WIP - Attmpt to verify signatures

zee-roostify · zee-roostify · commit eaca2150b17d · 2017-03-23T20:54:52.000Z
diff --git a/README.md b/README.md
@@ -32,8 +32,15 @@ robot.emit "github-repo-event", eventBody
 
 For details on these fields, see the [Github Webhook documentation](https://developer.github.com/webhooks/).
 
-**SECURITY WARNING**: This script does not currently validate the Github Secret to verify that the webhook came from Github. So, if someone knows the URL to your Hubot, they can spoof webhooks and issue your Hubot commands. So, for now be careful about exposing commands like `destroy company`, etc. I plan to validate these webhooks soon. In the meantime, patches are welcome. :)
+### Securing Your Webhooks
+To ensure non-github sources cannot send messages to your hubot, set
+`robot.brain.set('github_secret_token, 'YOUR-WEBHOOK-SECRET')` to your [Github
+hooks secret](https://developer.github.com/v3/repos/hooks/#create-a-hook).
 
+This will raise exceptions when the webhook requests signatures do not match one
+builtfrom the request payload and your webhook secret.
+
+### Consuming the event
 You can consume it like so from one of your scripts:
 ```coffeescript
 @robot.on "github-repo-event", (repo_event) =>
diff --git a/package.json b/package.json
@@ -31,6 +31,7 @@
   },
   "dependencies": {
     "querystring": "^0.2.0",
-    "url": "^0.10.3"
+    "url": "^0.10.3",
+    "verify-github-webhook": "^1.0.1"
   }
 }
diff --git a/src/hubot-github-webhook-listener.coffee b/src/hubot-github-webhook-listener.coffee
@@ -38,11 +38,17 @@
 
 url           = require('url')
 querystring   = require('querystring')
+verifyGithubWebhook = require('verify-github-webhook')
 
 debug = false
 
 module.exports = (robot) ->
 
+  # In the event no secret is set, we wish to carry on without verifying
+  verifySignature = (signature, payload, secret) ->
+    return true unless secret?
+    verifyGithubWebhook(signature, payload, secret)
+
   #TODO: Introduce secret so that these are verified:
   # See: https://developer.github.com/webhooks/securing/ and
   # https://gist.github.com/dcollien/c5d86c968cbc85e88286
@@ -57,6 +63,9 @@ module.exports = (robot) ->
         payload     : req.body
         query       : querystring.parse(url.parse(req.url).query)
 
+      if verifySignature(eventBody.signature, eventBody.payload, robot.brain.get('github_secret_token'))
+        throw new Error('Webhook Signatures Do Not Match Generated Signature')
+
       robot.emit "github-repo-event", eventBody
     catch error
       robot.logger.error "Github repo webhook listener error: #{error.stack}. Request: #{req.body}"

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,7 @@`
`31`	`31`	`},`
`32`	`32`	`"dependencies": {`
`33`	`33`	`"querystring": "^0.2.0",`
`34`		`- "url": "^0.10.3"`
	`34`	`+ "url": "^0.10.3",`
	`35`	`+ "verify-github-webhook": "^1.0.1"`
`35`	`36`	`}`
`36`	`37`	`}`