Never disclose expected payload signature (#86)

Fixes #85
Cameron Moore 2016-08-25 16:41:05 -05:00 committed by Adnan Hajdarević
parent 54a9dbe1d6
commit 10d65dd2fd
2 changed files with 6 additions and 1 deletions


@ -93,7 +93,7 @@ func CheckPayloadSignature(payload []byte, secret string, signature string) (str
expectedMAC := hex.EncodeToString(mac.Sum(nil))
if !hmac.Equal([]byte(signature), []byte(expectedMAC)) {
return expectedMAC, &SignatureError{expectedMAC}
return expectedMAC, &SignatureError{signature}
}
return expectedMAC, err
}
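Review bot: The mismatch branch still returns the expected MAC as the first result (`return expectedMAC, &SignatureError{signature}`), so this fix covers only the error text; a caller that logs or echoes that string on failure would still disclose the valid signature for the payload. Consider `return "", &SignatureError{signature}` there, or at least a doc comment on CheckPayloadSignature saying the first result must not be logged or sent to the requester when the error is non-nil. The test in this commit compares `mac != tt.mac` for every case, so its table would need updating if the return value changes. The error now carries the request-supplied signature, which is untrusted text, so wherever it is logged it should presumably be quoted with `%q`; how SignatureError formats it, and the start of this function, are outside the hunk.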


@ -2,6 +2,7 @@ package hook
import (
"reflect"
"strings"
"testing"
)
@ -25,6 +26,10 @@ func TestCheckPayloadSignature(t *testing.T) {
if (err == nil) != tt.ok || mac != tt.mac {
t.Errorf("failed to check payload signature {%q, %q, %q}:\nexpected {mac:%#v, ok:%#v},\ngot {mac:%#v, ok:%#v}", tt.payload, tt.secret, tt.signature, tt.mac, tt.ok, mac, (err == nil))
}
if err != nil && strings.Contains(err.Error(), tt.mac) {
t.Errorf("error message should not disclose expected mac: %s", err)
}
}
}
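Review bot: The added check `strings.Contains(err.Error(), tt.mac)` is true for every error when `tt.mac` is the empty string, so a failing table entry with no expected MAC would report a disclosure that did not happen. The table is outside this hunk, so this may not occur with the current cases; guarding with `if err != nil && tt.mac != "" && strings.Contains(err.Error(), tt.mac) {` keeps the assertion meaningful either way. A one-line comment above the check, such as `// regression test for #85: the error text must not contain the expected MAC`, would tell the next reader why it is there.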