Merge pull request #135 from leanix/feature/CID-4118/Validate-webhook-signature-before-removing-it

CID-4118: Validate webhook signature before processing

Author: mohamedlajmileanix

src/main/kotlin/net/leanix/githubagent/services/GitHubWebhookService.kt

@@ -56,6 +56,10 @@ class GitHubWebhookService(
                 throw WebhookSecretNotSetException()
             }
             if (gitHubEnterpriseProperties.webhookSecret.isNotBlank() && signature256 != null) {
+                if (!signature256.startsWith("sha256=")) {
+                    logger.error("Invalid signature format, expected 'sha256=' prefix")
+                    throw InvalidEventSignatureException()
+                }
                 val hashedSecret = hmacSHA256(gitHubEnterpriseProperties.webhookSecret, payload)
                 val isEqual = timingSafeEqual(signature256.removePrefix("sha256="), hashedSecret)
                 if (!isEqual) throw InvalidEventSignatureException()

src/test/kotlin/net/leanix/githubagent/services/GitHubWebhookServiceTest.kt

@@ -89,4 +89,14 @@ class GitHubWebhookServiceTest {
 
         verify(exactly = 0) { webhookEventService.consumeWebhookEvent(any(), any()) }
     }
+
+    @Test
+    fun `should throw InvalidEventSignatureException when signature does not start with sha256=`() {
+        every { gitHubEnterpriseProperties.baseUrl } returns "known.host"
+        every { gitHubEnterpriseProperties.webhookSecret } returns "secret"
+
+        assertThrows<InvalidEventSignatureException> {
+            gitHubWebhookService.handleWebhookEvent("PUSH", "known.host", "invalid_signature", "{}")
+        }
+    }
 }