‘verify’ should not detect the algorithm from the unverified signature #39
Labels: Status: Up for grabs (issues that are ready to be worked on by anyone); Type: Bug (something isn't working as documented)
Although HMAC-SHA1 is still believed to be secure at this time, if the point of GitHub’s migration from HMAC-SHA1 to HMAC-SHA256 was to guard against potential future weaknesses in HMAC-SHA1, that point is entirely negated when an attacker can force a signature to be treated as HMAC-SHA1 simply by starting it with `sha1=`.
webhooks-methods.js/src/node/verify.ts, lines 7 to 9 in 3fdcecf
To fix this, the `verify` API needs to be changed to take the expected algorithm as a parameter, rather than detecting it from the unverified signature string.