vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-03-26 17:32:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Hardening: require LINE webhook signatures (#44090)

Browse Source 
* LINE: require webhook signatures in express handler

* LINE: require webhook signatures in node handler

* LINE: update express signature tests

* LINE: update node signature tests

* Changelog: note LINE webhook hardening

* LINE: validate signatures before parsing webhook bodies

* LINE: reject missing signatures before body reads
This commit is contained in:
Vincent Koc
2026-03-12 10:50:36 -04:00
committed by GitHub
parent c965049dc6
commit 48cbfdfac0
6 changed files with 60 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
src/line/webhook-node.test.ts
View File

@@ -86,13 +86,26 @@ describe("createLineNodeWebhookHandler", () => {
expect(res.body).toBeUndefined();
});
it("returns 200 for verification request (empty events, no signature)", async () => {
it("rejects verification-shaped requests without a signature", async () => {
const rawBody = JSON.stringify({ events: [] });
const { bot, handler } = createPostWebhookTestHarness(rawBody);
const { res, headers } = createRes();
await handler({ method: "POST", headers: {} } as unknown as IncomingMessage, res);
expect(res.statusCode).toBe(400);
expect(headers["content-type"]).toBe("application/json");
expect(res.body).toBe(JSON.stringify({ error: "Missing X-Line-Signature header" }));
expect(bot.handleWebhook).not.toHaveBeenCalled();
});
it("accepts signed verification-shaped requests without dispatching events", async () => {
const rawBody = JSON.stringify({ events: [] });
const { bot, handler, secret } = createPostWebhookTestHarness(rawBody);
const { res, headers } = createRes();
await runSignedPost({ handler, rawBody, secret, res });
expect(res.statusCode).toBe(200);
expect(headers["content-type"]).toBe("application/json");
expect(res.body).toBe(JSON.stringify({ status: "ok" }));
@@ -121,13 +134,10 @@ describe("createLineNodeWebhookHandler", () => {
expect(bot.handleWebhook).not.toHaveBeenCalled();
});
it("uses a tight body-read limit for unsigned POST requests", async () => {
it("rejects unsigned POST requests before reading the body", async () => {
const bot = { handleWebhook: vi.fn(async () => {}) };
const runtime = { log: vi.fn(), error: vi.fn(), exit: vi.fn() };
const readBody = vi.fn(async (_req: IncomingMessage, maxBytes: number) => {
expect(maxBytes).toBe(4096);
return JSON.stringify({ events: [{ type: "message" }] });
});
const readBody = vi.fn(async () => JSON.stringify({ events: [{ type: "message" }] }));
const handler = createLineNodeWebhookHandler({
channelSecret: "secret",
bot,
@@ -139,7 +149,7 @@ describe("createLineNodeWebhookHandler", () => {
await handler({ method: "POST", headers: {} } as unknown as IncomingMessage, res);
expect(res.statusCode).toBe(400);
expect(readBody).toHaveBeenCalledTimes(1);
expect(readBody).not.toHaveBeenCalled();
expect(bot.handleWebhook).not.toHaveBeenCalled();
});