Commit415c7d1

authored and

GiteaBot

committed

Fix Feishu webhook signature verification (go-gitea#34788)

# Fix Feishu Webhook Signature VerificationThis PR implements proper signature verification for Feishu (Lark)webhooks according to the [officialdocumentation](https://open.feishu.cn/document/client-docs/bot-v3/add-custom-bot).## Changes- Implemented the `GenSign` function based on Feishu's official Gosample code- Modified the webhook request creation to include timestamp andsignature in the payload when a secret is configured- Fixed the signature generation algorithm to properly use HMAC-SHA256with the correct string format## Implementation DetailsThe signature verification works as follows:1. When a webhook secret is provided, a timestamp is generated2. The signature string is created using `timestamp + "\n" + secret`3. The HMAC-SHA256 algorithm is applied to an empty string using thesignature string as the key4. The result is Base64 encoded to produce the final signature5. Both timestamp and signature are added to the payloadAccording to Feishu's documentation, the timestamp must be within 1 hour(3600 seconds) of the current time to be considered valid.## Security NoteFeishu emphasizes the importance of keeping webhook URLs secure. Do notdisclose them on GitHub, blogs, or any public sites to preventunauthorized use.## References- [Feishu Custom BotDocumentation](https://open.feishu.cn/document/client-docs/bot-v3/add-custom-bot)---------Co-authored-by: hiifong <i@hiif.ong>Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

1 parentacd4e10 commit415c7d1Copy full SHA for 415c7d1

File tree

3 files changed

+39

-6

lines changed

services/webhook

3 files changed

+39

-6

lines changed

`‎services/webhook/feishu.go‎`

Lines changed: 31 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -5,9 +5,13 @@ package webhook`
`5`	`5`
`6`	`6`	`import (`
`7`	`7`	`"context"`
	`8`	`+"crypto/hmac"`
	`9`	`+"crypto/sha256"`
	`10`	`+"encoding/base64"`
`8`	`11`	`"fmt"`
`9`	`12`	`"net/http"`
`10`	`13`	`"strings"`
	`14`	`+"time"`
`11`	`15`
`12`	`16`	`webhook_model"code.gitea.io/gitea/models/webhook"`
`13`	`17`	`"code.gitea.io/gitea/modules/git"`
`@@ -16,10 +20,12 @@ import (`
`16`	`20`	`)`
`17`	`21`
`18`	`22`	`type (`
`19`		`-// FeishuPayload represents`
	`23`	`+// FeishuPayload represents the payload for Feishu webhook`
`20`	`24`	`FeishuPayloadstruct {`
`21`		-MsgTypestring`json:"msg_type"`// text / post / image / share_chat / interactive / file /audio / media
`22`		`-Contentstruct {`
	`25`	+Timestampint64`json:"timestamp,omitempty"`// Unix timestamp for signature verification
	`26`	+Signstring`json:"sign,omitempty"`// Signature for verification
	`27`	+MsgTypestring`json:"msg_type"`// text / post / image / share_chat / interactive / file /audio / media
	`28`	`+Contentstruct {`
`23`	`29`	Textstring`json:"text"`
`24`	`30`	}`json:"content"`
`25`	`31`	`}`
`@@ -178,9 +184,29 @@ func (feishuConvertor) WorkflowJob(p *api.WorkflowJobPayload) (FeishuPayload, er`
`178`	`184`	`returnnewFeishuTextPayload(text),nil`
`179`	`185`	`}`
`180`	`186`
	`187`	`+// feishuGenSign generates a signature for Feishu webhook`
	`188`	`+// https://open.feishu.cn/document/client-docs/bot-v3/add-custom-bot`
	`189`	`+funcfeishuGenSign(secretstring,timestampint64)string {`
	`190`	`+// key="{timestamp}\n{secret}", then hmac-sha256, then base64 encode`
	`191`	`+stringToSign:=fmt.Sprintf("%d\n%s",timestamp,secret)`
	`192`	`+h:=hmac.New(sha256.New, []byte(stringToSign))`
	`193`	`+returnbase64.StdEncoding.EncodeToString(h.Sum(nil))`
	`194`	`+}`
	`195`	`+`
`181`	`196`	`funcnewFeishuRequest(_ context.Context,wwebhook_model.Webhook,twebhook_model.HookTask) (*http.Request, []byte,error) {`
`182`		`-varpcpayloadConvertor[FeishuPayload]=feishuConvertor{}`
`183`		`-returnnewJSONRequest(pc,w,t,true)`
	`197`	`+payload,err:=newPayload(feishuConvertor{}, []byte(t.PayloadContent),t.EventType)`
	`198`	`+iferr!=nil {`
	`199`	`+returnnil,nil,err`
	`200`	`+}`
	`201`	`+`
	`202`	`+// Add timestamp and signature if secret is provided`
	`203`	`+ifw.Secret!="" {`
	`204`	`+timestamp:=time.Now().Unix()`
	`205`	`+payload.Timestamp=timestamp`
	`206`	`+payload.Sign=feishuGenSign(w.Secret,timestamp)`
	`207`	`+}`
	`208`	`+`
	`209`	`+returnprepareJSONRequest(payload,w,t,false/* no default headers */)`
`184`	`210`	`}`
`185`	`211`
`186`	`212`	`funcinit() {`

