Skip to content

Commit 3c21870

Browse files
committed
fix(showcase): CR fixes — timingSafeEqual buffer length + Dockerfile npm lockfile
- Add buffer length check before timingSafeEqual to prevent RangeError on missing/malformed X-Hub-Signature-256 headers - Switch Dockerfile from pnpm to npm with package-lock.json (pnpm lockfile lives at monorepo root, not in the package directory)
1 parent e9644b4 commit 3c21870

3 files changed

Lines changed: 237 additions & 10 deletions

File tree

showcase/eval-webhook/Dockerfile

Lines changed: 5 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -2,23 +2,19 @@ FROM node:22-slim AS builder
22

33
WORKDIR /app
44

5-
RUN corepack enable && corepack prepare pnpm@latest --activate
6-
7-
COPY package.json pnpm-lock.yaml ./
8-
RUN pnpm install --frozen-lockfile
5+
COPY package.json package-lock.json ./
6+
RUN npm ci
97

108
COPY tsconfig.json ./
119
COPY src/ ./src/
12-
RUN pnpm build
10+
RUN npm run build
1311

1412
FROM node:22-slim
1513

1614
WORKDIR /app
1715

18-
RUN corepack enable && corepack prepare pnpm@latest --activate
19-
20-
COPY package.json pnpm-lock.yaml ./
21-
RUN pnpm install --frozen-lockfile --prod
16+
COPY package.json package-lock.json ./
17+
RUN npm ci --omit=dev
2218

2319
COPY --from=builder /app/dist ./dist
2420

showcase/eval-webhook/package-lock.json

Lines changed: 228 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

showcase/eval-webhook/src/server.ts

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,10 @@ function verifySignature(payload: string, signature: string): boolean {
1818
const expected =
1919
"sha256=" +
2020
crypto.createHmac("sha256", WEBHOOK_SECRET).update(payload).digest("hex");
21-
return crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(signature));
21+
const expectedBuf = Buffer.from(expected);
22+
const signatureBuf = Buffer.from(signature);
23+
if (expectedBuf.length !== signatureBuf.length) return false;
24+
return crypto.timingSafeEqual(expectedBuf, signatureBuf);
2225
}
2326

2427
function getOctokit(): Octokit {

0 commit comments

Comments
 (0)