fix: Verify signature of payloads containing control characters (#102)

yakanechi · web-flow · commit bc7f7b2cc282 · 2025-09-30T12:51:06.000-07:00
diff --git a/index.js b/index.js
@@ -371,22 +371,23 @@ class BitbucketScm extends Scm {
      * necessary data to execute a Screwdriver job with.
      * @method parseHook
      * @param  {Object}  headers  The request headers associated with the webhook payload
-     * @param  {Object}  payload  The webhook payload received from the SCM service.
+     * @param  {String}  payload  The webhook payload received from the SCM service.
      * @return {Object}           A key-map of data related to the received payload
      */
     async _parseHook(headers, payload) {
+        const parsedPayload = JSON.parse(payload);
         const [typeHeader, actionHeader] = headers['x-event-key'].split(':');
         const parsed = {};
         const scmContexts = this._getScmContexts();
 
         parsed.hookId = headers['x-request-uuid'];
         parsed.scmContext = scmContexts[0];
 
-        if (hoek.reach(payload, 'repository.links.html.href') === undefined) {
+        if (hoek.reach(parsedPayload, 'repository.links.html.href') === undefined) {
             throwError('Invalid webhook payload', 400);
         }
 
-        const link = Url.parse(hoek.reach(payload, 'repository.links.html.href'));
+        const link = Url.parse(hoek.reach(parsedPayload, 'repository.links.html.href'));
         const checkoutUrl = `${link.protocol}//${link.hostname}${link.pathname}.git`;
 
         if (!`${link.hostname}${link.pathname}.git`.startsWith(this.hostname)) {
@@ -398,11 +399,11 @@ class BitbucketScm extends Scm {
                 if (actionHeader !== 'push') {
                     return null;
                 }
-                const changes = hoek.reach(payload, 'push.changes');
+                const changes = hoek.reach(parsedPayload, 'push.changes');
 
                 parsed.type = 'repo';
                 parsed.action = 'push';
-                parsed.username = hoek.reach(payload, 'actor.uuid');
+                parsed.username = hoek.reach(parsedPayload, 'actor.uuid');
                 parsed.checkoutUrl = checkoutUrl;
                 parsed.branch = hoek.reach(changes[0], 'new.name');
                 parsed.sha = hoek.reach(changes[0], 'new.target.hash');
@@ -422,14 +423,14 @@ class BitbucketScm extends Scm {
                 }
 
                 parsed.type = 'pr';
-                parsed.username = hoek.reach(payload, 'actor.uuid');
+                parsed.username = hoek.reach(parsedPayload, 'actor.uuid');
                 parsed.checkoutUrl = checkoutUrl;
-                parsed.branch = hoek.reach(payload, 'pullrequest.destination.branch.name');
-                parsed.sha = hoek.reach(payload, 'pullrequest.source.commit.hash');
-                parsed.prNum = hoek.reach(payload, 'pullrequest.id');
-                parsed.prRef = hoek.reach(payload, 'pullrequest.source.branch.name');
+                parsed.branch = hoek.reach(parsedPayload, 'pullrequest.destination.branch.name');
+                parsed.sha = hoek.reach(parsedPayload, 'pullrequest.source.commit.hash');
+                parsed.prNum = hoek.reach(parsedPayload, 'pullrequest.id');
+                parsed.prRef = hoek.reach(parsedPayload, 'pullrequest.source.branch.name');
 
-                const state = hoek.reach(payload, 'pullrequest.state');
+                const state = hoek.reach(parsedPayload, 'pullrequest.state');
 
                 parsed.prMerged = state === 'MERGED';
 
@@ -1065,7 +1066,7 @@ class BitbucketScm extends Scm {
      * Determine if a scm module can handle the received webhook
      * @method canHandleWebhook
      * @param  {Object}    headers     The request headers associated with the webhook payload
-     * @param  {Object}    payload     The webhook payload received from the SCM service
+     * @param  {String}    payload     The webhook payload received from the SCM service
      * @return {Promise}
      */
     _canHandleWebhook(headers, payload) {
diff --git a/test/index.test.js b/test/index.test.js
@@ -332,7 +332,9 @@ describe('index', function () {
                 'x-request-uuid': '1e8d4e8e-5fcf-4624-b091-b10bd6ecaf5e'
             };
 
-            return scm.parseHook(headers, testPayloadOpen).then(result => assert.deepEqual(result, expected));
+            return scm
+                .parseHook(headers, JSON.stringify(testPayloadOpen))
+                .then(result => assert.deepEqual(result, expected));
         });
 
         it('resolves the correct parsed config for sync PR (ammending commit)', () => {
@@ -354,7 +356,9 @@ describe('index', function () {
                 'x-request-uuid': '1e8d4e8e-5fcf-4624-b091-b10bd6ecaf5e'
             };
 
-            return scm.parseHook(headers, testPayloadSync).then(result => assert.deepEqual(result, expected));
+            return scm
+                .parseHook(headers, JSON.stringify(testPayloadSync))
+                .then(result => assert.deepEqual(result, expected));
         });
 
         it('resolves the correct parsed config for closed PR after merged', () => {
@@ -376,7 +380,9 @@ describe('index', function () {
                 'x-request-uuid': '1e8d4e8e-5fcf-4624-b091-b10bd6ecaf5e'
             };
 
