From c823ba48a7c5d56c6059f821e76545486a084169 Mon Sep 17 00:00:00 2001
From: Carl Worth <cworth@cworth.org>
Date: Sun, 27 Sep 2020 14:45:34 -0700
Subject: [PATCH] Add signature verification fo the /rot slash command

This prevents someone abusing our bot by spoofing messages appearing
to have come from Slack. This way we won't reply to any command
request unless it actually comes from Slack.
---
 turbot.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/turbot.py b/turbot.py
index bfc07e3..4a6aaff 100755
--- a/turbot.py
+++ b/turbot.py
@@ -5,6 +5,7 @@ from flask import Flask, request
 from slackeventsapi import SlackEventAdapter
 from slack import WebClient
 from slack.errors import SlackApiError
+from slack.signature import SignatureVerifier
 import os
 import requests
 import re
@@ -15,6 +16,7 @@ slack_signing_secret = os.environ['SLACK_SIGNING_SECRET']
 slack_bot_token = os.environ['SLACK_BOT_TOKEN']
 
 slack_events = SlackEventAdapter(slack_signing_secret, "/slack/events", app)
+signature_verifier = SignatureVerifier(slack_signing_secret)
 slack_client = WebClient(slack_bot_token)
 
 def rot_string(str, n=13):
@@ -52,11 +54,16 @@ def rot():
     in a direct message that it is not a member of. Otherwise, if the slash
     command was issued in a channel, the bot will reply in that channel."""
 
+    data = request.get_data();
+    headers = request.headers;
     response_url = request.form.get('response_url')
     channel_name = request.form.get('channel_name')
     channel = request.form.get('channel_id')
     query = request.form.get('text')
 
+    if not signature_verifier.is_valid_request(data, headers):
+        return make_response("invalid request", 403)
+
     match = re.match('^([0-9]+|\*) (.*)$', query)
     if (match):
         try:
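Review bot: `make_response` on the added rejection line is not imported by this patch; the only Flask import visible is the context line `from flask import Flask, request` on the first hunk's header, so unless it is brought into scope elsewhere in the file the 403 path raises NameError instead of rejecting the request, and the first hunk should read `from flask import Flask, request, make_response`. The `is_valid_request` check should also move up to directly after `headers = request.headers`, ahead of the four `request.form.get` lines, so that nothing is parsed from a request whose signature has not been verified; `data = request.get_data()` must stay before the first `request.form` access, as it already is, because the verifier signs the raw body and Flask caches it on that call. The trailing semicolons on the two added assignment lines are not idiomatic Python and can be dropped. The body of rot() continues outside the hunk.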
-- 
2.45.2