fix: remove sha1 algorithm

Author: Uzlopak

src/node/sign.ts

@@ -1,34 +1,17 @@
 import { createHmac } from "crypto";
-import { Algorithm, type SignOptions } from "../types";
 import { VERSION } from "../version";
 
 export async function sign(
-  options: SignOptions | string,
+  secret: string | Buffer,
   payload: string,
 ): Promise<string> {
-  const { secret, algorithm } =
-    typeof options === "object"
-      ? {
-          secret: options.secret,
-          algorithm: options.algorithm || Algorithm.SHA256,
-        }
-      : { secret: options, algorithm: Algorithm.SHA256 };
-
   if (!secret || !payload) {
     throw new TypeError(
       "[@octokit/webhooks-methods] secret & payload required for sign()",
     );
   }
 
-  if (!Object.values(Algorithm).includes(algorithm as Algorithm)) {
-    throw new TypeError(
-      `[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be  'sha1' or 'sha256'`,
-    );
-  }
-
-  return `${algorithm}=${createHmac(algorithm, secret)
-    .update(payload)
-    .digest("hex")}`;
+  return `sha256=${createHmac("sha256", secret).update(payload).digest("hex")}`;
 }
 
 sign.VERSION = VERSION;

src/node/verify.ts

@@ -1,12 +1,11 @@
-import { timingSafeEqual } from "crypto";
+import { createHmac, timingSafeEqual } from "crypto";
 import { Buffer } from "buffer";
 
-import { sign } from "./sign";
 import { VERSION } from "../version";
-import { getAlgorithm } from "../utils";
+import { isValidSignaturePrefix } from "../utils";
 
 export async function verify(
-  secret: string,
+  secret: string | Buffer,
   eventPayload: string,
   signature: string,
 ): Promise<boolean> {
@@ -16,17 +15,19 @@ export async function verify(
     );
   }
 
-  const signatureBuffer = Buffer.from(signature);
-  const algorithm = getAlgorithm(signature);
-
-  const verificationBuffer = Buffer.from(
-    await sign({ secret, algorithm }, eventPayload),
-  );
+  if (isValidSignaturePrefix(signature) === false) {
+    return false;
+  }
+  const signatureBuffer = Buffer.from(signature.slice(7), "hex");
 
-  if (signatureBuffer.length !== verificationBuffer.length) {
+  if (signatureBuffer.length !== 32) {
     return false;
   }
 
+  const verificationBuffer = Buffer.from(
+    createHmac("sha256", secret).update(eventPayload).digest(),
+  );
+
   // constant time comparison to prevent timing attacks
   // https://stackoverflow.com/a/31096242/206879
   // https://en.wikipedia.org/wiki/Timing_attack

src/types.ts

@@ -1,11 +1,3 @@
-export enum Algorithm {
-  SHA1 = "sha1",
-  SHA256 = "sha256",
-}
-
-export type AlgorithmLike = Algorithm | "sha1" | "sha256";
-
 export type SignOptions = {
   secret: string;
-  algorithm?: AlgorithmLike;
 };

src/utils.ts

@@ -1,3 +1,12 @@
-export const getAlgorithm = (signature: string) => {
-  return signature.startsWith("sha256=") ? "sha256" : "sha1";
+export const isValidSignaturePrefix = (signature: string) => {
+  return (
+    signature.length === 71 &&
+    signature[0] === "s" &&
+    signature[1] === "h" &&
+    signature[2] === "a" &&
+    signature[3] === "2" &&
+    signature[4] === "5" &&
+    signature[5] === "6" &&
+    signature[6] === "="
+  );
 };

src/web.ts

@@ -1,5 +1,4 @@
-import { Algorithm, type AlgorithmLike, type SignOptions } from "./types";
-import { getAlgorithm } from "./utils";
+import { type SignOptions } from "./types";
 
 const enc = new TextEncoder();
 
@@ -21,24 +20,15 @@ function UInt8ArrayToHex(signature: ArrayBuffer) {
     .join("");
 }
 
-function getHMACHashName(algorithm: AlgorithmLike) {
-  return (
-    {
-      [Algorithm.SHA1]: "SHA-1",
-      [Algorithm.SHA256]: "SHA-256",
-    } as { [key in Algorithm]: string }
-  )[algorithm];
-}
-
-async function importKey(secret: string, algorithm: AlgorithmLike) {
+async function importKey(secret: string) {
   // ref: https://developer.mozilla.org/en-US/docs/Web/API/HmacImportParams
   return crypto.subtle.importKey(
     "raw", // raw format of the key - should be Uint8Array
     enc.encode(secret),
     {
       // algorithm details
       name: "HMAC",
-      hash: { name: getHMACHashName(algorithm) },
+      hash: { name: "SHA-256" },
     },
     false, // export = false
     ["sign", "verify"], // what this key can do
@@ -50,25 +40,19 @@ export async function sign(options: SignOptions | string, payload: string) {
     typeof options === "object"
       ? {
           secret: options.secret,
-          algorithm: options.algorithm || Algorithm.SHA256,
+          algorithm: "sha256",
         }
-      : { secret: options, algorithm: Algorithm.SHA256 };
+      : { secret: options, algorithm: "sha256" };
 
   if (!secret || !payload) {
     throw new TypeError(
       "[@octokit/webhooks-methods] secret & payload required for sign()",
     );
   }
 
