Skip to content

Commit

Permalink
updated to check against 'Signature-256' request header (fixes #47)
Browse files Browse the repository at this point in the history
  • Loading branch information
tejashah88 committed Jan 10, 2024
1 parent 48dfece commit 24de7ae
Show file tree
Hide file tree
Showing 8 changed files with 1,957 additions and 1,132 deletions.
10 changes: 9 additions & 1 deletion .github/workflows/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,14 +21,22 @@ jobs:
# The type of runner that the job will run on
runs-on: ubuntu-latest

# Specify which node versions should this module be tested against
strategy:
matrix:
node-version: [ 12, 14, 16, 18, 20 ]

# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}

# Runs a single command using the runners shell
- name: setup
run: npm install
run: npm ci

# Runs a single command using the runners shell
- name: tests
Expand Down
93 changes: 89 additions & 4 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,13 @@
logs
*.log
npm-debug.log*
yarn-debug.log*
yarn-error.log*
lerna-debug.log*
.pnpm-debug.log*

# Diagnostic reports (https://nodejs.org/api/report.html)
report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json

# Runtime data
pids
Expand All @@ -14,29 +21,48 @@ lib-cov

# Coverage directory used by tools like istanbul
coverage
*.lcov

# nyc test coverage
.nyc_output

# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
.grunt

# Bower dependency directory (https://bower.io/)
bower_components

# node-waf configuration
.lock-wscript

# Compiled binary addons (http://nodejs.org/api/addons.html)
# Compiled binary addons (https://nodejs.org/api/addons.html)
build/Release

# Dependency directories
node_modules
jspm_packages
node_modules/
jspm_packages/

# Snowpack dependency directory (https://snowpack.dev/)
web_modules/

# TypeScript cache
*.tsbuildinfo

# Optional npm cache directory
.npm

# Optional eslint cache
.eslintcache

# Optional stylelint cache
.stylelintcache

# Microbundle cache
.rpt2_cache/
.rts2_cache_cjs/
.rts2_cache_es/
.rts2_cache_umd/

# Optional REPL history
.node_repl_history

Expand All @@ -46,3 +72,62 @@ jspm_packages
# Yarn Integrity file
.yarn-integrity

# dotenv environment variable files
.env
.env.development.local
.env.test.local
.env.production.local
.env.local

# parcel-bundler cache (https://parceljs.org/)
.cache
.parcel-cache

# Next.js build output
.next
out

# Nuxt.js build / generate output
.nuxt
dist

# Gatsby files
.cache/
# Comment in the public line in if your project uses Gatsby and not Next.js
# https://nextjs.org/blog/next-9-1#public-directory-support
# public

# vuepress build output
.vuepress/dist

# vuepress v2.x temp and cache directory
.temp
.cache

# Docusaurus cache and generated files
.docusaurus

# Serverless directories
.serverless/

# FuseBox cache
.fusebox/

# DynamoDB Local files
.dynamodb/

# TernJS port file
.tern-port

# Stores VSCode versions used for testing VSCode extensions
.vscode-test

# yarn v2
.yarn/cache
.yarn/unplugged
.yarn/build-state.yml
.yarn/install-state.gz
.pnp.*

# node-TAP generated files
.tap
4 changes: 4 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,7 @@
## 3.0.0
* BREAKING: Updated to check against SHA-256 signature of request body (#47)


## 2.0.3
* Remediates CVE-2021-3765

Expand Down
5 changes: 3 additions & 2 deletions index.js
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ export default function alexaVerifierMiddleware (req, res, next) {
// other body parser middlewares
req._body = true
req.rawBody = ''

req.on('data', function (data) {
return req.rawBody += data
})
Expand All @@ -33,8 +34,8 @@ export default function alexaVerifierMiddleware (req, res, next) {
req.body = { }
}

certUrl = req.headers.signaturecertchainurl
signature = req.headers.signature
certUrl = req.headers['signaturecertchainurl']
signature = req.headers['signature-256']

verifier(certUrl, signature, req.rawBody, function (er) {
if (er)
Expand Down
Loading

0 comments on commit 24de7ae

Please sign in to comment.