Add length check to github signature

Signed-off-by: AdamKorcz <[email protected]>
go-playground · Nov 18, 2023 · 34f4b9b · 34f4b9b
1 parent c3b1a44
commit 34f4b9b
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/github/github.go b/github/github.go
@@ -20,6 +20,7 @@ var (
 	ErrEventNotFound             = errors.New("event not defined to be parsed")
 	ErrParsingPayload            = errors.New("error parsing payload")
 	ErrHMACVerificationFailed    = errors.New("HMAC verification failed")
+	ErrWrongHubSignatureHeader   = errors.New("Invalid Github signature")
 )
 
 // Event defines a GitHub hook event type
@@ -163,6 +164,9 @@ func (hook Webhook) Parse(r *http.Request, events ...Event) (interface{}, error)
 		if len(signature) == 0 {
 			return nil, ErrMissingHubSignatureHeader
 		}
+		if len(signature) < 6 {
+			return nil, ErrWrongHubSignatureHeader
+		}
 		mac := hmac.New(sha1.New, []byte(hook.secret))
 		_, _ = mac.Write(payload)
 		expectedMAC := hex.EncodeToString(mac.Sum(nil))