Merge pull request #46 from rubberduck-vba/webhook

retailcoder · web-flow · commit d0119a39c55e · 2025-02-05T12:59:17.000-05:00
Fix webhook auth: use HMACSHA256
diff --git a/rubberduckvba.Server/WebhookSignatureValidationService.cs b/rubberduckvba.Server/WebhookSignatureValidationService.cs
@@ -61,11 +61,13 @@ private bool IsValidSignature(string? signature, string payload)
         {
             return false;
         }
-        using var sha256 = SHA256.Create();
 
         var secret = configuration.GitHubOptions.Value.WebhookToken;
-        var bytes = Encoding.UTF8.GetBytes(secret + payload);
-        var check = $"sha256={Encoding.UTF8.GetString(sha256.ComputeHash(bytes))}";
+        var secretBytes = Encoding.UTF8.GetBytes(secret);
+        var payloadbytes = Encoding.UTF8.GetBytes(payload);
+
+        using var digest = new HMACSHA256(secretBytes);
+        var check = $"sha256={Encoding.UTF8.GetString(digest.ComputeHash(payloadbytes))}";
 
         return signature == check;
     }

Original file line number	Diff line number	Diff line change
`@@ -61,11 +61,13 @@ private bool IsValidSignature(string? signature, string payload)`
`61`	`61`	`{`
`62`	`62`	`return false;`
`63`	`63`	`}`
`64`		`- using var sha256 = SHA256.Create();`
`65`	`64`
`66`	`65`	`var secret = configuration.GitHubOptions.Value.WebhookToken;`
`67`		`- var bytes = Encoding.UTF8.GetBytes(secret + payload);`
`68`		`- var check = $"sha256={Encoding.UTF8.GetString(sha256.ComputeHash(bytes))}";`
	`66`	`+ var secretBytes = Encoding.UTF8.GetBytes(secret);`
	`67`	`+ var payloadbytes = Encoding.UTF8.GetBytes(payload);`
	`68`	`+`
	`69`	`+ using var digest = new HMACSHA256(secretBytes);`
	`70`	`+ var check = $"sha256={Encoding.UTF8.GetString(digest.ComputeHash(payloadbytes))}";`
`69`	`71`
`70`	`72`	`return signature == check;`
`71`	`73`	`}`