Update github to use sha256 signature (go-playground#173)

See https://docs.github.com/en/webhooks-and-events/webhooks/securing-your-webhooks
faceit · Nov 29, 2023 · 53694f8 · 53694f8
1 parent c3b1a44
commit 53694f8
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 116 deletions.
diff --git a/github/github.go b/github/github.go
@@ -2,21 +2,22 @@ package github
 
 import (
 	"crypto/hmac"
-	"crypto/sha1"
+	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"net/http"
+	"strings"
 )
 
 // parse errors
 var (
 	ErrEventNotSpecifiedToParse  = errors.New("no Event specified to parse")
 	ErrInvalidHTTPMethod         = errors.New("invalid HTTP Method")
 	ErrMissingGithubEventHeader  = errors.New("missing X-GitHub-Event Header")
-	ErrMissingHubSignatureHeader = errors.New("missing X-Hub-Signature Header")
+	ErrMissingHubSignatureHeader = errors.New("missing X-Hub-Signature-256 Header")
 	ErrEventNotFound             = errors.New("event not defined to be parsed")
 	ErrParsingPayload            = errors.New("error parsing payload")
 	ErrHMACVerificationFailed    = errors.New("HMAC verification failed")
@@ -159,15 +160,18 @@ func (hook Webhook) Parse(r *http.Request, events ...Event) (interface{}, error)
 
 	// If we have a Secret set, we should check the MAC
 	if len(hook.secret) > 0 {
-		signature := r.Header.Get("X-Hub-Signature")
+		signature := r.Header.Get("X-Hub-Signature-256")
 		if len(signature) == 0 {
 			return nil, ErrMissingHubSignatureHeader
 		}
-		mac := hmac.New(sha1.New, []byte(hook.secret))
+
+		signature = strings.TrimPrefix(signature, "sha256=")
+
+		mac := hmac.New(sha256.New, []byte(hook.secret))
 		_, _ = mac.Write(payload)
 		expectedMAC := hex.EncodeToString(mac.Sum(nil))
 
-		if !hmac.Equal([]byte(signature[5:]), []byte(expectedMAC)) {
+		if !hmac.Equal([]byte(signature), []byte(expectedMAC)) {
 			return nil, ErrHMACVerificationFailed
 		}
 	}