webhooks.js

throw a helpful error if received request has content type set to `application/x-www-form-url-encoded`

Open cowboyd opened this issue 5 years ago • 3 comments

I ran into this issue and though it was never resolved, it appears that the underlying problem is that @octokit/webhooks is assuming that the incoming request body is application/json. However, GitHub can also deliver payloads in application/x-www-form-url-encoded which is, in fact, the default delivery format when creating a webhook via the GitHub UI.

In the event that the payload is encoded as application/x-www-form-urlencoded, the middleware will try to parse it as JSON.

I could see two possible solutions:

  1. asserting that the content-type header is application/json, and rejecting with a 400 and a status text that clearly indicates that x-form-url-encoded is not acceptable, and that the webhook configuration should be updated.
  2. checking the content-type and decoding the payload appropriately for both application/json and application/x-www-form-urlencoded.

Would be happy to help implement either.

cowboyd avatar Jun 26 '20 16:06 cowboyd

Hi Charles, thank you for opening the issue!

I think parsing webhooks with content type application/x-www-form-url-encoded is out of scope of this library. But we could at least throw a helpful error.

Is there a reason why you set it to application/x-www-form-url-encoded?

gr2m avatar Jun 26 '20 17:06 gr2m

> Is there a reason why you set it to application/x-www-form-url-encoded?

@gr2m Thanks for the quick response. The only reason that I selected application/x-www-form-urlencoded was that it was what the create webhook form defaulted to, and I didn't even notice it. I was actually assuming that it would be application/json too, and was surprised when I started logging out the payload!

cowboyd avatar Jun 26 '20 17:06 cowboyd

This is up for grabs, if anyone would like to work on it.

gr2m avatar Apr 22 '21 19:04 gr2m

I have opened up a PR to solve this: #795

In the PR, I check to make sure that the Content-Type header is application/json, and then return an error in the HTTP response with a 415 status code.

wolfy1339 avatar Jan 08 '23 20:01 wolfy1339
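
A sketch of the check discussed in this thread: reject any delivery whose Content-Type is not application/json with a 415 and an actionable message, before the body is ever handed to `JSON.parse`. This is an added example, not the code from PR #795; `mediaType`, `checkDelivery` and the message text are hypothetical, and the form-encoded sample assumes GitHub's form delivery carries the JSON in a `payload` field.

```javascript
// Added example (not the library's implementation). Header names are assumed
// to be lower-cased already, as Node's http module delivers them.

// "Application/JSON; charset=utf-8" -> "application/json"; missing header -> ""
function mediaType(headerValue) {
  if (typeof headerValue !== "string") return "";
  return headerValue.split(";")[0].trim().toLowerCase();
}

// Returns { status: 200, payload } for an acceptable delivery,
// otherwise { status, body } describing why it was rejected.
function checkDelivery(headers, rawBody) {
  const type = mediaType(headers["content-type"]);
  if (type !== "application/json") {
    // Fixed message text: the received header value is not echoed back.
    const hint =
      type === "application/x-www-form-urlencoded"
        ? ' Change the webhook "Content type" to application/json in the webhook settings.'
        : "";
    return {
      status: 415,
      body: "Unsupported Content-Type. Expected application/json." + hint,
    };
  }
  try {
    return { status: 200, payload: JSON.parse(rawBody) };
  } catch {
    return { status: 400, body: "Request body is not valid JSON." };
  }
}

// Constructed sample: the same event in both delivery encodings.
const sampleEvent = { action: "opened", number: 1 };
const jsonBody = JSON.stringify(sampleEvent);
const formBody = new URLSearchParams({ payload: jsonBody }).toString();

const jsonResult = checkDelivery({ "content-type": "application/json" }, jsonBody);
const formResult = checkDelivery(
  { "content-type": "application/x-www-form-urlencoded" },
  formBody
);
console.log(jsonResult.status, formResult.status, formResult.body);
```

Without the Content-Type check, the form-encoded body (which starts with `payload=%7B...`) reaches `JSON.parse` and fails with a syntax error that says nothing about the webhook's configuration.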

:tada: This issue has been resolved in version 10.5.1 :tada:

The release is available on:

Your semantic-release bot :package::rocket:

github-actions[bot] avatar Jan 10 '23 17:01 github-actions[bot]

:tada: This issue has been resolved in version 11.0.0-beta.5 :tada:

The release is available on:

Your semantic-release bot :package::rocket:

github-actions[bot] avatar Jan 10 '23 17:01 github-actions[bot]