff923 · 2025-07-31T09:35:23.000+02:00
CID-4118: Validate webhook signature
diff --git a/src/main/kotlin/net/leanix/githubagent/services/GitHubWebhookService.kt b/src/main/kotlin/net/leanix/githubagent/services/GitHubWebhookService.kt
@@ -60,6 +60,13 @@ class GitHubWebhookService(
                     logger.error("Invalid signature format, expected 'sha256=' prefix")
                     throw InvalidEventSignatureException()
                 }
+
+                val signatureWithoutPrefix = signature256.removePrefix("sha256=")
+                if (!signatureWithoutPrefix.matches(Regex("^[a-fA-F0-9]{64}$"))) {
+                    logger.error("Invalid signature format, expected a 64-character hexadecimal string after 'sha256='")
+                    throw InvalidEventSignatureException()
+                }
+
                 val hashedSecret = hmacSHA256(gitHubEnterpriseProperties.webhookSecret, payload)
                 val isEqual = timingSafeEqual(signature256.removePrefix("sha256="), hashedSecret)
                 if (!isEqual) throw InvalidEventSignatureException()
diff --git a/src/test/kotlin/net/leanix/githubagent/services/GitHubWebhookServiceTest.kt b/src/test/kotlin/net/leanix/githubagent/services/GitHubWebhookServiceTest.kt
@@ -99,4 +99,27 @@ class GitHubWebhookServiceTest {
             gitHubWebhookService.handleWebhookEvent("PUSH", "known.host", "invalid_signature", "{}")
         }
     }
+
+    @Test
+    fun `should process event with valid signature from event json`() {
+        val payload = """{
+          "action": "created",
+          "installation": {
+            "id": 30,
+            "account": {
+              "login": "test-org",
+              "id": 20
+            }
+          }
+        }"""
+        val secret = "secret"
+        val validSignature = "sha256=042fb14dec4f623e224b1b574e40ff776c341fcd883756256d786a1b95bb3aa8"
+        every { gitHubEnterpriseProperties.baseUrl } returns "known.host"
+        every { gitHubEnterpriseProperties.webhookSecret } returns secret
+        every { webhookEventService.consumeWebhookEvent(any(), any()) } returns Unit
+
+        gitHubWebhookService.handleWebhookEvent("PUSH", "known.host", validSignature, payload)
+
+        verify { webhookEventService.consumeWebhookEvent("PUSH", payload) }
+    }
 }
