
Commit 9299dde

committed
Merge pull request #5 from rjz/fix/http-request-method
Validate POST method (#4)
2 parents f5b624d + d4e4d5a commit 9299dde


2 files changed

+14
-5
lines changed


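--- a/githubhook.go
+++ b/githubhook.go
@@ -41,6 +41,10 @@ func verifySignature(secret []byte, signature string, body []byte) bool {
 func Parse(secret []byte, req *http.Request) (*Hook, error) {
 hook := Hook{}
 
+if !strings.EqualFold(req.Method, "POST") {
+return nil, errors.New("Unknown method!")
+}
+
 if hook.Signature = req.Header.Get("x-hub-signature"); len(hook.Signature) == 0 {
 return nil, errors.New("No signature!")
 }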
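Review bot: The method guard at the top of Parse compares with `strings.EqualFold`, so `post` or `Post` is accepted even though HTTP method tokens are case-sensitive and net/http does not normalise them; an exact comparison, `if req.Method != "POST" {`, keeps the accepted surface to what GitHub actually sends. The new error is also an anonymous `errors.New` value like its neighbours, so a handler cannot tell a wrong-method request from a missing or bad signature without matching the message text; a package-level `var ErrUnknownMethod = errors.New("Unknown method!")` returned here would let callers answer 405 instead of treating it as an authentication failure. Parse's body continues past the end of the hunk.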

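--- a/githubhook_test.go
+++ b/githubhook_test.go
@@ -31,26 +31,31 @@ func signature(body string) string {
 return "sha1=" + string(dst)
 }
 
-func TestMissingSignature(t *testing.T) {
+func TestNonPost(t *testing.T) {
 r, _ := http.NewRequest("GET", "/path", nil)
+expectParseError(t, "Unknown method!", r)
+}
+
+func TestMissingSignature(t *testing.T) {
+r, _ := http.NewRequest("POST", "/path", nil)
 expectParseError(t, "No signature!", r)
 }
 
 func TestMissingEvent(t *testing.T) {
-r, _ := http.NewRequest("GET", "/path", nil)
+r, _ := http.NewRequest("POST", "/path", nil)
 r.Header.Add("x-hub-signature", "bogus signature")
 expectParseError(t, "No event!", r)
 }
 
 func TestMissingEventId(t *testing.T) {
-r, _ := http.NewRequest("GET", "/path", nil)
+r, _ := http.NewRequest("POST", "/path", nil)
 r.Header.Add("x-hub-signature", "bogus signature")
 r.Header.Add("x-github-event", "bogus event")
 expectParseError(t, "No event Id!", r)
 }
 
 func TestInvalidSignature(t *testing.T) {
-r, _ := http.NewRequest("GET", "/path", strings.NewReader("..."))
+r, _ := http.NewRequest("POST", "/path", strings.NewReader("..."))
 r.Header.Add("x-hub-signature", "bogus signature")
 r.Header.Add("x-github-event", "bogus event")
 r.Header.Add("x-github-delivery", "bogus id")
@@ -61,7 +66,7 @@ func TestValidSignature(t *testing.T) {
 
 body := "{}"
 
-r, _ := http.NewRequest("GET", "/path", strings.NewReader(body))
+r, _ := http.NewRequest("POST", "/path", strings.NewReader(body))
 r.Header.Add("x-hub-signature", signature(body))
 r.Header.Add("x-github-event", "bogus event")
 r.Header.Add("x-github-delivery", "bogus id")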
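Review bot: TestNonPost exercises only GET, so the guard's treatment of other verbs and of a differently-cased `post` (which the `strings.EqualFold` check in Parse lets through) is not pinned by any test. Looping the same assertion over several methods, `for _, m := range []string{"GET", "HEAD", "PUT", "DELETE"} {` with `r, _ := http.NewRequest(m, "/path", nil)` inside, would cover the rejection path more fully, and one explicit case should record whether lower-case `post` is meant to be accepted. TestInvalidSignature and TestValidSignature continue outside the hunks shown.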
