fix: handle missing Content-Type header with null check (#805)

* Bugfix for Unhandled Exception Bugfix for missing null/undefined check in middleware.ts for the "content-type" header. Issue introduced by b7aee15. * Remove extra space * Add test case for missing content-type header * Linted * Use falsy check for cleaner comparison Co-authored-by: Gregor Martynus <39992+gr2m@users.noreply.github.com> Co-authored-by: CodeQL Automation <application-security@marriott.com> Co-authored-by: Gregor Martynus <39992+gr2m@users.noreply.github.com>
octokit · Jan 17, 2023 · 46597e7 · 46597e7
1 parent b9a2966
commit 46597e7
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 1 deletion.
diff --git a/src/middleware/node/middleware.ts b/src/middleware/node/middleware.ts
@@ -47,7 +47,10 @@ export async function middleware(
   // Check if the Content-Type header is `application/json` and allow for charset to be specified in it
   // Otherwise, return a 415 Unsupported Media Type error
   // See https://github.com/octokit/webhooks.js/issues/158
-  if (!request.headers["content-type"].startsWith("application/json")) {
+  if (
+    !request.headers["content-type"] ||
+    !request.headers["content-type"].startsWith("application/json")
+  ) {
     response.writeHead(415, {
       "content-type": "application/json",
       accept: "application/json",

diff --git a/test/integration/node-middleware.test.ts b/test/integration/node-middleware.test.ts
@@ -139,6 +139,36 @@ describe("createNodeMiddleware(webhooks)", () => {
     server.close();
   });
 
+  test("Handles Missing Content-Type", async () => {
+    const webhooks = new Webhooks({
+      secret: "mySecret",
+    });
+
+    const server = createServer(createNodeMiddleware(webhooks)).listen();
+
+    // @ts-expect-error complains about { port } although it's included in returned AddressInfo interface
+    const { port } = server.address();
+    const response = await fetch(
+      `http://localhost:${port}/api/github/webhooks`,
+      {
+        method: "POST",
+        headers: {
+          "X-GitHub-Delivery": "123e4567-e89b-12d3-a456-426655440000",
+          "X-GitHub-Event": "push",
+          "X-Hub-Signature-256": signatureSha256,
+        },
+        body: pushEventPayload,
+      }
+    );
+
+    await expect(response.text()).resolves.toBe(
+      '{"error":"Unsupported \\"Content-Type\\" header value. Must be \\"application/json\\""}'
+    );
+    expect(response.status).toEqual(415);
+
+    server.close();
+  });
+
   test("Handles invalid JSON", async () => {
     const webhooks = new Webhooks({
       secret: "mySecret",