The Slack interceptor (pkg/interceptors/slack/slack.go) currently only checks that the X-Slack-Signature header is present and non-empty. It does not verify the signature against a signing secret.
This means any request with a non-empty X-Slack-Signature header is accepted as authentic, regardless of whether it actually came from Slack.
The GitHub, GitLab, and Bitbucket interceptors all perform proper signature verification when secretRef is configured. The Slack interceptor should follow the same pattern.
## Current behavior

```go
// slack.go:45 — header presence check only
if s := headers.Get("X-Slack-Signature"); s == "" {
	return interceptors.Fail(...)
}
// → proceeds to extract fields and return Continue:true
```
## Expected behavior

- `InterceptorParams` should accept a `secretRef` parameter pointing to the Slack signing secret
- The interceptor should verify `X-Slack-Signature` using Slack's `v0=HMAC-SHA256` scheme:

  ```
  sig_basestring = "v0:" + X-Slack-Request-Timestamp + ":" + request_body
  computed = "v0=" + HMAC-SHA256(signing_secret, sig_basestring)
  valid = hmac.Equal(computed, X-Slack-Signature)
  ```

- When `secretRef` is not configured, the interceptor should reject the request (fail-closed)
## Implementation notes

- Add `SecretRef *triggersv1.SecretRef` to `InterceptorParams`
- Use the existing `SecretGetter` on `InterceptorImpl` (already wired up but never called)
- Verify `X-Slack-Request-Timestamp` is within 5 minutes to prevent replay attacks (per Slack's recommendation)
- Use `hmac.Equal` for constant-time comparison
- This is a breaking change for existing Slack interceptor users who don't have a `secretRef` configured — document in release notes
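Added example, not code from this issue or the project: a stand-alone Go verifier for the scheme and notes above, fail-closed on a missing secret, with the 5 minute timestamp window and `hmac.Equal`. The function names `VerifySlackSignature` and `slackSignature`, the injected `now`, and the secret and body in `main` are assumptions and constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// Replay window Slack recommends for X-Slack-Request-Timestamp.
const maxSkew = 5 * time.Minute

// slackSignature returns "v0=" + hex(HMAC-SHA256(secret, "v0:" + ts + ":" + body)).
func slackSignature(secret, ts string, body []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte("v0:" + ts + ":"))
	mac.Write(body)
	return "v0=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifySlackSignature is fail-closed: an empty secret (no secretRef) rejects
// the request. now is injected so the timestamp window is testable.
func VerifySlackSignature(secret, ts, sig string, body []byte, now time.Time) error {
	if secret == "" {
		return errors.New("no Slack signing secret configured")
	}
	unix, err := strconv.ParseInt(ts, 10, 64) // empty or garbage header fails here
	if err != nil {
		return fmt.Errorf("bad X-Slack-Request-Timestamp: %w", err)
	}
	if d := now.Sub(time.Unix(unix, 0)); d > maxSkew || d < -maxSkew {
		return errors.New("request timestamp outside the 5 minute window")
	}
	// hmac.Equal is constant-time; never compare signatures with ==.
	if !hmac.Equal([]byte(slackSignature(secret, ts, body)), []byte(sig)) {
		return errors.New("X-Slack-Signature does not match")
	}
	return nil
}

func main() {
	secret, body := "constructed-test-secret", []byte(`{"type":"event_callback"}`) // constructed
	now := time.Unix(1700000000, 0)
	ts := strconv.FormatInt(now.Unix(), 10)
	fmt.Println("valid:", VerifySlackSignature(secret, ts, slackSignature(secret, ts, body), body, now))
	fmt.Println("replay:", VerifySlackSignature(secret, ts, slackSignature(secret, ts, body), body, now.Add(10*time.Minute)))
}
```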
## References
- `pkg/interceptors/github/github.go:149-172`