security(line): cap unsigned webhook body read budget

This commit is contained in:
Brian Mendonca
2026-02-24 21:22:36 -07:00
committed by Peter Steinberger
parent 107bda27c9
commit 19d2a8998b
2 changed files with 36 additions and 3 deletions


@@ -104,6 +104,28 @@ describe("createLineNodeWebhookHandler", () => {
expect(bot.handleWebhook).not.toHaveBeenCalled();
});
it("uses a tight body-read limit for unsigned POST requests", async () => {
const bot = { handleWebhook: vi.fn(async () => {}) };
const runtime = { log: vi.fn(), error: vi.fn(), exit: vi.fn() };
const readBody = vi.fn(async (_req: IncomingMessage, maxBytes: number) => {
expect(maxBytes).toBe(4096);
return JSON.stringify({ events: [{ type: "message" }] });
});
const handler = createLineNodeWebhookHandler({
channelSecret: "secret",
bot,
runtime,
readBody,
});
const { res } = createRes();
await handler({ method: "POST", headers: {} } as unknown as IncomingMessage, res);
expect(res.statusCode).toBe(400);
expect(readBody).toHaveBeenCalledTimes(1);
expect(bot.handleWebhook).not.toHaveBeenCalled();
});
it("rejects invalid signature", async () => {
const rawBody = JSON.stringify({ events: [{ type: "message" }] });
const { bot, handler } = createPostWebhookTestHarness(rawBody);
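Review bot: The `expect(maxBytes).toBe(4096)` placed inside the `readBody` mock is only enforced if the handler lets a throw from `readBody` propagate; because the handler answers 400 after the read here, it may well be catching read failures, in which case a wrong limit would be swallowed and the test would still pass on the 400 and `toHaveBeenCalledTimes(1)` checks alone. Assert the budget after the call instead, where it cannot be swallowed: drop the inline expect and add `expect(readBody).toHaveBeenCalledWith(expect.anything(), 4096);` after the `await handler(...)` line. The mock also returns a well-formed body, so the case the cap exists for — an unsigned request whose body exceeds the budget — is not exercised; a second case where the mock rejects would show the request is refused and `bot.handleWebhook` is still not reached, if the handler distinguishes that path. Whether the handler could skip the body read entirely when the signature header is absent is not visible in this hunk.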