Fix #1021 bolt-servlet improperly returns 200 OK with empty string to invalid requests (#1022)

Author: seratch

bolt-http4k/src/test/java/test_locally/Http4kSlackAppTest.java

@@ -139,7 +139,7 @@ public void slackEvents_commandNotFound() {
 
     @Test
     public void workWithEmptyOrNullResponseBody() {
-        Response expected = Response.Companion.create(Status.OK).header("Content-Type", "plain/text").body("");
+        Response expected = Response.Companion.create(Status.OK).header("Content-Type", "text/plain").body("");
         Response response = simpleSlackApp.invoke(slackEventRequest("command=do-nothing"));
         assertThat(response, equalTo(expected));
     }

bolt-jakarta-servlet/src/main/java/com/slack/api/bolt/jakarta_servlet/SlackAppServlet.java

@@ -41,6 +41,8 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws I
                 resp.setContentType("application/json");
                 resp.getWriter().write("{\"error\":\"Something is wrong\"}");
             }
+        } else {
+            adapter.writeResponse(resp, Response.builder().statusCode(400).body("Invalid Request").build());
         }
     }
 }

bolt-jakarta-servlet/src/test/java/test_locally/servlet_test/InvalidRequestPatternTest.java

@@ -0,0 +1,130 @@
+package test_locally.servlet_test;
+
+import com.slack.api.app_backend.SlackSignature;
+import com.slack.api.bolt.App;
+import com.slack.api.bolt.AppConfig;
+import com.slack.api.bolt.jakarta_servlet.SlackAppServlet;
+import com.slack.api.bolt.middleware.builtin.RequestVerification;
+import jakarta.servlet.Servlet;
+import jakarta.servlet.annotation.WebServlet;
+import lombok.extern.slf4j.Slf4j;
+import org.eclipse.jetty.http.HttpTester;
+import org.eclipse.jetty.servlet.ServletTester;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.util.Arrays;
+
+import static org.hamcrest.CoreMatchers.*;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+@Slf4j
+public class InvalidRequestPatternTest {
+
+    private final String secret = "foo-bar-baz";
+    private final SlackSignature.Generator generator = new SlackSignature.Generator(secret);
+    private AppConfig appConfig = AppConfig.builder().singleTeamBotToken("xoxb-").signingSecret(secret).build();
+    private App app;
+    private Servlet webApp;
+
+    @Before
+    public void setUp() {
+        // https://api.slack.com/docs/verifying-requests-from-slack
+        String signingSecret = appConfig.getSigningSecret();
+        if (signingSecret == null || signingSecret.trim().isEmpty()) {
+            // This is just a random value to avoid SlackSignature.Generator's initialization error.
+            // When this App runs through Socket Mode connections, it skips request signature verification.
+            signingSecret = "---";
+        }
+        SlackSignature.Verifier verifier = new SlackSignature.Verifier(new SlackSignature.Generator(signingSecret));
+        RequestVerification requestVerification = new RequestVerification(verifier);
+        app = new App(appConfig, Arrays.asList(
+                requestVerification
+        ));
+        webApp = new SlackWebApp(app);
+        app.start();
+    }
+
+    @After
+    public void tearDown() {
+        app.stop();
+    }
+
+    @WebServlet(urlPatterns = "/")
+    public static class SlackWebApp extends SlackAppServlet {
+        public SlackWebApp(App app) {
+            super(app);
+        }
+    }
+
+    @Test
+    public void valid() throws Exception {
+        ServletTester tester = TestUtils.getServletTester(webApp);
+        HttpTester.Request request = TestUtils.prepareRequest();
+
+        String requestBody = "{\n" +
+                "  \"token\": \"fixed-value\",\n" +
+                "  \"challenge\": \"challenge-value\",\n" +
+                "  \"type\": \"url_verification\"\n" +
+                "}";
+        request.setContent(requestBody);
+        String timestamp = String.valueOf(System.currentTimeMillis() / 1000);
+        request.setHeader(SlackSignature.HeaderNames.X_SLACK_REQUEST_TIMESTAMP, timestamp);
+        request.setHeader(SlackSignature.HeaderNames.X_SLACK_SIGNATURE, generator.generate(timestamp, requestBody));
