Properly reject invalid token breach reports from GitHub

tobias · tobias · commit ff31e4abd0db · 2022-02-07T07:58:13.000-05:00
We were NPEing when given a key_identifier that isn't in the list of
keys returned by GitHub. This will now return a 422 instead.
diff --git a/src/clojars/routes/token_breach.clj b/src/clojars/routes/token_breach.clj
@@ -14,24 +14,27 @@
   "Retrieves the public key text from the github api for the key
   identifier, then converts the key text to a key object."
   [identifier]
-  (->> (client/get "https://api.github.com/meta/public_keys/token_scanning"
-                   {:as :json})
-       :body
-       :public_keys
-       (some (fn [{:keys [key_identifier key]}]
-               (when (= identifier key_identifier)
-                 key)))
-       (keys/str->public-key)))
+  (when identifier
+    (some->> (client/get "https://api.github.com/meta/public_keys/token_scanning"
+                         {:as :json})
+             :body
+             :public_keys
+             (some (fn [{:keys [key_identifier key]}]
+                     (when (= identifier key_identifier)
+                       key)))
+             (keys/str->public-key))))
 
 (defn- valid-github-request?
   "Verifies the request was signed using GitHub's key.
   https://developer.github.com/partnerships/secret-scanning/"
   [headers body-str]
   (let [key-id (get headers "github-public-key-identifier")
         key-sig (get headers "github-public-key-signature")
-        key (get-github-key key-id)
-        sig (base64/decode key-sig)]
-    (dsa/verify body-str sig {:key key :alg :ecdsa+sha256})))
+        key (get-github-key key-id)]
+    (when (and body-str key key-sig)
+      (dsa/verify body-str
+                  (base64/decode key-sig)
+                  {:key key :alg :ecdsa+sha256}))))
 
 ;; - make emails async
 ;; - add timing logs
diff --git a/test/clojars/unit/web/token_breach_test.clj b/test/clojars/unit/web/token_breach_test.clj
@@ -43,6 +43,15 @@
   (filter-some #(= token-name (:name %))
                (db/find-user-tokens-by-username help/*db* username)))
 
+(deftest test-github-token-breach-request-with-invalid-identifier
+  (help/with-test-system
+    (with-redefs [client/get (constantly {:body github-response})]
+      (let [app (help/app-from-system)
+            request (-> (build-breach-request "whatever")
+                        (header "GITHUB-PUBLIC-KEY-IDENTIFIER" "bad"))
+            res (app request)]
+        (is (= 422 (:status res)))))))
+
 (deftest test-github-token-breach-reporting-works
   (help/with-test-system
     (let [_user (db/add-user help/*db* "ham@biscuit.co" "ham" "biscuit")
