github-webhook-validator
This library provides an Express middleware validator for GitHub webhooks that have a secret key defined.
It was primarily developed for the pages-server. It enables authentication across multiple webhooks handled by the same server.
To make this library part of your project:

```sh
$ npm install github-webhook-validator --save
```

Note that Node.js version 4.8.5 or higher is required; check your installed version with `node -v`.
During the initialization phase of your application:

```javascript
var express = require('express');
var bodyParser = require('body-parser');
var webhookValidator = require('github-webhook-validator');

module.exports.launchServer = function(config) {
  // loadKeyDictionary returns a Promise that creates an object comprised of
  // `label: key` mappings.
  return webhookValidator.loadKeyDictionary(
      config.secretKeyFile, config.builders)
    .then(function(keyDictionary) { return doLaunch(config, keyDictionary); })
    .catch(function(err) { console.error('Failed to start server:', err); });
};

function doLaunch(config, keyDictionary) {
  // Once the keyDictionary is loaded, create a middlewareValidator that can
  // be passed to Express middleware body parsers.
  var middlewareOptions = {
    verify: webhookValidator.middlewareValidator(keyDictionary)
  };
  var server = express();
  server.use(bodyParser.json(middlewareOptions));
  // Continue server initialization...
}
```
Returns a Promise that will, upon success, resolve to an object comprised of `label: key` mappings for use by the middleware validator.

`branch` member, as the original use case supports differentiating webhooks by branch. It is possible for `defaultKeyFile` to be undefined, while individual `builderConfigs` have their own `secretKeyFile` definitions.

If no arguments are defined, the Promise will resolve to an empty object, effectively disabling validation, except that any incoming webhooks with the `X-Hub-Signature` HTTP header defined will fail validation. The solution would be to add the secret key to the server, or to remove it from the webhook definition.
Returns a function corresponding to the `verify` function interface passed as an option to Express body-parser middleware. The returned function will abort the request with an error message if validation fails, prior to parsing taking place.

`ref` field, if present.

Raises: `X-GitHub-Delivery` HTTP header

If the parser returns `null` or `undefined`, or if the value does not match a member of `keyDictionary`, the value of the `defaultKeyFile` from `loadKeyDictionary()` will be used as the secret key, if it exists. If it does not exist, any incoming requests with the `X-Hub-Signature` HTTP header will fail validation. The fix would be to add a default key, to add a branch-specific key, or to remove the secret key from the webhook definition.
This software is made available as Open Source software under the ISC License. For the text of the license, see the LICENSE file.
FAQs
Express middleware validator for GitHub webhooks
The npm package github-webhook-validator receives a total of 0 weekly downloads. As such, github-webhook-validator popularity was classified as not popular.
We found that github-webhook-validator demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.