-  if (!Object.values(Algorithm).includes(algorithm as Algorithm)) {
-    throw new TypeError(
-      `[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be  'sha1' or 'sha256'`,
-    );
-  }
-
   const signature = await crypto.subtle.sign(
     "HMAC",
-    await importKey(secret, algorithm),
+    await importKey(secret),
     enc.encode(payload),
   );
 
@@ -86,11 +70,10 @@ export async function verify(
     );
   }
 
-  const algorithm = getAlgorithm(signature);
   return await crypto.subtle.verify(
     "HMAC",
-    await importKey(secret, algorithm),
-    hexToUInt8Array(signature.replace(`${algorithm}=`, "")),
+    await importKey(secret),
+    hexToUInt8Array(signature.replace(`sha256=`, "")),
     enc.encode(eventPayload),
   );
 }

test/sign.test.ts

@@ -35,46 +35,24 @@ describe("sign", () => {
     );
   });
 
-  test("sign({secret, algorithm}) throws with invalid algorithm", async () => {
-    await expect(() =>
-      // @ts-expect-error
-      sign({ secret, algorithm: "sha2" }, eventPayload),
-    ).rejects.toThrow(
-      "[@octokit/webhooks] Algorithm sha2 is not supported. Must be  'sha1' or 'sha256'",
-    );
-  });
-
-  describe("with eventPayload as string", () => {
-    describe("returns expected sha1 signature", () => {
+  describe("with secret as Buffer", () => {
+    describe("returns expected sha256 signature", () => {
       test("sign(secret, eventPayload)", async () => {
-        const signature = await sign(secret, JSON.stringify(eventPayload));
-        expect(signature).toBe(
-          "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3",
+        const signature = await sign(
+          Buffer.from(secret),
+          JSON.stringify(eventPayload),
         );
-      });
-
-      test("sign({secret}, eventPayload)", async () => {
-        const signature = await sign({ secret }, JSON.stringify(eventPayload));
         expect(signature).toBe(
           "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3",
         );
       });
-
-      test("sign({secret, algorithm: 'sha1'}, eventPayload)", async () => {
-        const signature = await sign(
-          { secret, algorithm: "sha1" },
-          JSON.stringify(eventPayload),
-        );
-        expect(signature).toBe("sha1=d03207e4b030cf234e3447bac4d93add4c6643d8");
-      });
     });
+  });
 
+  describe("with eventPayload as string", () => {
     describe("returns expected sha256 signature", () => {
-      test("sign({secret, algorithm: 'sha256'}, eventPayload)", async () => {
-        const signature = await sign(
-          { secret, algorithm: "sha256" },
-          JSON.stringify(eventPayload),
-        );
+      test("sign(secret, eventPayload)", async () => {
+        const signature = await sign(secret, JSON.stringify(eventPayload));
         expect(signature).toBe(
           "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3",
         );

test/verify.test.ts

@@ -10,8 +10,7 @@ function toNormalizedJsonString(payload: object) {
 
 const eventPayload = toNormalizedJsonString({ foo: "bar" });
 const secret = "mysecret";
-const signatureSHA1 = "sha1=640c0ea7402a3f74e1767338fa2dba243b1f2d9c";
-const signatureSHA256 =
+const signature =
   "sha256=e3eccac34c43c7dc1cbb905488b1b81347fcc700a7b025697a9d07862256023f";
 
 describe("verify", () => {
@@ -51,69 +50,40 @@ describe("verify", () => {
     );
   });
 
-  test("verify(secret, eventPayload, signatureSHA1) returns true for correct signature", async () => {
-    const signatureMatches = await verify(secret, eventPayload, signatureSHA1);
+  test("verify(secret, eventPayload, signature) returns true for correct signature", async () => {
+    const signatureMatches = await verify(secret, eventPayload, signature);
     expect(signatureMatches).toBe(true);
   });
 
