vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-22 06:32:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

security(line): cap unsigned webhook body read budget

Browse Source
This commit is contained in:
Brian Mendonca
2026-02-24 21:22:36 -07:00
committed by Peter Steinberger
parent 107bda27c9
commit 19d2a8998b
2 changed files with 36 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
src/line/webhook-node.test.ts
View File

@@ -104,6 +104,28 @@ describe("createLineNodeWebhookHandler", () => {
expect(bot.handleWebhook).not.toHaveBeenCalled();
});
it("uses a tight body-read limit for unsigned POST requests", async () => {
const bot = { handleWebhook: vi.fn(async () => {}) };
const runtime = { log: vi.fn(), error: vi.fn(), exit: vi.fn() };
const readBody = vi.fn(async (_req: IncomingMessage, maxBytes: number) => {
expect(maxBytes).toBe(4096);
return JSON.stringify({ events: [{ type: "message" }] });
});
const handler = createLineNodeWebhookHandler({
channelSecret: "secret",
bot,
runtime,
readBody,
});
const { res } = createRes();
await handler({ method: "POST", headers: {} } as unknown as IncomingMessage, res);
expect(res.statusCode).toBe(400);
expect(readBody).toHaveBeenCalledTimes(1);
expect(bot.handleWebhook).not.toHaveBeenCalled();
});
it("rejects invalid signature", async () => {
const rawBody = JSON.stringify({ events: [{ type: "message" }] });
const { bot, handler } = createPostWebhookTestHarness(rawBody);

17
src/line/webhook-node.ts
View File

@@ -11,6 +11,7 @@ import { validateLineSignature } from "./signature.js";
import { isLineWebhookVerificationRequest, parseLineWebhookBody } from "./webhook-utils.js";
const LINE_WEBHOOK_MAX_BODY_BYTES = 1024 * 1024;
const LINE_WEBHOOK_UNSIGNED_MAX_BODY_BYTES = 4 * 1024;
const LINE_WEBHOOK_BODY_TIMEOUT_MS = 30_000;
export async function readLineWebhookRequestBody(
@@ -54,8 +55,18 @@ export function createLineNodeWebhookHandler(params: {
}
try {
const rawBody = await readBody(req, maxBodyBytes);
const signature = req.headers["x-line-signature"];
const signatureHeader = req.headers["x-line-signature"];
const signature =
typeof signatureHeader === "string"
? signatureHeader
: Array.isArray(signatureHeader)
? signatureHeader[0]
: undefined;
const hasSignature = typeof signature === "string" && signature.trim().length > 0;
const bodyLimit = hasSignature
? maxBodyBytes
: Math.min(maxBodyBytes, LINE_WEBHOOK_UNSIGNED_MAX_BODY_BYTES);
const rawBody = await readBody(req, bodyLimit);
// Parse once; we may need it for verification requests and for event processing.
const body = parseLineWebhookBody(rawBody);
@@ -63,7 +74,7 @@ export function createLineNodeWebhookHandler(params: {
// LINE webhook verification sends POST {"events":[]} without a
// signature header. Return 200 so the LINE Developers Console
// "Verify" button succeeds.
if (!signature || typeof signature !== "string") {
if (!hasSignature) {
if (isLineWebhookVerificationRequest(body)) {
logVerbose("line: webhook verification request (empty events, no signature) - 200 OK");
res.statusCode = 200;