Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Github push event signature don't match

Tags:

javascript

github

github-api

webhooks

I'm coding a Webhook for GitHub, and implemented secure verification in KOA.js as:

function sign(tok, blob) {
  var hmac;

  hmac = crypto
    .createHmac('sha1', tok)
    .update(blob)
    .digest('hex');

  return 'sha1=' + hmac;
}

...

key = this.request.headers['x-hub-signature'];
blob = JSON.stringify(this.request.body);

if (!key || !blob) {
  this.status = 400;
  this.body = 'Bad Request';
}

lock = sign(settings.api_secret, blob);

if (lock !== key) {
  console.log(symbols.warning, 'Unauthorized');
  this.status = 403;
  this.body = 'Unauthorized';
  return;
}

...

for pull_requests and create events this works ok, even pushing new branches works, but for push commits events the x-hub-signature and the computed hash from the payload don't match, so it always get 403 unauthorized.

Update

I've noticed that for this kind of push payloads the commits and head_commit are added to the payload. I've tried removing the commits and the head_commit from the body but it didn't work.

Update

For more information please review these example payloads. I've also included url for the test repo and token info: https://gist.github.com/marcoslhc/ec581f1a5ccdd80f8b33

like image 385
marcoslhc Avatar asked May 15 '15 21:05

marcoslhc

1 Answers

The default encoding of Crypto hash.update() is binary as detailed in the answer to Node JS crypto, cannot create hmac on chars with accents. This causes a problem in your push-event payload, which contains the character U+00E1 LATIN SMALL LETTER A WITH ACUTE in Hernández four times, and GitHub services is hashing the payload as utf-8 encoded. Note that your Gist shows these incorrectly-encoded in ISO-8859-1, so also make sure that you are handling the incoming request character-encoding properly (but this should happen by-default).

To fix this you need to either use a Buffer:

hmac = crypto.createHmac('sha1', tok).update(new Buffer(blob, 'utf-8')).digest('hex');

... or pass the encoding directly to update:

hmac = crypto.createHmac('sha1', tok).update(blob, 'utf-8').digest('hex');

The correct hash of 7f9e6014b7bddf5533494eff6a2c71c4ec7c042d will then be calculated.

like image 64
javabrett Avatar answered Oct 16 '22 20:10

javabrett
Sign in to Comment

Related questions

Count unique elements in array without sorting
parseInt not converting decimal to binary?
get next week start and end using jquery and moment js
Calling Helper Within If Block in Handlebars Template
How do I format a number to 2 decimal places, but only if there are already decimals?
How do I make an area unclickable with CSS?
event: "Deprecated symbol used, consult docs for better alternative"
How to handle local state when using relay?
On Handsontable, if there is similar columns header, then the first columns cell value is auto copied to other similar cell
Minimalistic example of IPython kernel javascript bi-directional communication
Knockout.js seems to be clobbering my jQuery event handlers, how rude
Accessing Google Drive from a Firefox extension
Chrome popstate not firing on Back Button if no user interaction
How can I get Aptana's code assist to work with Google Maps API v3?
Read id3 v2.4 tags with native Chrome Javascript/FileReader/DataView
D3.js: Using images (with filenames specified in data) as tick values on axis
Upload from Client Browser to Google Cloud Storage Using JavaScript
jQuery compatible JavaScript documentation generator
How do you read a file or Stream synchronously in node.js?
Adding favicon to javascript Bookmarklet (uses window.open)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!