GitHub Code Scanning Alerts on hub.challenge when using Express.js

We are implementing a [subscriber](https://github.com/builders-club/number-one/blob/65ea5703ba94d40ee60c8578ca28defe96fcfdf2/src/webhooks/index.ts#L73-L73) to the Twitch.tv API. The GitHub Code Scanning system flags it as a [CWE-79](https://cwe.mitre.org/data/definitions/79.html) and [CWE-116](https://cwe.mitre.org/data/definitions/79.html) violation.

It suggests escaping the value like this:

```javascript
response.status(200).send(escape(request.query['hub.challenge']));
```
Section 5.3.1 Verification Details says that the subscriber MUST respond with a status of 200 and response body equal to the `hub.challenge` value. It does not offer a format for the `hub.challenge` value. Escaping it could alter the value in a way that makes it unacceptable to the hub.

I suspect in implementation that it is just a hash, but it is not a part of the spec so cannot be relied on.

Tracking here: builders-club/number-one#76

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

GitHub Code Scanning Alerts on hub.challenge when using Express.js #167

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

GitHub Code Scanning Alerts on hub.challenge when using Express.js #167

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions