admin/Moltbot
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Hardening: require LINE webhook signatures (#44090)

Browse Source 
* LINE: require webhook signatures in express handler

* LINE: require webhook signatures in node handler

* LINE: update express signature tests

* LINE: update node signature tests

* Changelog: note LINE webhook hardening

* LINE: validate signatures before parsing webhook bodies

* LINE: reject missing signatures before body reads
This commit is contained in:
Vincent Koc
2026-03-12 10:50:36 -04:00
committed by GitHub
parent c965049dc6
commit 48cbfdfac0
6 changed files with 60 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
src/line/webhook-node.ts
View File

@@ -8,11 +8,10 @@ import {
} from "../infra/http-body.js";
import type { RuntimeEnv } from "../runtime.js";
import { validateLineSignature } from "./signature.js";
import { isLineWebhookVerificationRequest, parseLineWebhookBody } from "./webhook-utils.js";
import { parseLineWebhookBody } from "./webhook-utils.js";
const LINE_WEBHOOK_MAX_BODY_BYTES = 1024 * 1024;
const LINE_WEBHOOK_PREAUTH_MAX_BODY_BYTES = 64 * 1024;
const LINE_WEBHOOK_UNSIGNED_MAX_BODY_BYTES = 4 * 1024;
const LINE_WEBHOOK_PREAUTH_BODY_TIMEOUT_MS = 5_000;
export async function readLineWebhookRequestBody(
@@ -65,30 +64,12 @@ export function createLineNodeWebhookHandler(params: {
const signatureHeader = req.headers["x-line-signature"];
const signature =
typeof signatureHeader === "string"
? signatureHeader
? signatureHeader.trim()
: Array.isArray(signatureHeader)
? signatureHeader[0]
: undefined;
const hasSignature = typeof signature === "string" && signature.trim().length > 0;
const bodyLimit = hasSignature
? Math.min(maxBodyBytes, LINE_WEBHOOK_PREAUTH_MAX_BODY_BYTES)
: Math.min(maxBodyBytes, LINE_WEBHOOK_UNSIGNED_MAX_BODY_BYTES);
const rawBody = await readBody(req, bodyLimit, LINE_WEBHOOK_PREAUTH_BODY_TIMEOUT_MS);
? (signatureHeader[0] ?? "").trim()
: "";
// Parse once; we may need it for verification requests and for event processing.
const body = parseLineWebhookBody(rawBody);
// LINE webhook verification sends POST {"events":[]} without a
// signature header. Return 200 so the LINE Developers Console
// "Verify" button succeeds.
if (!hasSignature) {
if (isLineWebhookVerificationRequest(body)) {
logVerbose("line: webhook verification request (empty events, no signature) - 200 OK");
res.statusCode = 200;
res.setHeader("Content-Type", "application/json");
res.end(JSON.stringify({ status: "ok" }));
return;
}
if (!signature) {
logVerbose("line: webhook missing X-Line-Signature header");
res.statusCode = 400;
res.setHeader("Content-Type", "application/json");
@@ -96,6 +77,12 @@ export function createLineNodeWebhookHandler(params: {
return;
}
const rawBody = await readBody(
req,
Math.min(maxBodyBytes, LINE_WEBHOOK_PREAUTH_MAX_BODY_BYTES),
LINE_WEBHOOK_PREAUTH_BODY_TIMEOUT_MS,
);
if (!validateLineSignature(rawBody, signature, params.channelSecret)) {
logVerbose("line: webhook signature validation failed");
res.statusCode = 401;
@@ -104,6 +91,8 @@ export function createLineNodeWebhookHandler(params: {
return;
}
const body = parseLineWebhookBody(rawBody);
if (!body) {
res.statusCode = 400;
res.setHeader("Content-Type", "application/json");