Skip to content

fix: address webhook review followups#3

Merged
BunsDev merged 1 commit into
mainfrom
fix/copilot-review-followups
Jul 6, 2026
Merged

fix: address webhook review followups#3
BunsDev merged 1 commit into
mainfrom
fix/copilot-review-followups

Conversation

@BunsDev

@BunsDev BunsDev commented Jul 6, 2026

Copy link
Copy Markdown
Member

Summary

  • Cap webhook request bodies at 10 MB and return 413 Payload Too Large before signature verification.
  • Read the body from WSGI input when CONTENT_LENGTH is missing or unparsable.
  • Tolerate surrounding whitespace on X-Hub-Signature-256 and cover the unconfigured-secret branch.

Why

Copilot left unresolved review threads on #2 for body handling, request-size hardening, signature normalization, and missing misconfiguration coverage. This PR addresses those follow-ups directly.

Verification

  • python3 -m unittest discover -s tests -v
  • python3 -m py_compile coven_github_adapter.py tests/test_webhook_adapter.py
  • git diff --check
  • scripts/smoke-webhook.sh http://127.0.0.1:8765/webhook smoke-secret

Copilot AI review requested due to automatic review settings July 6, 2026 10:47
@BunsDev BunsDev merged commit f886ec5 into main Jul 6, 2026
1 check passed
@BunsDev BunsDev deleted the fix/copilot-review-followups branch July 6, 2026 10:49

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the coven_github_adapter WSGI webhook entrypoint by adding stricter request body handling and improving signature header normalization, aligning with the repo’s role as a thin, always-on forwarder that must safely validate and forward GitHub webhook deliveries.

Changes:

  • Add a 10 MB webhook body cap and return 413 Payload Too Large when CONTENT_LENGTH indicates an oversized request.
  • Read request bodies safely when CONTENT_LENGTH is missing or unparsable (bounded read).
  • Normalize X-Hub-Signature-256 by trimming surrounding whitespace and add tests for these branches (including missing-secret misconfiguration).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
coven_github_adapter.py Adds request-size limiting, bounded body reads for missing/invalid CONTENT_LENGTH, and signature header trimming.
tests/test_webhook_adapter.py Extends test harness to vary CONTENT_LENGTH and adds coverage for the new body/signature/misconfiguration branches.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread coven_github_adapter.py
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants