serverless-gcf icon indicating copy to clipboard operation
serverless-gcf copied to clipboard
verified publisher icon probot

Does this actually validate webhook signatures

Open acoulton opened this issue 7 years ago • 4 comments

This may be me, but it seems like it doesn't validate webhook signatures.

If I configure it with an incorrect webhook secret the requests are still handled as a 200 response. I assume it needs to be passing the X-Hub-Signature, and probably the raw request body, along to probot somewhere?

acoulton avatar Dec 14 '18 23:12 acoulton

I agree. I added some code to do the validation in my serverless extension:

const validateSignature = (req) => {
  const given = req.headers['x-hub-signature'] || req.headers['X-Hub-Signature']

  if (! process.env['WEBHOOK_SECRET']) {
    console.error("No shared secret; set the WEBHOOK_SECRET environment variable")
    return false
  }

  var hmac = crypto.createHmac("sha1", process.env['WEBHOOK_SECRET'])
  hmac.update(req.rawBody, 'binary')
  var expected = 'sha1=' + hmac.digest('hex')

  return given.length === expected.length && crypto.timingSafeEqual(Buffer.from(given), Buffer.from(expected))
}

ethomson avatar Jan 04 '19 22:01 ethomson

@acoulton @ethomson were you able to deploy to gcf ?

rthadur avatar Feb 24 '19 00:02 rthadur

@rthadur yes - but ISTR it took a bit of faffing about.

However we subsequently realised that since our app was bridging github to other services the probot approach wasn't that useful for us. When we got a github hook we almost always always need a client to the other services, we only needed a github client when the other services fired their own hooks. And although that was doable by wrapping probot, we weren't really using any of probot's automation and it was just adding an extra layer of complexity over using octokit etc directly. Particularly since we'd have had to add our own webhook validation, etc. So we're no longer using it and I don't think I still have the code I hacked up to experiment with getting the GCF deployment to work.

acoulton avatar Feb 25 '19 10:02 acoulton

@rthadur No, and I was never intending to. I was commenting here since I had the same issue in my serverless extension for Azure Functions: https://github.com/ethomson/probot-serverless-azurefunctions

I did deploy my probot to Azure Functions with success (and significant cost savings over my prior environment).

GitHub
Azure Functions adapter for Probot tools. Contribute to ethomson/probot-serverless-azurefunctions development by creating an account on GitHub.

ethomson avatar Feb 25 '19 10:02 ethomson