From f4db242ae5378f7a98e3fee6ef02c5f0d050ed45 Mon Sep 17 00:00:00 2001
From: AdamKorcz
Date: Sat, 18 Nov 2023 15:03:26 +0000
Subject: [PATCH] Add length check to github signature
Signed-off-by: AdamKorcz
---
 github/github.go | 5 ++++-
 github/github_test.go | 9 +++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/github/github.go b/github/github.go
index e2ee652..1f602a4 100644
--- a/github/github.go
+++ b/github/github.go
@@ -21,6 +21,7 @@ var (
 ErrEventNotFound = errors.New("event not defined to be parsed")
 ErrParsingPayload = errors.New("error parsing payload")
 ErrHMACVerificationFailed = errors.New("HMAC verification failed")
+ ErrWrongHubSignatureHeader = errors.New("Invalid Github signature")
 )
 // Event defines a GitHub hook event type
@@ -166,7 +167,9 @@ func (hook Webhook) Parse(r *http.Request, events ...Event) (interface{}, error)
 }
 signature = strings.TrimPrefix(signature, "sha256=")
-
+ if len(signature) < 6 {
+ return nil, ErrWrongHubSignatureHeader
+ }
 mac := hmac.New(sha256.New, []byte(hook.secret))
 _, _ = mac.Write(payload)
 expectedMAC := hex.EncodeToString(mac.Sum(nil))
diff --git a/github/github_test.go b/github/github_test.go
index 109d694..bd7b070 100644
--- a/github/github_test.go
+++ b/github/github_test.go
@@ -58,6 +58,15 @@ func TestBadRequests(t *testing.T) {
 payload io.Reader
 headers http.Header
 }{
+ {
+ name: "ShortSignature",
+ event: CommitCommentEvent,
+ payload: bytes.NewBuffer([]byte("{12345}")),
+ headers: http.Header{
+ "X-Github-Event": []string{"commit_comment"},
+ "X-Hub-Signature": []string{"sha1"},
+ },
+ },
 {
 name: "BadNoEventHeader",
 event: CreateEvent,
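Review bot: The new sentinel's message `"Invalid Github signature"` breaks the convention its neighbours follow (lowercase, no trailing punctuation; staticcheck ST1005 flags the capital), and the product name is spelled GitHub in the `// Event defines a GitHub hook event type` comment a few lines below. Suggest `ErrWrongHubSignatureHeader = errors.New("invalid GitHub signature header")`, and since the identifier is exported it should carry a doc comment such as `// ErrWrongHubSignatureHeader is returned when the signature header value is malformed.` The `var (` block this hunk touches is otherwise fully visible here.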
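Review bot: The `len(signature) < 6` guard added in Parse is an arbitrary threshold rather than the check the format implies: a hex-encoded SHA-256 HMAC is always exactly `hex.EncodedLen(sha256.Size)` (64) characters, so any other length can be rejected with `if len(signature) != hex.EncodedLen(sha256.Size) { return nil, ErrWrongHubSignatureHeader }`. A threshold of 6 also lets a header without the `sha256=` prefix pass unchanged, because TrimPrefix is a no-op when the prefix is absent; if the module's Go version permits, `sig, ok := strings.CutPrefix(signature, "sha256=")` with `!ok` mapped to the same error would make the prefix mandatory. Whether the comparison that follows already rejects length mismatches cannot be confirmed here, since the rest of Parse (including the expected hmac.Equal call) lies outside the hunk.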
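Review bot: The ShortSignature case sets `X-Hub-Signature` to `sha1`, but the code under test trims a `sha256=` prefix, which suggests Parse reads `X-Hub-Signature-256`; if that is the case, this request fails on a missing signature before the new length check is reached and the test passes without exercising the change. Suggest sending the header Parse actually reads with a value that survives prefix trimming but is too short, e.g. `"X-Hub-Signature-256": []string{"sha256=abc"}`, and, if the TestBadRequests loop body (outside this hunk) only checks that some error is returned, asserting the specific one with `errors.Is(err, ErrWrongHubSignatureHeader)`. Which header Parse reads is not visible in this diff, so confirm against github.go before changing the case.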