Swaps in SHA256 signature (fixes #13)

rjz · rjz · commit cc67f3561e62 · 2023-03-03T10:11:12.000-07:00
diff --git a/githubhook.go b/githubhook.go
@@ -3,7 +3,7 @@ package githubhook
 
 import (
 	"crypto/hmac"
-	"crypto/sha1"
+	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
 	"errors"
@@ -37,11 +37,12 @@ type Hook struct {
 	Payload []byte
 }
 
-const signaturePrefix = "sha1="
-const signatureLength = 45 // len(SignaturePrefix) + len(hex(sha1))
+const signaturePrefix = "sha256="
+const prefixLength = len(signaturePrefix)
+const signatureLength = prefixLength + (sha256.Size * 2)
 
 func signBody(secret, body []byte) []byte {
-	computed := hmac.New(sha1.New, secret)
+	computed := hmac.New(sha256.New, secret)
 	computed.Write(body)
 	return []byte(computed.Sum(nil))
 }
@@ -55,13 +56,15 @@ func (h *Hook) SignedBy(secret []byte) bool {
 		return false
 	}
 
-	actual := make([]byte, 20)
-	hex.Decode(actual, []byte(h.Signature[5:]))
+	actual := make([]byte, sha256.Size)
+	hex.Decode(actual, []byte(h.Signature[prefixLength:]))
 
-	return hmac.Equal(signBody(secret, h.Payload), actual)
+	expected := signBody(secret, h.Payload)
+
+	return hmac.Equal(expected, actual)
 }
 
-// Extract unmarshals Payload into a destination interface.
+// Extract hook's JSON payload into dst
 func (h *Hook) Extract(dst interface{}) error {
 	return json.Unmarshal(h.Payload, dst)
 }
@@ -73,7 +76,7 @@ func New(req *http.Request) (hook *Hook, err error) {
 		return nil, errors.New("Unknown method!")
 	}
 
-	if hook.Signature = req.Header.Get("x-hub-signature"); len(hook.Signature) == 0 {
+	if hook.Signature = req.Header.Get("x-hub-signature-256"); len(hook.Signature) == 0 {
 		return nil, errors.New("No signature!")
 	}
 
diff --git a/githubhook_test.go b/githubhook_test.go
@@ -2,7 +2,7 @@ package githubhook
 
 import (
 	"crypto/hmac"
-	"crypto/sha1"
+	"crypto/sha256"
 	"encoding/hex"
 	"fmt"
 	"net/http"
@@ -29,11 +29,11 @@ func expectParseError(t *testing.T, msg string, r *http.Request) {
 }
 
 func signature(body string) string {
-	dst := make([]byte, 40)
-	computed := hmac.New(sha1.New, []byte(testSecret))
+	dst := make([]byte, sha256.Size*2)
+	computed := hmac.New(sha256.New, []byte(testSecret))
 	computed.Write([]byte(body))
 	hex.Encode(dst, computed.Sum(nil))
-	return "sha1=" + string(dst)
+	return signaturePrefix + string(dst)
 }
 
 func TestNonPost(t *testing.T) {
@@ -48,20 +48,20 @@ func TestMissingSignature(t *testing.T) {
 
 func TestMissingEvent(t *testing.T) {
 	r, _ := http.NewRequest("POST", "/path", nil)
-	r.Header.Add("x-hub-signature", "bogus signature")
+	r.Header.Add("x-hub-signature-256", "bogus signature")
 	expectNewError(t, "No event!", r)
 }
 
 func TestMissingEventId(t *testing.T) {
 	r, _ := http.NewRequest("POST", "/path", nil)
-	r.Header.Add("x-hub-signature", "bogus signature")
+	r.Header.Add("x-hub-signature-256", "bogus signature")
 	r.Header.Add("x-github-event", "bogus event")
 	expectNewError(t, "No event Id!", r)
 }
 
 func TestInvalidSignature(t *testing.T) {
 	r, _ := http.NewRequest("POST", "/path", strings.NewReader("..."))
-	r.Header.Add("x-hub-signature", "bogus signature")
+	r.Header.Add("x-hub-signature-256", "bogus signature")
 	r.Header.Add("x-github-event", "bogus event")
 	r.Header.Add("x-github-delivery", "bogus id")
 	expectParseError(t, "Invalid signature", r)
@@ -72,7 +72,7 @@ func TestValidSignature(t *testing.T) {
 	body := "{}"
 
 	r, _ := http.NewRequest("POST", "/path", strings.NewReader(body))
-	r.Header.Add("x-hub-signature", signature(body))
+	r.Header.Add("x-hub-signature-256", signature(body))
 	r.Header.Add("x-github-event", "bogus event")
 	r.Header.Add("x-github-delivery", "bogus id")
 
