fix: strip smuggled payload from ssl_check requests

[homanp]

Fixes #2897

When ssl_check=1 is in a form-encoded body, parseAndVerifyHTTPRequest skips signature verification and returns the buffered request as-is. Problem is, the raw body can also contain a payload field that parseHTTPRequestBody will extract and process as a real event — no signing secret needed.

This rewrites rawBody to only contain the ssl_check field before returning, so nothing else can be smuggled through.

Tested that:

• Smuggled ssl_check=1&payload={...} no longer triggers event handlers
• Legitimate ssl_check requests still return 200
• Requests without ssl_check still require valid signatures

[changeset-bot]

⚠️ No Changeset found

Latest commit: a245279

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[salesforce-cla]

Thanks for the contribution! Before we can merge this, we need @homanp to sign the Salesforce Inc. Contributor License Agreement.

[homanp]

Can't sign the contract, getting: Could not sign the CLA, please contact: oss-bots@salesforce.com

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.62%. Comparing base (ad576a1) to head (a245279).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2898   +/-   ##
=======================================
  Coverage   93.62%   93.62%           
=======================================
  Files          44       44           
  Lines        7855     7858    +3     
  Branches      687      687           
=======================================
+ Hits         7354     7357    +3     
  Misses        496      496           
  Partials        5        5           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[WilliamBergamin]

@homanp your changes look good 💯 could you try signing the CLA again, sometimes we need to close and reopen the pull request

We can merge these changes as is and I can follow up with some unit tests and edge case around evaluating sll_check truthy, but if you want o add these you're more then well come 🙏

[homanp]

@homanp your changes look good 💯 could you try signing the CLA again, sometimes we need to close and reopen the pull request

We can merge these changes as is and I can follow up with some unit tests and edge case around evaluating sll_check truthy, but if you want o add these you're more then well come 🙏

Still can't. same issue. tried with multiple different emails. get the same error of contacting oss-bot

[homanp]

Tried signing with incognito mode as well and still get the error. Tried with safari as well, but still the same.

[homanp]

I get this though @WilliamBergamin

[WilliamBergamin]

@homanp would you be able to try signing the cla again, we will try to review the logs when you do it 🙏

[homanp]

@homanp would you be able to try signing the cla again, we will try to review the logs when you do it 🙏

doing now.

[homanp]

@homanp would you be able to try signing the cla again, we will try to review the logs when you do it 🙏

still the same

[WilliamBergamin]

I got internal confirmation that you signed the CLA 🚀 it seems like its just not showing up here

[homanp]

I got internal confirmation that you signed the CLA 🚀 it seems like its just not showing up here

Cool