+        request.setHeader("Content-Type", "application/json");
+
+        HttpTester.Response response = HttpTester.parseResponse(tester.getResponses(request.generate()));
+
+        assertThat(response.getStatus(), is(equalTo(200)));
+        assertThat(response.getContent(), is(equalTo("challenge-value")));
+        assertThat(response.get("Content-Type"), is(startsWith("text/plain;charset=ISO-8859-1")));
+    }
+
+    @Test
+    public void nonsense() throws Exception {
+        ServletTester tester = TestUtils.getServletTester(webApp);
+        HttpTester.Request request = TestUtils.prepareRequest();
+
+        String requestBody = "{\n" +
+                "  \"token\": \"fixed-value\",\n" +
+                "  \"challenge\": \"challenge-value\",\n" +
+                "  \"type\": \"nonsense\"\n" +
+                "}";
+        request.setContent(requestBody);
+        String timestamp = String.valueOf(System.currentTimeMillis() / 1000);
+        request.setHeader(SlackSignature.HeaderNames.X_SLACK_REQUEST_TIMESTAMP, timestamp);
+        request.setHeader(SlackSignature.HeaderNames.X_SLACK_SIGNATURE, generator.generate(timestamp, requestBody));
+        request.setHeader("Content-Type", "application/json");
+
+        HttpTester.Response response = HttpTester.parseResponse(tester.getResponses(request.generate()));
+
+        assertThat(response.getStatus(), is(equalTo(400)));
+        assertThat(response.getContent(), is(equalTo("Invalid Request")));
+        assertThat(response.get("Content-Type"), is(startsWith("text/plain;charset=ISO-8859-1")));
+    }
+
+    @Test
+    public void invalidSignature() throws Exception {
+        ServletTester tester = TestUtils.getServletTester(webApp);
+        HttpTester.Request request = TestUtils.prepareRequest();
+
+        String requestBody = "{\n" +
+                "  \"token\": \"fixed-value\",\n" +
+                "  \"challenge\": \"challenge-value\",\n" +
+                "  \"type\": \"url_verification\"\n" +
+                "}";
+        request.setContent(requestBody);
+        String timestamp = String.valueOf(System.currentTimeMillis() / 1000);
+        request.setHeader(SlackSignature.HeaderNames.X_SLACK_REQUEST_TIMESTAMP, timestamp);
+        SlackSignature.Generator differentGenerator = new SlackSignature.Generator("a different app's secret");
+        request.setHeader(SlackSignature.HeaderNames.X_SLACK_SIGNATURE, differentGenerator.generate(timestamp, requestBody));
+        request.setHeader("Content-Type", "application/json");
+
+        HttpTester.Response response = HttpTester.parseResponse(tester.getResponses(request.generate()));
+
+        assertThat(response.getStatus(), is(equalTo(401)));
+        assertThat(response.getContent(), is(equalTo("{\"error\":\"invalid request\"}")));
+        assertThat(response.get("Content-Type"), is(startsWith("application/json")));
+    }
+}

bolt-jakarta-servlet/src/test/java/test_locally/servlet_test/SlashCommandTest.java

@@ -134,7 +134,7 @@ public void echo() throws Exception {
 
         assertThat(response.getContent(), is(equalTo("")));
         assertThat(response.getStatus(), is(equalTo(200)));
-        assertThat(response.get("Content-Type"), is(startsWith("plain/text")));
+        assertThat(response.get("Content-Type"), is(startsWith("text/plain")));
         assertThat(echoCalls.get(), is(1));
 
         verify(echoSenderMock, times(1)).send(Mockito.any(SlashCommandResponse.class));

bolt-servlet/src/main/java/com/slack/api/bolt/servlet/SlackAppServlet.java

@@ -41,6 +41,8 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws I
                 resp.setContentType("application/json");
                 resp.getWriter().write("{\"error\":\"Something is wrong\"}");
             }
+        } else {
+            adapter.writeResponse(resp, Response.builder().statusCode(400).body("Invalid Request").build());
         }
     }
 }

bolt-servlet/src/test/java/test_locally/servlet/SlackOAuthAppServletTest.java

@@ -26,20 +26,6 @@ public void instantiation() {
         assertEquals(app, servlet.getApp());
     }
 
