Add length check to github signature

Signed-off-by: AdamKorcz <[email protected]>

Author: AdamKorcz

github/github.go

@@ -21,6 +21,7 @@ var (
 	ErrEventNotFound             = errors.New("event not defined to be parsed")
 	ErrParsingPayload            = errors.New("error parsing payload")
 	ErrHMACVerificationFailed    = errors.New("HMAC verification failed")
+	ErrWrongHubSignatureHeader   = errors.New("Invalid Github signature")
 )
 
 // Event defines a GitHub hook event type
@@ -166,7 +167,9 @@ func (hook Webhook) Parse(r *http.Request, events ...Event) (interface{}, error)
 		}
 
 		signature = strings.TrimPrefix(signature, "sha256=")
-
+		if len(signature) < 6 {
+			return nil, ErrWrongHubSignatureHeader
+		}
 		mac := hmac.New(sha256.New, []byte(hook.secret))
 		_, _ = mac.Write(payload)
 		expectedMAC := hex.EncodeToString(mac.Sum(nil))

github/github_test.go

@@ -58,6 +58,15 @@ func TestBadRequests(t *testing.T) {
 		payload io.Reader
 		headers http.Header
 	}{
+		{
+			name:    "ShortSignature",
+			event:   CommitCommentEvent,
+			payload: bytes.NewBuffer([]byte("{12345}")),
+			headers: http.Header{
+				"X-Github-Event":  []string{"commit_comment"},
+				"X-Hub-Signature": []string{"sha1"},
+			},
+		},
 		{
 			name:    "BadNoEventHeader",
 			event:   CreateEvent,