`‎services/webhook/feishu_test.go‎`

Lines changed: 5 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -168,6 +168,7 @@ func TestFeishuJSONPayload(t *testing.T) {`
`168`	`168`	`URL:"https://feishu.example.com/",`
`169`	`169`	Meta:`{}`,
`170`	`170`	`HTTPMethod:"POST",`
	`171`	`+Secret:"secret",`
`171`	`172`	`}`
`172`	`173`	`task:=&webhook_model.HookTask{`
`173`	`174`	`HookID:hook.ID,`
`@@ -183,10 +184,13 @@ func TestFeishuJSONPayload(t *testing.T) {`
`183`	`184`
`184`	`185`	`assert.Equal(t,"POST",req.Method)`
`185`	`186`	`assert.Equal(t,"https://feishu.example.com/",req.URL.String())`
`186`		`-assert.Equal(t,"sha256=",req.Header.Get("X-Hub-Signature-256"))`
`187`	`187`	`assert.Equal(t,"application/json",req.Header.Get("Content-Type"))`
`188`	`188`	`varbodyFeishuPayload`
`189`	`189`	`err=json.NewDecoder(req.Body).Decode(&body)`
`190`	`190`	`assert.NoError(t,err)`
`191`	`191`	`assert.Equal(t,"[test/repo:test]\r\n[2020558](http://localhost:3000/test/repo/commit/2020558fe2e34debb818a514715839cabd25e778) commit message - user1\r\n[2020558](http://localhost:3000/test/repo/commit/2020558fe2e34debb818a514715839cabd25e778) commit message - user1",body.Content.Text)`
	`192`	`+assert.Equal(t,feishuGenSign(hook.Secret,body.Timestamp),body.Sign)`
	`193`	`+`
	`194`	`+// a separate sign test, the result is generated by official python code, so the algo must be correct`
	`195`	`+assert.Equal(t,"rWZ84lcag1x9aBFhn1gtV4ZN+4gme3pilfQNMk86vKg=",feishuGenSign("a",1))`
`192`	`196`	`}`

`‎services/webhook/payloader.go‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -92,7 +92,10 @@ func newJSONRequest[T any](pc payloadConvertor[T], w webhook_model.Webhook, t `
`92`	`92`	`iferr!=nil {`
`93`	`93`	`returnnil,nil,err`
`94`	`94`	`}`
	`95`	`+returnprepareJSONRequest(payload,w,t,withDefaultHeaders)`
	`96`	`+}`
`95`	`97`
	`98`	`+funcprepareJSONRequest[Tany](payloadT,wwebhook_model.Webhook,twebhook_model.HookTask,withDefaultHeadersbool) (*http.Request, []byte,error) {`
`96`	`99`	`body,err:=json.MarshalIndent(payload,""," ")`
`97`	`100`	`iferr!=nil {`
`98`	`101`	`returnnil,nil,err`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit415c7d1

File tree

3 files changed

3 files changed

`‎services/webhook/feishu.go‎`

`‎services/webhook/feishu_test.go‎`

`‎services/webhook/payloader.go‎`

0 commit comments