-    String slashCommandPayload = "token=gIkuvaNzQIHg97ATvDxqgjtO" +
-            "&team_id=T0001" +
-            "&team_domain=example" +
-            "&enterprise_id=E0001" +
-            "&enterprise_name=Globular%20Construct%20Inc" +
-            "&channel_id=C2147483705" +
-            "&channel_name=test" +
-            "&user_id=U2147483697" +
-            "&user_name=Steve" +
-            "&command=/weather" +
-            "&text=94070" +
-            "&response_url=https://hooks.slack.com/commands/1234/5678" +
-            "&trigger_id=13345224609.738474920.8088930838d88f008e0";
-
     static class SimpleServletInputStream extends ServletInputStream {
         final ByteArrayInputStream body;
 

bolt-servlet/src/test/java/test_locally/servlet_test/InvalidRequestPatternTest.java

@@ -0,0 +1,130 @@
+package test_locally.servlet_test;
+
+import com.slack.api.app_backend.SlackSignature;
+import com.slack.api.bolt.App;
+import com.slack.api.bolt.AppConfig;
+import com.slack.api.bolt.middleware.builtin.RequestVerification;
+import com.slack.api.bolt.servlet.SlackAppServlet;
+import lombok.extern.slf4j.Slf4j;
+import org.eclipse.jetty.http.HttpTester;
+import org.eclipse.jetty.servlet.ServletTester;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import javax.servlet.Servlet;
+import javax.servlet.annotation.WebServlet;
+import java.util.Arrays;
+
+import static org.hamcrest.CoreMatchers.*;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+@Slf4j
+public class InvalidRequestPatternTest {
+
+    private final String secret = "foo-bar-baz";
+    private final SlackSignature.Generator generator = new SlackSignature.Generator(secret);
+    private AppConfig appConfig = AppConfig.builder().singleTeamBotToken("xoxb-").signingSecret(secret).build();
+    private App app;
+    private Servlet webApp;
+
+    @Before
+    public void setUp() {
+        // https://api.slack.com/docs/verifying-requests-from-slack
+        String signingSecret = appConfig.getSigningSecret();
+        if (signingSecret == null || signingSecret.trim().isEmpty()) {
+            // This is just a random value to avoid SlackSignature.Generator's initialization error.
+            // When this App runs through Socket Mode connections, it skips request signature verification.
+            signingSecret = "---";
+        }
+        SlackSignature.Verifier verifier = new SlackSignature.Verifier(new SlackSignature.Generator(signingSecret));
+        RequestVerification requestVerification = new RequestVerification(verifier);
+        app = new App(appConfig, Arrays.asList(
+                requestVerification
+        ));
+        webApp = new SlackWebApp(app);
+        app.start();
+    }
+
+    @After
+    public void tearDown() {
+        app.stop();
+    }
+
+    @WebServlet(urlPatterns = "/")
+    public static class SlackWebApp extends SlackAppServlet {
+        public SlackWebApp(App app) {
+            super(app);
+        }
+    }
+
+    @Test
+    public void valid() throws Exception {
+        ServletTester tester = TestUtils.getServletTester(webApp);
+        HttpTester.Request request = TestUtils.prepareRequest();
+
+        String requestBody = "{\n" +
+                "  \"token\": \"fixed-value\",\n" +
+                "  \"challenge\": \"challenge-value\",\n" +
+                "  \"type\": \"url_verification\"\n" +
+                "}";
+        request.setContent(requestBody);
+        String timestamp = String.valueOf(System.currentTimeMillis() / 1000);
+        request.setHeader(SlackSignature.HeaderNames.X_SLACK_REQUEST_TIMESTAMP, timestamp);
+        request.setHeader(SlackSignature.HeaderNames.X_SLACK_SIGNATURE, generator.generate(timestamp, requestBody));
+        request.setHeader("Content-Type", "application/json");
+
