feat: throw an error when passing an object payload to verify or sign (#235)

Author: wolfy1339

src/node/sign.ts

@@ -20,6 +20,10 @@ export async function sign(
     );
   }
 
+  if (typeof payload !== "string") {
+    throw new TypeError("[@octokit/webhooks-methods] payload must be a string");
+  }
+
   if (!Object.values(Algorithm).includes(algorithm as Algorithm)) {
     throw new TypeError(
       `[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be  'sha1' or 'sha256'`,

src/node/verify.ts

@@ -16,6 +16,12 @@ export async function verify(
     );
   }
 
+  if (typeof eventPayload !== "string") {
+    throw new TypeError(
+      "[@octokit/webhooks-methods] eventPayload must be a string",
+    );
+  }
+
   const signatureBuffer = Buffer.from(signature);
   const algorithm = getAlgorithm(signature);
 

src/web.ts

@@ -60,6 +60,10 @@ export async function sign(options: SignOptions | string, payload: string) {
     );
   }
 
+  if (typeof payload !== "string") {
+    throw new TypeError("[@octokit/webhooks-methods] payload must be a string");
+  }
+
   if (!Object.values(Algorithm).includes(algorithm as Algorithm)) {
     throw new TypeError(
       `[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be  'sha1' or 'sha256'`,
@@ -86,6 +90,12 @@ export async function verify(
     );
   }
 
+  if (typeof eventPayload !== "string") {
+    throw new TypeError(
+      "[@octokit/webhooks-methods] eventPayload must be a string",
+    );
+  }
+
   const algorithm = getAlgorithm(signature);
   return await crypto.subtle.verify(
     "HMAC",

test/sign.test.ts

@@ -38,7 +38,7 @@ describe("sign", () => {
   test("sign({secret, algorithm}) throws with invalid algorithm", async () => {
     await expect(() =>
       // @ts-expect-error
-      sign({ secret, algorithm: "sha2" }, eventPayload),
+      sign({ secret, algorithm: "sha2" }, JSON.stringify(eventPayload)),
     ).rejects.toThrow(
       "[@octokit/webhooks] Algorithm sha2 is not supported. Must be  'sha1' or 'sha256'",
     );
@@ -81,4 +81,11 @@ describe("sign", () => {
       });
     });
   });
+
+  test("throws with eventPayload as object", () => {
+    // @ts-expect-error
+    expect(() => sign(secret, eventPayload)).rejects.toThrow(
+      "[@octokit/webhooks-methods] payload must be a string",
+    );
+  });
 });

test/verify.test.ts

@@ -8,7 +8,8 @@ function toNormalizedJsonString(payload: object) {
   });
 }
 
-const eventPayload = toNormalizedJsonString({ foo: "bar" });
+const JSONeventPayload = { foo: "bar" };
+const eventPayload = toNormalizedJsonString(JSONeventPayload);
 const secret = "mysecret";
 const signatureSHA1 = "sha1=640c0ea7402a3f74e1767338fa2dba243b1f2d9c";
 const signatureSHA256 =
@@ -140,6 +141,15 @@ describe("verify", () => {
     );
     expect(signatureMatchesEscapedSequence).toBe(true);
   });
+
+  test("verify(secret, eventPayload, signatureSHA256) with JSON eventPayload", async () => {
+    await expect(() =>
+      // @ts-expect-error
+      verify(secret, JSONeventPayload, signatureSHA256),
+    ).rejects.toThrow(
+      "[@octokit/webhooks-methods] eventPayload must be a string",
+    );
+  });
 });
 
 describe("verifyWithFallback", () => {