[GHWebhookSignature] Process escaped Unicode characters in a JSON payload

ababushk · ababushk · commit 653f8a524f23 · 2020-12-08T14:52:33.000+03:00
[GHWebhookSignatureTest] Add test to check signature generation for unicode payloads

[GHWebhookSignatureTest] Fix test data

We should've pass all those \uXXXX to function, but Java was keeping them as unicode characters inside

[GHWebhookSignature] Use modules available via pom.xml to perform unescape

[GHWebhookSignatureTest] Explain test data choice

[GHWebhookSignatureTest] Remove escaped unicode from comments
diff --git a/src/main/java/org/jenkinsci/plugins/github/webhook/GHWebhookSignature.java b/src/main/java/org/jenkinsci/plugins/github/webhook/GHWebhookSignature.java
@@ -2,6 +2,7 @@
 
 import hudson.util.Secret;
 import org.apache.commons.codec.binary.Hex;
+import org.apache.commons.lang3.StringEscapeUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -54,7 +55,10 @@ public String sha1() {
             final SecretKeySpec keySpec = new SecretKeySpec(secret.getPlainText().getBytes(UTF_8), HMAC_SHA1_ALGORITHM);
             final Mac mac = Mac.getInstance(HMAC_SHA1_ALGORITHM);
             mac.init(keySpec);
-            final byte[] rawHMACBytes = mac.doFinal(payload.getBytes(UTF_8));
+
+            final String unescapedPayload = StringEscapeUtils.unescapeJava(payload);
+            final String convertedUnicode = new String(unescapedPayload.getBytes("latin1"), UTF_8);
+            final byte[] rawHMACBytes = mac.doFinal(convertedUnicode.getBytes(UTF_8));
 
             return Hex.encodeHexString(rawHMACBytes);
         } catch (Exception e) {
diff --git a/src/test/java/org/jenkinsci/plugins/github/webhook/GHWebhookSignatureTest.java b/src/test/java/org/jenkinsci/plugins/github/webhook/GHWebhookSignatureTest.java
@@ -20,22 +20,34 @@ public class GHWebhookSignatureTest {
     private static final String PAYLOAD = "foo";
     private static final String SECRET = "bar";
 
+    // Taken from real example of Pull Request update webhook payload
+    private static final String UNICODE_PAYLOAD = "{\"description\":\"foo\\u00e2\\u0084\\u00a2\"}";
+    private static final String UNICODE_SIGNATURE = "10e3cb05d27049775aeca89d84d9e6123d5ab006";
+
     @ClassRule
     public static JenkinsRule jRule = new JenkinsRule();
 
     @Test
     public void shouldComputeSHA1Signature() throws Exception {
         assertThat("signature is valid", webhookSignature(
-                PAYLOAD, 
+                PAYLOAD,
                 Secret.fromString(SECRET)
         ).sha1(), equalTo(SIGNATURE));
     }
 
     @Test
     public void shouldMatchSignature() throws Exception {
         assertThat("signature should match", webhookSignature(
-                PAYLOAD, 
+                PAYLOAD,
                 Secret.fromString(SECRET)
         ).matches(SIGNATURE), equalTo(true));
     }
-}
+
+    @Test
+    public void shouldComputeSHA1SignatureWithUnicodePayload() throws Exception {
+        assertThat("signature is valid for unicode payload", webhookSignature(
+                UNICODE_PAYLOAD,
+                Secret.fromString(SECRET)
+        ).sha1(), equalTo(UNICODE_SIGNATURE));
+    }
+}