+        HttpTester.Response response = HttpTester.parseResponse(tester.getResponses(request.generate()));
+
+        assertThat(response.getStatus(), is(equalTo(200)));
+        assertThat(response.getContent(), is(equalTo("challenge-value")));
+        assertThat(response.get("Content-Type"), is(startsWith("text/plain; charset=ISO-8859-1")));
+    }
+
+    @Test
+    public void nonsense() throws Exception {
+        ServletTester tester = TestUtils.getServletTester(webApp);
+        HttpTester.Request request = TestUtils.prepareRequest();
+
+        String requestBody = "{\n" +
+                "  \"token\": \"fixed-value\",\n" +
+                "  \"challenge\": \"challenge-value\",\n" +
+                "  \"type\": \"nonsense\"\n" +
+                "}";
+        request.setContent(requestBody);
+        String timestamp = String.valueOf(System.currentTimeMillis() / 1000);
+        request.setHeader(SlackSignature.HeaderNames.X_SLACK_REQUEST_TIMESTAMP, timestamp);
+        request.setHeader(SlackSignature.HeaderNames.X_SLACK_SIGNATURE, generator.generate(timestamp, requestBody));
+        request.setHeader("Content-Type", "application/json");
+
+        HttpTester.Response response = HttpTester.parseResponse(tester.getResponses(request.generate()));
+
+        assertThat(response.getStatus(), is(equalTo(400)));
+        assertThat(response.getContent(), is(equalTo("Invalid Request")));
+        assertThat(response.get("Content-Type"), is(startsWith("text/plain; charset=ISO-8859-1")));
+    }
+
+    @Test
+    public void invalidSignature() throws Exception {
+        ServletTester tester = TestUtils.getServletTester(webApp);
+        HttpTester.Request request = TestUtils.prepareRequest();
+
+        String requestBody = "{\n" +
+                "  \"token\": \"fixed-value\",\n" +
+                "  \"challenge\": \"challenge-value\",\n" +
+                "  \"type\": \"url_verification\"\n" +
+                "}";
+        request.setContent(requestBody);
+        String timestamp = String.valueOf(System.currentTimeMillis() / 1000);
+        request.setHeader(SlackSignature.HeaderNames.X_SLACK_REQUEST_TIMESTAMP, timestamp);
+        SlackSignature.Generator differentGenerator = new SlackSignature.Generator("a different app's secret");
+        request.setHeader(SlackSignature.HeaderNames.X_SLACK_SIGNATURE, differentGenerator.generate(timestamp, requestBody));
+        request.setHeader("Content-Type", "application/json");
+
+        HttpTester.Response response = HttpTester.parseResponse(tester.getResponses(request.generate()));
+
+        assertThat(response.getStatus(), is(equalTo(401)));
+        assertThat(response.getContent(), is(equalTo("{\"error\":\"invalid request\"}")));
+        assertThat(response.get("Content-Type"), is(startsWith("application/json")));
+    }
+}

bolt-servlet/src/test/java/test_locally/servlet_test/SlashCommandTest.java

@@ -134,7 +134,7 @@ public void echo() throws Exception {
 
         assertThat(response.getContent(), is(equalTo("")));
         assertThat(response.getStatus(), is(equalTo(200)));
-        assertThat(response.get("Content-Type"), is(startsWith("plain/text")));
+        assertThat(response.get("Content-Type"), is(startsWith("text/plain")));
         assertThat(echoCalls.get(), is(1));
 
         verify(echoSenderMock, times(1)).send(Mockito.any(SlashCommandResponse.class));

bolt/src/main/java/com/slack/api/bolt/response/Response.java

@@ -23,7 +23,7 @@ public class Response {
     @Builder.Default
     private Integer statusCode = 200;
     @Builder.Default
-    private String contentType = "plain/text";
+    private String contentType = "text/plain";
     @Builder.Default
     private Map<String, List<String>> headers = new HashMap<>();
     private String body;