Slack interceptor should verify request signatures (v0=HMAC-SHA256) #2029

Description

@vdemeester

The Slack interceptor (pkg/interceptors/slack/slack.go) currently only checks that the X-Slack-Signature header is present and non-empty. It does not verify the signature against a signing secret.

This means any request with a non-empty X-Slack-Signature header is accepted as authentic, regardless of whether it actually came from Slack.

The GitHub, GitLab, and Bitbucket interceptors all perform proper signature verification when secretRef is configured. The Slack interceptor should follow the same pattern.

Current behavior

// slack.go:45 — header presence check only
if s := headers.Get("X-Slack-Signature"); s == "" {
    return interceptors.Fail(...)
}
// → proceeds to extract fields and return Continue:true

Expected behavior

  1. InterceptorParams should accept a secretRef parameter pointing to the Slack signing secret
  2. The interceptor should verify X-Slack-Signature using Slack's v0=HMAC-SHA256 scheme:
    sig_basestring = "v0:" + X-Slack-Request-Timestamp + ":" + request_body
    computed = "v0=" + HMAC-SHA256(signing_secret, sig_basestring)
    valid = hmac.Equal(computed, X-Slack-Signature)
    
  3. When secretRef is not configured, the interceptor should reject the request (fail-closed)

Implementation notes

  • Add SecretRef *triggersv1.SecretRef to InterceptorParams
  • Use the existing SecretGetter on InterceptorImpl (already wired up but never called)
  • Verify X-Slack-Request-Timestamp is within 5 minutes to prevent replay attacks (per Slack's recommendation)
  • Use hmac.Equal for constant-time comparison
  • This is a breaking change for existing Slack interceptor users who don't have a secretRef configured — document in release notes
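Added example (not code from the Tekton Triggers repository): a verifier for the v0=HMAC-SHA256 scheme described above, including the timestamp window and the fail-closed behavior from the implementation notes. The function names, the injected `now` parameter, and the sample secret and body are assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// MaxSkew is the replay window Slack recommends for X-Slack-Request-Timestamp.
const MaxSkew = 5 * time.Minute

// ComputeSlackSignature builds "v0=" + hex(HMAC-SHA256(secret, "v0:<ts>:<body>")),
// i.e. the value Slack places in X-Slack-Signature.
func ComputeSlackSignature(secret []byte, timestamp string, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte("v0:" + timestamp + ":"))
	mac.Write(body)
	return "v0=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifySlackSignature checks the X-Slack-Signature header of one request.
// secret is the signing secret resolved from secretRef (assumed name); now is
// injected so the replay window can be tested. It fails closed: no secret, no acceptance.
func VerifySlackSignature(secret []byte, timestamp, signature string, body []byte, now time.Time) error {
	if len(secret) == 0 {
		return errors.New("no Slack signing secret configured; rejecting request")
	}
	ts, err := strconv.ParseInt(timestamp, 10, 64)
	if err != nil {
		return fmt.Errorf("invalid X-Slack-Request-Timestamp: %w", err)
	}
	if skew := now.Sub(time.Unix(ts, 0)); skew > MaxSkew || skew < -MaxSkew {
		return errors.New("X-Slack-Request-Timestamp outside the 5 minute replay window")
	}
	computed := ComputeSlackSignature(secret, timestamp, body)
	// hmac.Equal compares in constant time, so a mismatch does not leak how many
	// leading bytes of the supplied header happened to match.
	if !hmac.Equal([]byte(computed), []byte(signature)) {
		return errors.New("X-Slack-Signature does not match request body")
	}
	return nil
}
```

Note that a non-empty but arbitrary header value, which the current presence-only check accepts, is rejected by the HMAC comparison.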
