fix: do not uppercase quoted escape sequences (#96)

hugopeixoto · gr2m · commit 98ff1e3cb340 · 2019-10-07T16:34:20.000-07:00
If the payload contains text that starts with "\u", the replacer kicks
in and signature validation fails.
diff --git a/sign/index.js b/sign/index.js
@@ -12,7 +12,7 @@ function sign (secret, payload) {
 }
 
 function toNormalizedJsonString (payload) {
-  return JSON.stringify(payload).replace(/\\u[\da-f]{4}/g, s => {
-    return s.substr(0, 2) + s.substr(2).toUpperCase()
+  return JSON.stringify(payload).replace(/[^\\]\\u[\da-f]{4}/g, s => {
+    return s.substr(0, 3) + s.substr(3).toUpperCase()
   })
 }
diff --git a/test/integration/verify-test.js b/test/integration/verify-test.js
@@ -59,6 +59,10 @@ test('verify(secret, eventPayload, signature) returns true if eventPayload conta
     foo: 'Foo\n\u001B[34mbar: ♥♥♥♥♥♥♥♥\nthis-is-lost\u001B[0m\u001B[2K'
   }, 'sha1=7316ec5e7866e42e4aba4af550d21a5f036f949d')
   t.is(signatureMatchesUpperCaseSequence, true)
+  const signatureMatchesEscapedSequence = verify('development', {
+    foo: '\\u001b'
+  }, 'sha1=2c440a176f4cb84c8c921dfee882d594c2465097')
+  t.is(signatureMatchesEscapedSequence, true)
 
   t.end()
 })

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ function sign (secret, payload) {`
`12`	`12`	`}`
`13`	`13`
`14`	`14`	`function toNormalizedJsonString (payload) {`
`15`		`- return JSON.stringify(payload).replace(/\\u[\da-f]{4}/g, s => {`
`16`		`- return s.substr(0, 2) + s.substr(2).toUpperCase()`
	`15`	`+ return JSON.stringify(payload).replace(/[^\\]\\u[\da-f]{4}/g, s => {`
	`16`	`+ return s.substr(0, 3) + s.substr(3).toUpperCase()`
`17`	`17`	`})`
`18`	`18`	`}`