fix: Add fallback for GitHub webhook signature check

drone · Jan 17, 2022 · 05ca388 · 05ca388
1 parent ed9176b
commit 05ca388
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/scm/driver/github/webhook.go b/scm/driver/github/webhook.go
@@ -64,6 +64,9 @@ func (s *webhookService) Parse(req *http.Request, fn scm.SecretFunc) (scm.Webhoo
 	}
 
 	sig := req.Header.Get("X-Hub-Signature-256")
+	if sig == "" {
+		sig = req.Header.Get("X-Hub-Signature")
+	}
 	if !hmac.ValidatePrefix(data, []byte(key), sig) {
 		return hook, scm.ErrSignatureInvalid
 	}

diff --git a/scm/driver/github/webhook_test.go b/scm/driver/github/webhook_test.go
@@ -285,6 +285,23 @@ func TestWebhookValid(t *testing.T) {
 	}
 }
 
+func TestWebhookSignatureFallback(t *testing.T) {
+	// the sha can be recalculated with the below command
+	// openssl dgst -sha1 -hmac <secret> <file>
+
+	f, _ := ioutil.ReadFile("testdata/webhooks/push.json")
+	r, _ := http.NewRequest("GET", "/", bytes.NewBuffer(f))
+	r.Header.Set("X-GitHub-Event", "push")
+	r.Header.Set("X-GitHub-Delivery", "ee8d97b4-1479-43f1-9cac-fbbd1b80da55")
+	r.Header.Set("X-Hub-Signature", "sha1=cf93f9ba3c8d3a789e61f91e1e5c6a360d036e98")
+
+	s := new(webhookService)
+	_, err := s.Parse(r, secretFunc)
+	if err != nil {
+		t.Errorf("Expect valid signature, got %v", err)
+	}
+}
+
 func secretFunc(scm.Webhook) (string, error) {
 	return "topsecret", nil
 }