feat: throw an error when passing an object payload to verify or …

…`sign` (#235)
octokit · Feb 17, 2024 · e2bcb2c · e2bcb2c
1 parent 44d625a
commit e2bcb2c
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 2 deletions.
diff --git a/src/node/sign.ts b/src/node/sign.ts
@@ -20,6 +20,10 @@ export async function sign(
  );
  }
 
+ if (typeof payload !== "string") {
+ throw new TypeError("[@octokit/webhooks-methods] payload must be a string");
+ }
+
  if (!Object.values(Algorithm).includes(algorithm as Algorithm)) {
  throw new TypeError(
  `[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be 'sha1' or 'sha256'`,

diff --git a/src/node/verify.ts b/src/node/verify.ts
@@ -16,6 +16,12 @@ export async function verify(
  );
  }
 
+ if (typeof eventPayload !== "string") {
+ throw new TypeError(
+ "[@octokit/webhooks-methods] eventPayload must be a string",
+ );
+ }
+
  const signatureBuffer = Buffer.from(signature);
  const algorithm = getAlgorithm(signature);
 

diff --git a/src/web.ts b/src/web.ts
@@ -60,6 +60,10 @@ export async function sign(options: SignOptions | string, payload: string) {
  );
  }
 
+ if (typeof payload !== "string") {
+ throw new TypeError("[@octokit/webhooks-methods] payload must be a string");
+ }
+
  if (!Object.values(Algorithm).includes(algorithm as Algorithm)) {
  throw new TypeError(
  `[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be 'sha1' or 'sha256'`,
@@ -86,6 +90,12 @@ export async function verify(
  );
  }
 
+ if (typeof eventPayload !== "string") {
+ throw new TypeError(
+ "[@octokit/webhooks-methods] eventPayload must be a string",
+ );
+ }
+
  const algorithm = getAlgorithm(signature);
  return await crypto.subtle.verify(
  "HMAC",

diff --git a/test/sign.test.ts b/test/sign.test.ts
@@ -38,7 +38,7 @@ describe("sign", () => {
  test("sign({secret, algorithm}) throws with invalid algorithm", async () => {
  await expect(() =>
  // @ts-expect-error
- sign({ secret, algorithm: "sha2" }, eventPayload),
+ sign({ secret, algorithm: "sha2" }, JSON.stringify(eventPayload)),
  ).rejects.toThrow(
  "[@octokit/webhooks] Algorithm sha2 is not supported. Must be 'sha1' or 'sha256'",
  );
@@ -81,4 +81,11 @@ describe("sign", () => {
  });
  });
  });
+
+ test("throws with eventPayload as object", () => {
+ // @ts-expect-error
+ expect(() => sign(secret, eventPayload)).rejects.toThrow(
+ "[@octokit/webhooks-methods] payload must be a string",
+ );
+ });
 });
diff --git a/test/verify.test.ts b/test/verify.test.ts
@@ -8,7 +8,8 @@ function toNormalizedJsonString(payload: object) {
  });
 }
 
-const eventPayload = toNormalizedJsonString({ foo: "bar" });
+const JSONeventPayload = { foo: "bar" };
+const eventPayload = toNormalizedJsonString(JSONeventPayload);
 const secret = "mysecret";
 const signatureSHA1 = "sha1=640c0ea7402a3f74e1767338fa2dba243b1f2d9c";
 const signatureSHA256 =
@@ -140,6 +141,15 @@ describe("verify", () => {
  );
  expect(signatureMatchesEscapedSequence).toBe(true);
  });
+
+ test("verify(secret, eventPayload, signatureSHA256) with JSON eventPayload", async () => {
+ await expect(() =>
+ // @ts-expect-error
+ verify(secret, JSONeventPayload, signatureSHA256),
+ ).rejects.toThrow(
+ "[@octokit/webhooks-methods] eventPayload must be a string",
+ );
+ });
 });
 
 describe("verifyWithFallback", () => {