w3c · deniak · Aug 27, 2021 · Aug 27, 2021 · Aug 27, 2021
diff --git a/server.js b/server.js
@@ -416,27 +416,27 @@ function addGHHook(app, path) {
             if (eventType !== "pull_request" && eventType !== "issue_comment") return ok(res);
             if (eventType === "issue_comment" && !event.issue.pull_request) return ok(res);
 
-            var owner = event.repository.owner.login
-            ,   repo = event.repository.full_name
-            ,   repoShortname = event.repository.name
-            ,   repoId = event.repository.id
+            const owner = event.repository.owner.login
+            ,     repo = event.repository.full_name
+            ,     repoShortname = event.repository.name
+            ,     repoId = event.repository.id
+            ,     statusData = {
+                      owner,
+                      shortName: repoShortname,
+                      sha: event.pull_request.head.sha,
+                      payload: {
+                          state: "failure",
+                          target_url: `${config.url}pr/id/${owner}/${repoShortname}/${event.number}`,
+                          context: "ipr"
+                      }
+                  }
             ;
             store.getSecret(repo, async function (err, data) {
+                const { token } = await doAsync(store).getToken(owner)
+                ,     gh = new GH({ accessToken: token });
                 if (err || !data) {
                     try {
-                        const { token } = await doAsync(store).getToken(owner);
-                        const gh = new GH({ accessToken: token });
-                        const statusData = {
-                            owner,
-                            shortName: repoShortname,
-                            sha: event.pull_request.head.sha,
-                            payload: {
-                                state: "failure",
-                                target_url: `${config.url}pr/id/${owner}/${repoShortname}/${event.number}`,
-                                description: `The repository manager doesn't know the following repository: ${repo}`,
-                                context: "ipr"
-                            }
-                        };
+                        statusData.payload.description = `The repository manager doesn't know the following repository: ${repo}`;
                         gh.status(statusData, err => {
                             if (err) {
                                 console.log(err);
@@ -450,7 +450,16 @@ function addGHHook(app, path) {
                 }
 
                 // we have the secret, crypto check becomes possible
-                if (!GH.checkPayloadSignature("sha256", data.secret, buffer, req.headers["x-hub-signature-256"])) return error(res, "GitHub signature does not match known secret for " + repo + ".");
+                if (!GH.checkPayloadSignature("sha256", data.secret, buffer, req.headers["x-hub-signature-256"])) {
+                    statusData.payload.description = `GitHub signature does not match known secret for ${repo}.`;
+                    gh.status(statusData, err => {
+                        if (err) {
+                            console.log(err);
+                            log.error(err);
+                        }
+                    });
+                    return error(res, `GitHub signature does not match known secret for ${repo}.`);
+                }
 
                 // for status we need: owner, repoShort, and sha
                 var repoShort = event.repository.name

diff --git a/test/server-spec.js b/test/server-spec.js
@@ -644,6 +644,16 @@ describe('Server manages requests from advanced privileged users in a set up rep
             .expect(500, done);
     });
 
+    it('reacts to pull requests notifications with the wrong signature', function testWrongSignature(done) {
+        mockPRStatus(testPR, 'failure', /GitHub signature does not match known secret for .*/);
+
+        req.post('/' + config.hookPath)
+            .send(testPR)
+            .set('X-Github-Event', 'pull_request')
+            .set('X-Hub-Signature-256', GH.signPayload("sha256", Array(20).join("@"), new Buffer(JSON.stringify(testPR))))
+            .expect(500, done);
+    });
+
     it('reacts to pull requests notifications from GH users without a known W3C account', function testPullRequestNotif(done) {
         mockPRStatus(testPR, 'pending', /.*/);
         nock('https://api.github.com')