Merge pull request #76 from seratch/issue-75-missing-headers

seratch · web-flow · commit 9b25bcb9e7bd · 2020-07-28T07:21:55.000+09:00
Fix #75 by checking the existence of request headers
diff --git a/slackeventsapi/server.py b/slackeventsapi/server.py
@@ -89,15 +89,15 @@ def event():
             # Each request comes with request timestamp and request signature
             # emit an error if the timestamp is out of range
             req_timestamp = request.headers.get('X-Slack-Request-Timestamp')
-            if abs(time() - int(req_timestamp)) > 60 * 5:
+            if req_timestamp is None or abs(time() - int(req_timestamp)) > 60 * 5:
                 slack_exception = SlackEventAdapterException('Invalid request timestamp')
                 self.emitter.emit('error', slack_exception)
                 return make_response("", 403)
 
             # Verify the request signature using the app's signing secret
             # emit an error if the signature can't be verified
             req_signature = request.headers.get('X-Slack-Signature')
-            if not self.verify_signature(req_timestamp, req_signature):
+            if req_signature is None or not self.verify_signature(req_timestamp, req_signature):
                 slack_exception = SlackEventAdapterException('Invalid request signature')
                 self.emitter.emit('error', slack_exception)
                 return make_response("", 403)
diff --git a/tests/test_server.py b/tests/test_server.py
@@ -56,6 +56,32 @@ def test_url_challenge(client):
     assert bytes.decode(res.data) == "valid_challenge_token"
 
 
+def test_no_request_timestamp_header(client):
+    data = pytest.reaction_event_fixture
+    with pytest.raises(SlackEventAdapterException) as excinfo:
+        res = client.post(
+            '/slack/events',
+            data=data,
+            content_type='application/json',
+            headers={}
+        )
+    assert str(excinfo.value) == 'Invalid request timestamp'
+
+def test_no_request_signature_header(client):
+    data = pytest.reaction_event_fixture
+    timestamp = int(time.time())
+    with pytest.raises(SlackEventAdapterException) as excinfo:
+        res = client.post(
+            '/slack/events',
+            data=data,
+            content_type='application/json',
+            headers={
+                'X-Slack-Request-Timestamp': timestamp, # valid
+            }
+        )
+    assert str(excinfo.value) == 'Invalid request signature'
+
+
 def test_invalid_request_signature(client):
     # Verify [package metadata header is set
     slack_adapter = SlackEventAdapter("SIGNING_SECRET")
