Verify X-Hub-Signature-256

Alexendoo · Alexendoo · commit 659c4bfd9275 · 2025-05-09T13:30:38.000+01:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -46,9 +46,8 @@ cron = { version = "0.15.0" }
 bytes = "1.1.0"
 structopt = "0.3.26"
 hmac = "0.12.1"
-sha1 = "0.10.6"
-digest = "0.10.7"
 subtle = "2.6.1"
+sha2 = "0.10.9"
 
 [dependencies.serde]
 version = "1"
diff --git a/src/main.rs b/src/main.rs
@@ -190,20 +190,22 @@ async fn serve_req(
             .unwrap());
     };
     log::debug!("event={}", event);
-    let signature = if let Some(sig) = req.headers.get("X-Hub-Signature") {
+    let signature = if let Some(sig) = req.headers.get("X-Hub-Signature-256") {
         match sig.to_str().ok() {
             Some(v) => v,
             None => {
                 return Ok(Response::builder()
                     .status(StatusCode::BAD_REQUEST)
-                    .body(Body::from("X-Hub-Signature header must be UTF-8 encoded"))
+                    .body(Body::from(
+                        "X-Hub-Signature-256 header must be UTF-8 encoded",
+                    ))
                     .unwrap());
             }
         }
     } else {
         return Ok(Response::builder()
             .status(StatusCode::BAD_REQUEST)
-            .body(Body::from("X-Hub-Signature header must be set"))
+            .body(Body::from("X-Hub-Signature-256 header must be set"))
             .unwrap());
     };
     log::debug!("signature={}", signature);
diff --git a/src/payload.rs b/src/payload.rs
@@ -1,5 +1,5 @@
 use hmac::{Hmac, Mac};
-use sha1::Sha1;
+use sha2::Sha256;
 use std::fmt;
 
 #[derive(Debug)]
@@ -14,7 +14,9 @@ impl fmt::Display for SignedPayloadError {
 impl std::error::Error for SignedPayloadError {}
 
 pub fn assert_signed(signature: &str, payload: &[u8]) -> Result<(), SignedPayloadError> {
-    let signature = signature.get("sha1=".len()..).ok_or(SignedPayloadError)?;
+    let signature = signature
+        .strip_prefix("sha256=")
+        .ok_or(SignedPayloadError)?;
     let signature = match hex::decode(&signature) {
         Ok(e) => e,
         Err(e) => {
@@ -23,7 +25,7 @@ pub fn assert_signed(signature: &str, payload: &[u8]) -> Result<(), SignedPayloa
         }
     };
 
-    let mut mac = Hmac::<Sha1>::new_from_slice(
+    let mut mac = Hmac::<Sha256>::new_from_slice(
         std::env::var("GITHUB_WEBHOOK_SECRET")
             .expect("Missing GITHUB_WEBHOOK_SECRET")
             .as_bytes(),
