Add signature verification fo the /rot slash command

[turbot] / turbot.py

diff --git a/turbot.py b/turbot.py
index bfc07e3e0af13e04fcfa63e5292bb971fb75e174..4a6aaffa8b614abe9a659eaece897ffbe133dcb2 100755 (executable)
--- a/turbot.py
+++ b/turbot.py
@@ -5,6 +5,7 @@ from flask import Flask, request
 from slackeventsapi import SlackEventAdapter
 from slack import WebClient
 from slack.errors import SlackApiError
+from slack.signature import SignatureVerifier
 import os
 import requests
 import re
@@ -15,6 +16,7 @@ slack_signing_secret = os.environ['SLACK_SIGNING_SECRET']
 slack_bot_token = os.environ['SLACK_BOT_TOKEN']
 
 slack_events = SlackEventAdapter(slack_signing_secret, "/slack/events", app)
+signature_verifier = SignatureVerifier(slack_signing_secret)
 slack_client = WebClient(slack_bot_token)
 
 def rot_string(str, n=13):
@@ -52,11 +54,16 @@ def rot():
     in a direct message that it is not a member of. Otherwise, if the slash
     command was issued in a channel, the bot will reply in that channel."""
 
+    data = request.get_data();
+    headers = request.headers;
     response_url = request.form.get('response_url')
     channel_name = request.form.get('channel_name')
     channel = request.form.get('channel_id')
     query = request.form.get('text')
 
+    if not signature_verifier.is_valid_request(data, headers):
+        return make_response("invalid request", 403)
+
     match = re.match('^([0-9]+|\*) (.*)$', query)
     if (match):
         try: