-
Notifications
You must be signed in to change notification settings - Fork 73
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Verify Slack webhook tokens #776
base: develop
Are you sure you want to change the base?
Conversation
Signed-off-by: Tadeusz „tadzik” Sośnierz <tadeusz@sosnierz.com>
Signed-off-by: Tadeusz „tadzik” Sośnierz <tadeusz@sosnierz.com>
src/SlackHookHandler.ts
Outdated
@@ -85,7 +85,7 @@ export class SlackHookHandler extends BaseSlackHandler { | |||
} | |||
} | |||
|
|||
private onRequest(req: IncomingMessage, res: ServerResponse) { | |||
public _onRequest(req: IncomingMessage, res: ServerResponse) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems quite cheeky. If you're mocking stuff, why not hookHandler["onRequest"]
to get around the public/private check.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Getting around the check seems dirtier to me, to be honest. I won't fight for it though, I'm fine with either.
src/SlackHookHandler.ts
Outdated
@@ -67,7 +67,7 @@ export class SlackHookHandler extends BaseSlackHandler { | |||
createServer = (cb) => httpsCreate(tlsOptions, cb); | |||
} | |||
return new Promise<void>((resolve, reject) => { | |||
const srv = createServer(this.onRequest.bind(this)); | |||
const srv = createServer(this._onRequest.bind(this)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not a huge fan of the underscore prefix, smells like snakes
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed in 2d97794?diff=unified&w=1
tests/integration/WebhookTest.ts
Outdated
let room = new BridgedRoom(harness.main as unknown as Main, { | ||
matrix_room_id: '!foo:bar.baz', | ||
inbound_id: randomstring.generate(32), | ||
slack_webhook_token: randomstring.generate(24), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about no token at all :). Or null, or true
etc etc :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added a few more in tadzik@4d312a3?diff=unified&w=1 :)
@@ -0,0 +1 @@ | |||
Verify Slack webhook tokens. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I figured bugfix
is the closest this comes to, since it was arguably a bug that we never did this before.
This will unfortunately require relinking all existing channels that use webhooks.
I pondered making this optional, but in the spirit of being secure by default, it's probably best if we mandate this.
Existing rooms will have to be unlinked and linked again (or have their database entries updated manually).
This also increases SlackHookHandler's test coverage by ~18% (from 9.39% to 27.51%) :)