From 5554ed14b9855bf8e52b614f5c2494cb668df45f Mon Sep 17 00:00:00 2001
From: AdamKorcz
Date: Sat, 18 Nov 2023 15:03:26 +0000
Subject: [PATCH] Add length check to github signature

Signed-off-by: AdamKorcz
---
 github/github.go      | 4 ++++
 github/github_test.go | 9 +++++++++
 2 files changed, 13 insertions(+)

diff --git a/github/github.go b/github/github.go
index 11b5351..a382049 100644
--- a/github/github.go
+++ b/github/github.go
@@ -20,6 +20,7 @@ var (
 	ErrEventNotFound = errors.New("event not defined to be parsed")
 	ErrParsingPayload = errors.New("error parsing payload")
 	ErrHMACVerificationFailed = errors.New("HMAC verification failed")
+	ErrWrongHubSignatureHeader = errors.New("Invalid Github signature")
 )
 
 // Event defines a GitHub hook event type
@@ -163,6 +164,9 @@ func (hook Webhook) Parse(r *http.Request, events ...Event) (interface{}, error)
 	if len(signature) == 0 {
 		return nil, ErrMissingHubSignatureHeader
 	}
+	if len(signature) < 6 {
+		return nil, ErrWrongHubSignatureHeader
+	}
 	mac := hmac.New(sha1.New, []byte(hook.secret))
 	_, _ = mac.Write(payload)
 	expectedMAC := hex.EncodeToString(mac.Sum(nil))
diff --git a/github/github_test.go b/github/github_test.go
index 15d49f2..1a3ab92 100644
--- a/github/github_test.go
+++ b/github/github_test.go
@@ -58,6 +58,15 @@ func TestBadRequests(t *testing.T) {
 		payload io.Reader
 		headers http.Header
 	}{
+		{
+			name: "ShortSignature",
+			event: CreateEvent,
+			payload: bytes.NewBuffer([]byte("{12345}")),
+			headers: http.Header{
+				"X-Github-Event": []string{"commit_comment"},
+				"X-Hub-Signature": []string{"sha1"},
+			},
+		},
 		{
 			name: "BadNoEventHeader",
 			event: CreateEvent,
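Review bot: The new sentinel's message `"Invalid Github signature"` breaks with the lowercase convention every other error in this var block follows (`"event not defined to be parsed"`, `"error parsing payload"`) and spells the product name differently from the `// Event defines a GitHub hook event type` comment two lines below. `ErrWrongHubSignatureHeader = errors.New("invalid GitHub signature header")` would match the siblings and say which header is wrong, which is what callers mapping this to a 400 response will want in the log line. The var block starts outside the hunk.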
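Review bot: The guard `if len(signature) < 6` in Parse encodes the length of a `sha1=` prefix as a magic number and checks only length, so a six-character header with an unrelated prefix still passes it and reaches the HMAC comparison; the value comes straight from an untrusted request header, and the most likely reason for the check is a fixed slice such as `signature[5:]` further down, which is outside the hunk and should be confirmed. Checking the prefix itself is both clearer and stricter: `if !strings.HasPrefix(signature, "sha1=") { return nil, ErrWrongHubSignatureHeader }` (adding the `strings` import if the file lacks it), with a comment such as `// X-Hub-Signature is attacker-controlled; reject anything that is not "sha1=<hex>" before slicing it.` If the number is kept, a named constant like `const sha1SignaturePrefix = "sha1="` and `len(signature) <= len(sha1SignaturePrefix)` would at least document what 6 means. Parse starts and ends outside the hunk.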
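Review bot: The new ShortSignature case sends `"sha1"`, four characters, which does not pin the threshold the production change introduces; a five-character `"X-Hub-Signature": []string{"sha1="}` expected to be rejected, and a six-character value such as `"sha1=a"` expected to pass the length guard and presumably fail on the HMAC comparison instead, would lock in the boundary. As far as this hunk shows the table carries no expected error, so if the loop outside the hunk only asserts `err != nil`, the new case cannot distinguish `ErrWrongHubSignatureHeader` from `ErrMissingHubSignatureHeader` or `ErrHMACVerificationFailed`; an expected-error field compared with `errors.Is` would make the regression test meaningful. The table and TestBadRequests continue outside the hunk.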