verify: does not gracefully handle invalid signatures #80
Comments
Thanks for reporting this! Just to clarify, do the example values you provided in your issue trigger this error? (I haven't had a chance to test yet.) Would you be open to making a PR to fix this? I'd be happy to review your contribution!

Yes, I think any signature that starts with something other than hex, 2 or more non-hex characters, will reproduce.

I'll see if I have time to make a PR sometime today or tomorrow.

Looks like a Deno error to me, I cannot reproduce it with Node. Tested with Node v18.8.0 and v16.17.0. Unfortunately the libraries are not native ESM yet, Deno is using a built version of the code base served from skypack.dev, the build step might also be the culprit here.

I see there are some browser tests. We can confirm if it is broken by adding additional test cases there first.

The browser version is completely independent of the node implementation. In fact, I think the browser version has some other behavior differences too. e.g. I have to strip "sha256=" from the signature before passing it into

It might be worthwhile to write the browser/web tests in Deno. Any concerns with me dropping puppeteer in favor of Deno here?

Why not both? Maybe start a PR with Deno tests, without removing the existing tests, and we take it from there?
- configure devcontainer:
  - image: default + Deno
  - extensions: +Deno +Prettier
  - Deno extension: only enabled for Deno test files
- configure Deno to ignore Jest tests
- configure Jest to ignore Deno tests
- add simple `sign` and `verify` Deno tests (more can be added later)

Refs octokit#80
Initial Deno tests PR: #81

I think the proper thing to do is to catch these errors and handle them in your own code. We are switching to outputting ESM in the next major version, which should help out with these things.
What happened?

An invalid signature was sent in a request and my server returned a 500, Internal Server Error, due to `verify` rejecting with a `TypeError`.

What did you expect to happen?

For `verify` to resolve to `false`.

What the problem might be

`verify` does not validate the format of the signature before attempting to iterate over character pairs (e.g. `/^[\dA-F]{64}$/i`).