fix: do not uppercase quoted escape sequences (#96)

If the payload contains text that starts with "\u", the replacer kicks in and signature validation fails.
octokit · Oct 7, 2019 · 98ff1e3 · 98ff1e3
1 parent 02a41a6
commit 98ff1e3
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/sign/index.js b/sign/index.js
@@ -12,7 +12,7 @@ function sign (secret, payload) {
 }
 
 function toNormalizedJsonString (payload) {
-  return JSON.stringify(payload).replace(/\\u[\da-f]{4}/g, s => {
-    return s.substr(0, 2) + s.substr(2).toUpperCase()
+  return JSON.stringify(payload).replace(/[^\\]\\u[\da-f]{4}/g, s => {
+    return s.substr(0, 3) + s.substr(3).toUpperCase()
   })
 }
diff --git a/test/integration/verify-test.js b/test/integration/verify-test.js
@@ -59,6 +59,10 @@ test('verify(secret, eventPayload, signature) returns true if eventPayload conta
     foo: 'Foo\n\u001B[34mbar: ♥♥♥♥♥♥♥♥\nthis-is-lost\u001B[0m\u001B[2K'
   }, 'sha1=7316ec5e7866e42e4aba4af550d21a5f036f949d')
   t.is(signatureMatchesUpperCaseSequence, true)
+  const signatureMatchesEscapedSequence = verify('development', {
+    foo: '\\u001b'
+  }, 'sha1=2c440a176f4cb84c8c921dfee882d594c2465097')
+  t.is(signatureMatchesEscapedSequence, true)
 
   t.end()
 })