Add length check to github signature

Signed-off-by: AdamKorcz <adam@adalogics.com>
go-playground · Nov 18, 2023 · 316ebee · 316ebee
1 parent c3b1a44
commit 316ebee
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/github/github.go b/github/github.go
@@ -20,6 +20,7 @@ var (
 	ErrEventNotFound             = errors.New("event not defined to be parsed")
 	ErrParsingPayload            = errors.New("error parsing payload")
 	ErrHMACVerificationFailed    = errors.New("HMAC verification failed")
+	ErrWrongHubSignatureHeader   = errors.New("Invalid Github signature")
 )
 
 // Event defines a GitHub hook event type
@@ -163,6 +164,9 @@ func (hook Webhook) Parse(r *http.Request, events ...Event) (interface{}, error)
 		if len(signature) == 0 {
 			return nil, ErrMissingHubSignatureHeader
 		}
+		if len(signature) < 6 {
+			return nil, ErrWrongHubSignatureHeader
+		}
 		mac := hmac.New(sha1.New, []byte(hook.secret))
 		_, _ = mac.Write(payload)
 		expectedMAC := hex.EncodeToString(mac.Sum(nil))

diff --git a/github/github_test.go b/github/github_test.go
@@ -58,6 +58,15 @@ func TestBadRequests(t *testing.T) {
 		payload io.Reader
 		headers http.Header
 	}{
+		{
+			name:    "ShortSignature",
+			event:   CommitCommentEvent,
+			payload: bytes.NewBuffer([]byte("{12345}")),
+			headers: http.Header{
+				"X-Github-Event":  []string{"commit_comment"},
+				"X-Hub-Signature": []string{"sha1"},
+			},
+		},
 		{
 			name:    "BadNoEventHeader",
 			event:   CreateEvent,