fix: only parse payload once (#921)

octokit · Nov 16, 2023 · a12200f · a12200f
1 parent cc836d0
commit a12200f
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 15 deletions.
diff --git a/src/middleware/node/get-payload.ts b/src/middleware/node/get-payload.ts
@@ -25,16 +25,6 @@ export function getPayload(request: IncomingMessage): Promise<string> {
     // istanbul ignore next
     request.on("error", (error: Error) => reject(new AggregateError([error])));
     request.on("data", (chunk: string) => (data += chunk));
-    request.on("end", () => {
-      try {
-        // Call JSON.parse() only to check if the payload is valid JSON
-        JSON.parse(data);
-        resolve(data);
-      } catch (error: any) {
-        error.message = "Invalid JSON";
-        error.status = 400;
-        reject(new AggregateError([error]));
-      }
-    });
+    request.on("end", () => resolve(data));
   });
 }
diff --git a/src/verify-and-receive.ts b/src/verify-and-receive.ts
@@ -1,14 +1,16 @@
+import AggregateError from "aggregate-error";
 import { verify } from "@octokit/webhooks-methods";
 
 import type {
+  EmitterWebhookEvent,
   EmitterWebhookEventWithStringPayloadAndSignature,
   State,
 } from "./types";
 
 export async function verifyAndReceive(
   state: State & { secret: string },
   event: EmitterWebhookEventWithStringPayloadAndSignature,
-): Promise<any> {
+): Promise<void> {
   // verify will validate that the secret is not undefined
   const matchesSignature = await verify(
     state.secret,
@@ -26,9 +28,18 @@ export async function verifyAndReceive(
     );
   }
 
+  let payload: EmitterWebhookEvent["payload"];
+  try {
+    payload = JSON.parse(event.payload);
+  } catch (error: any) {
+    error.message = "Invalid JSON";
+    error.status = 400;
+    throw new AggregateError([error]);
+  }
+
   return state.eventHandler.receive({
     id: event.id,
     name: event.name,
-    payload: JSON.parse(event.payload),
+    payload,
   });
 }
diff --git a/test/integration/node-middleware.test.ts b/test/integration/node-middleware.test.ts
@@ -178,6 +178,8 @@ describe("createNodeMiddleware(webhooks)", () => {
     // @ts-expect-error complains about { port } although it's included in returned AddressInfo interface
     const { port } = server.address();
 
+    const payload = '{"name":"invalid"';
+
     const response = await fetch(
       `http://localhost:${port}/api/github/webhooks`,
       {
@@ -186,9 +188,9 @@ describe("createNodeMiddleware(webhooks)", () => {
           "Content-Type": "application/json",
           "X-GitHub-Delivery": "123e4567-e89b-12d3-a456-426655440000",
           "X-GitHub-Event": "push",
-          "X-Hub-Signature-256": signatureSha256,
+          "X-Hub-Signature-256": await sign("mySecret", payload),
         },
-        body: "invalid",
+        body: payload,
       },
     );