Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

When there is an apostrophe in the body the validation of the webhook fails #528

Open
theghall opened this issue Aug 25, 2020 · 4 comments
Open

When there is an apostrophe in the body the validation of the webhook fails #528

theghall opened this issue Aug 25, 2020 · 4 comments
Labels
status: help wanted requesting help from the community type: bug bug in the library

Comments

@theghall
Copy link

Issue Summary

An apostrophe in the body of a text message causes validation of Twilio webhook to fail

Steps to Reproduce

  1. Send a text message with an apostrophe in it
  2. try to validate the incoming webhook

Code Snippet

    twilio_signature = env["HTTP_X_TWILIO_SIGNATURE"]
        url = "#{rack_request.scheme}://" + env["HTTP_HOST"] + env["REQUEST_URI"]
        unless validator.validate(url, {}, twilio_signature)
          raise "Twilio request validation failed."
        end

Technical details:

  • twilio-ruby version: 5.40.0 (also fails with 5.37.0)
  • ruby version: 2.7.1
@theghall
Copy link
Author

Debugging a little it appears as if the gem encodes the ' as %27 via URI, whereas the signature generated by Twilio did not encode the ' as %27. Because if I do the calculation to generate the signature keeping the ' as ', I get the signatures to match.

@eshanholtz
Copy link
Contributor

This issue has been added to our internal backlog to be prioritized. Pull requests and +1s on the issue summary will help it move up the backlog.

@eshanholtz eshanholtz added status: help wanted requesting help from the community type: bug bug in the library labels Aug 27, 2020
@theghall
Copy link
Author

theghall commented Sep 2, 2020

Twilio support gave me the workaround of making the Webhook a POST instead of a GET. My code is now as follows:

      # Need this because env['rack.url_scheme'] is only for the last leg of the journey,
      # Rack::Request#scheme gets us the scheme of the real request
      rack_request = Rack::Request.new(env)

     validator = Twilio::Security::RequestValidator.new(ENV["MEMBERS_TWILIO_SECRET"])
     twilio_signature = env["HTTP_X_TWILIO_SIGNATURE"]
     url = "#{rack_request.scheme}://" + env["HTTP_HOST"] + env["REQUEST_URI"]
     # params arg: Use rack_request.params for POST request.  Use {} for GET request
     unless validator.validate(url, rack_request.params, twilio_signature)
        raise "Twilio request validation failed."
    end

@ramonrovirosa
Copy link

Same issue described above was happening to me. It was happening because the url contained a query parameter that had an apostraphe in the value
e.g. the url had an apostraphe that was encoded with %27
https://www.example.com?name=O%27Malley

The fix for me was to double encode the query parameters before sending the request to twilio.
e.g. https://www.example.com?name=O%2527Malley
And then make sure to do an extra decoding on the callback query params on my backend

If the signature generated by Twilio decodes special charecters including those in the url as query parameter values, the library should do decoding along with parsing on validate
https://github.com/twilio/twilio-ruby/blob/main/lib/twilio-ruby/security/request_validator.rb#L27

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: help wanted requesting help from the community type: bug bug in the library
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ramonrovirosa @theghall @eshanholtz