fix(gogs): fix formatting JSON payload before calculating signature (closes #336)

jkuri · jkuri · commit 0552fb538a38 · 2018-04-29T17:07:56.000+02:00
diff --git a/src/api/webhooks.ts b/src/api/webhooks.ts
@@ -401,6 +401,7 @@ webhooks.post('/gogs', (req: express.Request, res: express.Response) => {
           break;
         case 'release':
           res.status(200).json({ msg: 'ok' });
+          break;
         case 'pull_request':
           switch (payload.action) {
             case 'opened':
@@ -473,6 +474,6 @@ function verifyGithubWebhook(signature: string, payload: any, secret: string): b
 }
 
 function verifyGogsWebhook(signature: string, payload: any, secret: string): boolean {
-  let sig = `${crypto.createHmac('sha256', secret).update(JSON.stringify(payload)).digest('hex')}`;
+  let sig = `${crypto.createHmac('sha256', secret).update(JSON.stringify(payload, null, 2)).digest('hex')}`;
   return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(sig));
 }

Original file line number	Diff line number	Diff line change
`@@ -401,6 +401,7 @@ webhooks.post('/gogs', (req: express.Request, res: express.Response) => {`
`401`	`401`	`break;`
`402`	`402`	`case 'release':`
`403`	`403`	`res.status(200).json({ msg: 'ok' });`
	`404`	`+ break;`
`404`	`405`	`case 'pull_request':`
`405`	`406`	`switch (payload.action) {`
`406`	`407`	`case 'opened':`
`@@ -473,6 +474,6 @@ function verifyGithubWebhook(signature: string, payload: any, secret: string): b`
`473`	`474`	`}`
`474`	`475`
`475`	`476`	`function verifyGogsWebhook(signature: string, payload: any, secret: string): boolean {`
`476`		- let sig = `${crypto.createHmac('sha256', secret).update(JSON.stringify(payload)).digest('hex')}`;
	`477`	+ let sig = `${crypto.createHmac('sha256', secret).update(JSON.stringify(payload, null, 2)).digest('hex')}`;
`477`	`478`	`return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(sig));`
`478`	`479`	`}`