This repository has been archived by the owner on Jun 30, 2023. It is now read-only.

Update verify_webhook_signature to match more recent security guidelines #9

Merged
merged 1 commit into from
Nov 9, 2021
19 changes: 9 additions & 10 deletions template_server.rb
Expand Up @@ -118,29 +118,28 @@ def authenticate_installation(payload)
@installation_client = Octokit::Client.new(bearer_token: @installation_token)
end

# Check X-Hub-Signature to confirm that this webhook was generated by
# Check X-Hub-Signature-256 to confirm that this webhook was generated by
# GitHub, and not a malicious third party.
#
# GitHub uses the WEBHOOK_SECRET, registered to the GitHub App, to
# create the hash signature sent in the `X-HUB-Signature` header of each
# create the hash signature sent in the `X-HUB-Signature-256` header of each
# webhook. This code computes the expected hash signature and compares it to
# the signature sent in the `X-HUB-Signature` header. If they don't match,
# the signature sent in the `X-HUB-Signature-256` header. If they don't match,
# this request is an attack, and you should reject it. GitHub uses the HMAC
# hexdigest to compute the signature. The `X-HUB-Signature` looks something
# like this: "sha1=123456".
# See https://developer.github.com/webhooks/securing/ for details.
# hexdigest to compute the signature. The `X-HUB-Signature-256` looks something
# like this: "sha256=123456".
# See https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks for details.
def verify_webhook_signature
their_signature_header = request.env['HTTP_X_HUB_SIGNATURE'] || 'sha1='
their_signature_header = request.env['HTTP_X_HUB_SIGNATURE_256'] || 'sha256='
method, their_digest = their_signature_header.split('=')
our_digest = OpenSSL::HMAC.hexdigest(method, WEBHOOK_SECRET, @payload_raw)
halt 401 unless their_digest == our_digest
our_digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), WEBHOOK_SECRET, @payload_raw)
halt 401 unless Rack::Utils.secure_compare(their_digest, our_digest)

# The X-GITHUB-EVENT header provides the name of the event.
# The action value indicates the which action triggered the event.
logger.debug "---- received event #{request.env['HTTP_X_GITHUB_EVENT']}"
logger.debug "---- action #{@payload['action']}" unless @payload['action'].nil?
end

end

# Finally some logic to let us run this server directly from the command line,
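Review bot: the fallback `request.env['HTTP_X_HUB_SIGNATURE_256'] || 'sha256='` still leaves `their_digest` as `nil` when the header is absent, and `Rack::Utils.secure_compare(nil, our_digest)` raises a `NoMethodError` rather than returning false, so an unsigned request now produces a 500 instead of the intended 401. Guard it explicitly before the compare, e.g. `halt 401 if their_digest.nil? || their_digest.empty?`. The `method` half of `their_signature_header.split('=')` is also unused now that the digest is pinned to `OpenSSL::Digest.new('sha256')` (the right call, since it stops the sender from choosing the HMAC algorithm via the header); rename it to `_method` or discard it, and consider checking that the prefix is literally `sha256` so a request carrying a different scheme is rejected outright.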