Skip to content

Commit

Permalink
Update github to use sha256 signature (#173)
Browse files Browse the repository at this point in the history
  • Loading branch information
ammario authored Nov 29, 2023
1 parent c3b1a44 commit 53694f8
Show file tree
Hide file tree
Showing 2 changed files with 75 additions and 116 deletions.
14 changes: 9 additions & 5 deletions github/github.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,21 +2,22 @@ package github

import (
"crypto/hmac"
"crypto/sha1"
"crypto/sha256"
"encoding/hex"
"encoding/json"
"errors"
"fmt"
"io"
"net/http"
"strings"
)

// parse errors
var (
ErrEventNotSpecifiedToParse = errors.New("no Event specified to parse")
ErrInvalidHTTPMethod = errors.New("invalid HTTP Method")
ErrMissingGithubEventHeader = errors.New("missing X-GitHub-Event Header")
ErrMissingHubSignatureHeader = errors.New("missing X-Hub-Signature Header")
ErrMissingHubSignatureHeader = errors.New("missing X-Hub-Signature-256 Header")
ErrEventNotFound = errors.New("event not defined to be parsed")
ErrParsingPayload = errors.New("error parsing payload")
ErrHMACVerificationFailed = errors.New("HMAC verification failed")
Expand Down Expand Up @@ -159,15 +160,18 @@ func (hook Webhook) Parse(r *http.Request, events ...Event) (interface{}, error)

// If we have a Secret set, we should check the MAC
if len(hook.secret) > 0 {
signature := r.Header.Get("X-Hub-Signature")
signature := r.Header.Get("X-Hub-Signature-256")
if len(signature) == 0 {
return nil, ErrMissingHubSignatureHeader
}
mac := hmac.New(sha1.New, []byte(hook.secret))

signature = strings.TrimPrefix(signature, "sha256=")

mac := hmac.New(sha256.New, []byte(hook.secret))
_, _ = mac.Write(payload)
expectedMAC := hex.EncodeToString(mac.Sum(nil))

if !hmac.Equal([]byte(signature[5:]), []byte(expectedMAC)) {
if !hmac.Equal([]byte(signature), []byte(expectedMAC)) {
return nil, ErrHMACVerificationFailed
}
}
Expand Down
Loading

0 comments on commit 53694f8

Please sign in to comment.