security(nextcloud-talk): reject unsigned webhooks before body read

Brian Mendonca
2026-02-24 21:36:04 -07:00
committed by Peter Steinberger
parent 38c4944d76
commit 09200b3c10
3 changed files with 77 additions and 2 deletions


@@ -92,6 +92,7 @@ export function createNextcloudTalkWebhookServer(opts: NextcloudTalkWebhookServe
opts.maxBodyBytes > 0
? Math.floor(opts.maxBodyBytes)
: DEFAULT_WEBHOOK_MAX_BODY_BYTES;
const readBody = opts.readBody ?? readNextcloudTalkWebhookBody;
const server = createServer(async (req: IncomingMessage, res: ServerResponse) => {
if (req.url === HEALTH_PATH) {
@@ -107,8 +108,6 @@ export function createNextcloudTalkWebhookServer(opts: NextcloudTalkWebhookServe
}
try {
const body = await readNextcloudTalkWebhookBody(req, maxBodyBytes);
const headers = extractNextcloudTalkHeaders(
req.headers as Record<string, string | string[] | undefined>,
);
@@ -118,6 +117,8 @@ export function createNextcloudTalkWebhookServer(opts: NextcloudTalkWebhookServe
return;
}
const body = await readBody(req, maxBodyBytes);
const isValid = verifyNextcloudTalkSignature({
signature: headers.signature,
random: headers.random,