
Commit e23efe8

authored
fix: strip smuggled payload from ssl_check requests (#2898)
1 parent ad576a1 commit e23efe8

1 file changed

Lines changed: 4 additions & 1 deletion


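--- a/src/receivers/HTTPModuleFunctions.ts
+++ b/src/receivers/HTTPModuleFunctions.ts
@@ -70,9 +70,12 @@ export const parseAndVerifyHTTPRequest = async (
 
   const contentType = req.headers['content-type'];
   if (contentType === 'application/x-www-form-urlencoded') {
-    // `ssl_check=1` requests do not require x-slack-signature verification
     const parsedQs = qsParse(textBody);
     if (parsedQs?.ssl_check) {
+      // ssl_check requests don't require signature verification, but we must
+      // strip any smuggled payload to prevent unauthenticated event injection
+      const sanitized = `ssl_check=${parsedQs.ssl_check}`;
+      bufferedReq.rawBody = Buffer.from(sanitized);
       return bufferedReq;
     }
   }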
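Review bot: The template literal on new line 77 interpolates `parsedQs.ssl_check` verbatim, so a body such as `ssl_check[x]=1` or a repeated `ssl_check=1&ssl_check=1` still passes the truthy check on line 74 and lands in rawBody as `ssl_check=[object Object]` or `ssl_check=1,1` — attacker-chosen shape still reaches the unauthenticated return path, just not the original payload. Since the only value this branch is meant to accept is `1`, pinning both the type and the emitted body closes that gap: `if (typeof parsedQs?.ssl_check === 'string') {` on line 74 and `bufferedReq.rawBody = Buffer.from('ssl_check=1');` in place of lines 77-78 (or reject anything but `'1'` with a 400, if the receiver's style allows it here). parseAndVerifyHTTPRequest starts before and continues after this hunk, so it is not visible whether later consumers reparse rawBody or read an already-parsed body object; if the latter, that object would need the same treatment or the sanitization is cosmetic.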
