From c823ba48a7c5d56c6059f821e76545486a084169 Mon Sep 17 00:00:00 2001
From: Carl Worth
Date: Sun, 27 Sep 2020 14:45:34 -0700
Subject: [PATCH] Add signature verification fo the /rot slash command

This prevents someone abusing our bot by spoofing messages appearing to have come from Slack. This way we won't reply to any command request unless it actually comes from Slack.
---
 turbot.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/turbot.py b/turbot.py
index bfc07e3..4a6aaff 100755
--- a/turbot.py
+++ b/turbot.py
@@ -5,6 +5,7 @@ from flask import Flask, request
 from slackeventsapi import SlackEventAdapter
 from slack import WebClient
 from slack.errors import SlackApiError
+from slack.signature import SignatureVerifier
 import os
 import requests
 import re
@@ -15,6 +16,7 @@ slack_signing_secret = os.environ['SLACK_SIGNING_SECRET']
 slack_bot_token = os.environ['SLACK_BOT_TOKEN']
 
 slack_events = SlackEventAdapter(slack_signing_secret, "/slack/events", app)
+signature_verifier = SignatureVerifier(slack_signing_secret)
 slack_client = WebClient(slack_bot_token)
 
 def rot_string(str, n=13):
@@ -52,11 +54,16 @@ def rot():
 in a direct message that it is not a member of. Otherwise, if the
 slash command was issued in a channel, the bot will reply in that
 channel."""
+ data = request.get_data();
+ headers = request.headers;
 response_url = request.form.get('response_url')
 channel_name = request.form.get('channel_name')
 channel = request.form.get('channel_id')
 query = request.form.get('text')
 
+ if not signature_verifier.is_valid_request(data, headers):
+ return make_response("invalid request", 403)
+
 match = re.match('^([0-9]+|\*) (.*)$', query)
 if (match):
 try:
-- 
2.43.0
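Review bot: The new rejection line in the rot() hunk calls `make_response`, but the only Flask import visible in the first hunk is `from flask import Flask, request`; unless it is imported elsewhere in turbot.py, a request that fails verification raises NameError and is answered with a 500 instead of the intended 403 (the spoofed command is still not acted on, but the failure is an unhandled exception rather than a clean reject), so either extend the import to `from flask import Flask, request, make_response` or return the tuple `return ("invalid request", 403)`. The ordering of the new lines is correct and deserves a comment, since Werkzeug consumes the body stream the first time `request.form` is parsed and the signature must be computed over the exact bytes Slack signed: `# read the raw body before touching request.form; form parsing consumes the stream`. The two assignments also carry trailing semicolons, which are un-Pythonic; `data = request.get_data()` and `headers = request.headers` suffice. rot() continues past the end of the hunk.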