-            return scm.parseHook(headers, testPayloadClose).then(result => assert.deepEqual(result, expected));
+            return scm
+                .parseHook(headers, JSON.stringify(testPayloadClose))
+                .then(result => assert.deepEqual(result, expected));
         });
 
         it('resolves the correct parsed config for closed PR after declined', () => {
@@ -398,7 +404,9 @@ describe('index', function () {
                 'x-request-uuid': '1e8d4e8e-5fcf-4624-b091-b10bd6ecaf5e'
             };
 
-            return scm.parseHook(headers, testPayloadClose).then(result => assert.deepEqual(result, expected));
+            return scm
+                .parseHook(headers, JSON.stringify(testPayloadClose))
+                .then(result => assert.deepEqual(result, expected));
         });
 
         it('resolves the correct parsed config for push to repo event', () => {
@@ -418,31 +426,39 @@ describe('index', function () {
                 'x-request-uuid': '1e8d4e8e-5fcf-4624-b091-b10bd6ecaf5e'
             };
 
-            return scm.parseHook(headers, testPayloadPush).then(result => assert.deepEqual(result, expected));
+            return scm
+                .parseHook(headers, JSON.stringify(testPayloadPush))
+                .then(result => assert.deepEqual(result, expected));
         });
 
         it('resolves null if events are not supported: repoFork', () => {
             const repoFork = {
                 'x-event-key': 'repo:fork'
             };
 
-            return scm.parseHook(repoFork, testPayloadFork).then(result => assert.deepEqual(result, null));
+            return scm
+                .parseHook(repoFork, JSON.stringify(testPayloadFork))
+                .then(result => assert.deepEqual(result, null));
         });
 
         it('resolves null if events are not supported: prComment', () => {
             const prComment = {
                 'x-event-key': 'pullrequest:comment_created'
             };
 
-            return scm.parseHook(prComment, testPayloadPrCommentCreate).then(result => assert.deepEqual(result, null));
+            return scm
+                .parseHook(prComment, JSON.stringify(testPayloadPrCommentCreate))
+                .then(result => assert.deepEqual(result, null));
         });
 
         it('resolves null if events are not supported: issueCreated', () => {
             const issueCreated = {
                 'x-event-key': 'issue:created'
             };
 
-            return scm.parseHook(issueCreated, testPayloadIssueCreate).then(result => assert.deepEqual(result, null));
+            return scm
+                .parseHook(issueCreated, JSON.stringify(testPayloadIssueCreate))
+                .then(result => assert.deepEqual(result, null));
         });
     });
 
@@ -1861,47 +1877,47 @@ describe('index', function () {
         it('returns a true for a opened PR.', () => {
             headers['x-event-key'] = 'pullrequest:created';
 
-            return scm.canHandleWebhook(headers, testPayloadOpen).then(result => {
+            return scm.canHandleWebhook(headers, JSON.stringify(testPayloadOpen)).then(result => {
                 assert.strictEqual(result, true);
             });
         });
 
         it('returns a true for a sync PR (ammending commit).', () => {
             headers['x-event-key'] = 'pullrequest:updated';
 
-            return scm.canHandleWebhook(headers, testPayloadSync).then(result => {
+            return scm.canHandleWebhook(headers, JSON.stringify(testPayloadSync)).then(result => {
                 assert.isTrue(result);
             });
         });
 
         it('returns a true for closed PR after merged.', () => {
             headers['x-event-key'] = 'pullrequest:fullfilled';
 
-            return scm.canHandleWebhook(headers, testPayloadClose).then(result => {
+            return scm.canHandleWebhook(headers, JSON.stringify(testPayloadClose)).then(result => {
                 assert.isTrue(result);
             });
         });
 
         it('returns a true for closed PR after declined.', () => {
             headers['x-event-key'] = 'pullrequest:rejected';
 
-            return scm.canHandleWebhook(headers, testPayloadClose).then(result => {
+            return scm.canHandleWebhook(headers, JSON.stringify(testPayloadClose)).then(result => {
                 assert.isTrue(result);
             });
         });
 
         it('returns a true for a push event payload.', () => {
             headers['x-event-key'] = 'repo:push';
 
-            return scm.canHandleWebhook(headers, testPayloadPush).then(result => {
+            return scm.canHandleWebhook(headers, JSON.stringify(testPayloadPush)).then(result => {
                 assert.isTrue(result);
             });
         });
 
         it('returns a true when _parseHook() returns null.', () => {
             headers['x-event-key'] = 'issue:created';
 
-            return scm.canHandleWebhook(headers, testPayloadPush).then(result => {
+            return scm.canHandleWebhook(headers, JSON.stringify(testPayloadPush)).then(result => {
                 assert.isTrue(result);
             });
         });
@@ -1910,7 +1926,7 @@ describe('index', function () {
             // eslint-disable-next-line no-underscore-dangle
             scm._parseHook = () => Promise.reject(new Error('Test error'));
 
-            return scm.canHandleWebhook(headers, testPayloadPush).then(result => {
+            return scm.canHandleWebhook(headers, JSON.stringify(testPayloadPush)).then(result => {
                 assert.strictEqual(result, false);
             });
         });
@@ -1919,7 +1935,7 @@ describe('index', function () {
             headers['x-event-key'] = 'repo:push';
             testPayloadPush.repository.links.html.href = 'https://github.com/batman/test';
 
-            return scm.canHandleWebhook(headers, testPayloadPush).then(result => {
+            return scm.canHandleWebhook(headers, JSON.stringify(testPayloadPush)).then(result => {
                 assert.isFalse(result);
             });
         });
