Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix verify signature double negation #371

Merged
merged 2 commits into from
Sep 6, 2024
Merged

Fix verify signature double negation #371

merged 2 commits into from
Sep 6, 2024
+6 −2

Conversation

felixarjuna
Copy link
Contributor

@felixarjuna felixarjuna commented Sep 6, 2024
edited by Secreto31126
Loading

I want to fix the verifyRequestSignature method inside index.ts file. From the jsdoc docs, the returnred boolean value should indicate that the signature is valid. Hope it helps! :)

PR Checklist

  • It's really useful if your PR references an issue where it is discussed ahead of time.
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with npm run test and lint the project with npm run lint and npm run prettier

@Secreto31126
Copy link
Owner

Hm, this is really big if true. If your change does pass the tests, not only it means the whole library was broken, but also the unit tests failed to catch the issue. I can't believe this went thru so easily.

@Secreto31126 Secreto31126 merged commit 56620c6 into Secreto31126:main Sep 6, 2024
7 checks passed
limck5856
limck5856 reviewed Sep 14, 2024
View reviewed changes
Copy link

@limck5856 limck5856 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review

@Secreto31126
Copy link
Owner

Hey @felixarjuna, sorry for the harsh reply last week, I got a little too annoyed/scared/excited about the first vulnerability on the library :)

I added you as the finder on the CVE and in the README. Really thankful for your PR and raising this bug, which allowed any payload except real WhatsApp's to be processed. I will try to get some time to fix the unit tests in order to avoid similar dumb issues in the future.

Thanks!

@felixarjuna
Copy link
Contributor Author

I‘m really happy, that it really helped. 🙂

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@limck5856 limck5856 limck5856 left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@felixarjuna @Secreto31126 @limck5856