Add signature verification fo the /rot slash command
authorCarl Worth <cworth@cworth.org>
Sun, 27 Sep 2020 21:45:34 +0000 (14:45 -0700)
committerCarl Worth <cworth@cworth.org>
Sun, 27 Sep 2020 21:49:03 +0000 (14:49 -0700)
This prevents someone from abusing our bot by spoofing messages that appear
to have come from Slack. This way we won't reply to any command
request unless it actually comes from Slack.

turbot.py

index bfc07e3e0af13e04fcfa63e5292bb971fb75e174..4a6aaffa8b614abe9a659eaece897ffbe133dcb2 100755 (executable)
--- a/turbot.py
+++ b/turbot.py
@@ -5,6 +5,7 @@ from flask import Flask, request
 from slackeventsapi import SlackEventAdapter
 from slack import WebClient
 from slack.errors import SlackApiError
+from slack.signature import SignatureVerifier
 import os
 import requests
 import re
@@ -15,6 +16,7 @@ slack_signing_secret = os.environ['SLACK_SIGNING_SECRET']
 slack_bot_token = os.environ['SLACK_BOT_TOKEN']
 
 slack_events = SlackEventAdapter(slack_signing_secret, "/slack/events", app)
+signature_verifier = SignatureVerifier(slack_signing_secret)
 slack_client = WebClient(slack_bot_token)
 
 def rot_string(str, n=13):
@@ -52,11 +54,16 @@ def rot():
     in a direct message that it is not a member of. Otherwise, if the slash
     command was issued in a channel, the bot will reply in that channel."""
 
+    data = request.get_data();
+    headers = request.headers;
     response_url = request.form.get('response_url')
     channel_name = request.form.get('channel_name')
     channel = request.form.get('channel_id')
     query = request.form.get('text')
 
+    if not signature_verifier.is_valid_request(data, headers):
+        return make_response("invalid request", 403)
+
     match = re.match('^([0-9]+|\*) (.*)$', query)
     if (match):
         try:
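Review bot: `make_response` does not appear in the `from flask import Flask, request` line shown in the first hunk's header, so unless it is imported elsewhere in the file the rejection branch `return make_response("invalid request", 403)` raises NameError instead of answering 403; either add it to the Flask import or return a plain tuple, `return "invalid request", 403`. The guard also runs after the four `request.form.get(...)` lines, so an unauthenticated body is parsed before the request is verified; placing `if not signature_verifier.is_valid_request(data, headers):` directly after the `headers = request.headers` line rejects spoofed requests before any of their fields are read. The two new assignments carry stray trailing semicolons (`data = request.get_data();`), which are unnecessary in Python. The body of rot() continues outside the hunk.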