From: Carl Worth
Date: Sun, 27 Sep 2020 21:45:34 +0000 (-0700)
Subject: Add signature verification fo the /rot slash command
X-Git-Url: https://git.cworth.org/git?a=commitdiff_plain;h=c823ba48a7c5d56c6059f821e76545486a084169;p=turbot

Add signature verification fo the /rot slash command

This prevents someone abusing our bot by spoofing messages appearing to have come from Slack. This way we won't reply to any command request unless it actually comes from Slack.
---
diff --git a/turbot.py b/turbot.py
index bfc07e3..4a6aaff 100755
--- a/turbot.py
+++ b/turbot.py
@@ -5,6 +5,7 @@ from flask import Flask, request
 from slackeventsapi import SlackEventAdapter
 from slack import WebClient
 from slack.errors import SlackApiError
+from slack.signature import SignatureVerifier
 import os
 import requests
 import re
@@ -15,6 +16,7 @@ slack_signing_secret = os.environ['SLACK_SIGNING_SECRET']
 slack_bot_token = os.environ['SLACK_BOT_TOKEN']
 
 slack_events = SlackEventAdapter(slack_signing_secret, "/slack/events", app)
+signature_verifier = SignatureVerifier(slack_signing_secret)
 slack_client = WebClient(slack_bot_token)
 
 def rot_string(str, n=13):
@@ -52,11 +54,16 @@ def rot():
     in a direct message that it is not a member of. Otherwise, if the
     slash command was issued in a channel, the bot will reply in that
     channel."""
+    data = request.get_data();
+    headers = request.headers;
     response_url = request.form.get('response_url')
     channel_name = request.form.get('channel_name')
     channel = request.form.get('channel_id')
     query = request.form.get('text')
 
+    if not signature_verifier.is_valid_request(data, headers):
+        return make_response("invalid request", 403)
+
     match = re.match('^([0-9]+|\*) (.*)$', query)
     if (match):
         try:
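Review bot: The rejection branch calls `make_response`, but the only Flask import visible in this patch is `from flask import Flask, request`, so unless it is imported on a line outside the hunks a forged request would raise NameError in the new `if not signature_verifier.is_valid_request(...)` block instead of returning 403 — the import line should read `from flask import Flask, request, make_response`, and a forged request should be tested once to prove the 403 path actually executes. The check itself sits after the four `request.form.get(...)` reads; moving the `if`/`return` pair up to directly follow the `headers = request.headers` line rejects the request before any form parsing and makes the fail-closed intent obvious. The order `request.get_data()` before any `request.form` access is load-bearing, since Werkzeug consumes the body stream when it parses the form and the signed body would then be empty; a comment such as `# get_data() must run before request.form is touched, or the body that is signed comes back empty` would keep a later refactor from silently breaking verification. The trailing semicolons on the `data` and `headers` lines are not Python style and should be dropped. `rot()`'s body continues past the end of the hunk.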