-  test("verify(secret, eventPayload, signatureSHA1) returns false for incorrect signature", async () => {
-    const signatureMatches = await verify(secret, eventPayload, "foo");
-    expect(signatureMatches).toBe(false);
-  });
-
-  test("verify(secret, eventPayload, signatureSHA1) returns false for correct secret", async () => {
-    const signatureMatches = await verify("foo", eventPayload, signatureSHA1);
-    expect(signatureMatches).toBe(false);
-  });
-
-  test("verify(secret, eventPayload, signatureSHA1) returns true if eventPayload contains special characters (#71)", async () => {
-    // https://github.com/octokit/webhooks.js/issues/71
-    const signatureMatchesLowerCaseSequence = await verify(
-      "development",
-      toNormalizedJsonString({
-        foo: "Foo\n\u001b[34mbar: ♥♥♥♥♥♥♥♥\nthis-is-lost\u001b[0m\u001b[2K",
-      }),
-      "sha1=82a91c5aacc9cdc2eea893bc828bd03d218df79c",
-    );
-    expect(signatureMatchesLowerCaseSequence).toBe(true);
-    const signatureMatchesUpperCaseSequence = await verify(
-      "development",
-      toNormalizedJsonString({
-        foo: "Foo\n\u001B[34mbar: ♥♥♥♥♥♥♥♥\nthis-is-lost\u001B[0m\u001B[2K",
-      }),
-      "sha1=82a91c5aacc9cdc2eea893bc828bd03d218df79c",
-    );
-    expect(signatureMatchesUpperCaseSequence).toBe(true);
-    const signatureMatchesEscapedSequence = await verify(
-      "development",
-      toNormalizedJsonString({
-        foo: "\\u001b",
-      }),
-      "sha1=bdae4705bdd827d026bb227817ca025b5b3a6756",
+  test("verify(secret, eventPayload, signature) returns true for secret provided as Buffer", async () => {
+    const signatureMatches = await verify(
+      Buffer.from(secret),
+      eventPayload,
+      signature,
     );
-    expect(signatureMatchesEscapedSequence).toBe(true);
+    expect(signatureMatches).toBe(true);
   });
 
-  test("verify(secret, eventPayload, signatureSHA256) returns true for correct signature", async () => {
+  test("verify(secret, eventPayload, signature) returns false for incorrect signature", async () => {
     const signatureMatches = await verify(
       secret,
       eventPayload,
-      signatureSHA256,
+      "sha256=xxxccac34c43c7dc1cbb905488b1b81347fcc700a7b025697a9d07862256023f",
     );
-    expect(signatureMatches).toBe(true);
+    expect(signatureMatches).toBe(false);
   });
 
-  test("verify(secret, eventPayload, signatureSHA256) returns false for incorrect signature", async () => {
+  test("verify(secret, eventPayload, signature) returns false for incorrect signature", async () => {
     const signatureMatches = await verify(secret, eventPayload, "foo");
     expect(signatureMatches).toBe(false);
   });
 
-  test("verify(secret, eventPayload, signatureSHA256) returns false for incorrect secret", async () => {
-    const signatureMatches = await verify("foo", eventPayload, signatureSHA256);
+  test("verify(secret, eventPayload, signature) returns false for incorrect secret", async () => {
+    const signatureMatches = await verify("foo", eventPayload, signature);
     expect(signatureMatches).toBe(false);
   });
 
-  test("verify(secret, eventPayload, signatureSHA256) returns true if eventPayload contains special characters (#71)", async () => {
+  test("verify(secret, eventPayload, signature) returns true if eventPayload contains special characters (#71)", async () => {
     // https://github.com/octokit/webhooks.js/issues/71
     const signatureMatchesLowerCaseSequence = await verify(
       "development",
@@ -147,31 +117,31 @@ describe("verifyWithFallback", () => {
     expect(verifyWithFallback).toBeInstanceOf(Function);
   });
 
-  test("verifyWithFallback(secret, eventPayload, signatureSHA256, [bogus]) returns true", async () => {
+  test("verifyWithFallback(secret, eventPayload, signature, [bogus]) returns true", async () => {
     const signatureMatches = await verifyWithFallback(
       secret,
       eventPayload,
-      signatureSHA256,
+      signature,
       ["foo"],
     );
     expect(signatureMatches).toBe(true);
   });
 
-  test("verifyWithFallback(bogus, eventPayload, signatureSHA256, [secret]) returns true", async () => {
+  test("verifyWithFallback(bogus, eventPayload, signature, [secret]) returns true", async () => {
     const signatureMatches = await verifyWithFallback(
       "foo",
       eventPayload,
-      signatureSHA256,
+      signature,
       [secret],
     );
     expect(signatureMatches).toBe(true);
   });
 
-  test("verify(bogus, eventPayload, signatureSHA256, [bogus]) returns false", async () => {
+  test("verify(bogus, eventPayload, signature, [bogus]) returns false", async () => {
     const signatureMatches = await verifyWithFallback(
       "foo",
       eventPayload,
-      signatureSHA256,
+      signature,
       ["foo"],
     );
     expect(signatureMatches).toBe(false);