fix: fix slash escaping when calculating webhook signature (box/box-codegen#736) (#624)

box-sdk-build · box-sdk-build · web-flow · commit a0307d0c4c5d · 2025-06-06T15:12:21.000+02:00
Co-authored-by: box-sdk-build &lt;box-sdk-build@box.com&gt;
diff --git a/.codegen.json b/.codegen.json
@@ -1 +1 @@
-{ "engineHash": "20cb559", "specHash": "630fc85", "version": "1.15.1" }
+{ "engineHash": "70390f5", "specHash": "630fc85", "version": "1.15.1" }
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/internal/utilsBrowser.ts b/src/internal/utilsBrowser.ts
@@ -291,7 +291,7 @@ export async function computeWebhookSignature(
   signatureKey: string,
 ): Promise<string | null> {
   const escapedBody = jsonStringifyWithEscapedUnicode(body).replace(
-    /\//g,
+    /(?<!\\)\//g,
     '\\/',
   );
   if (headers['box-signature-version'] !== '1') {
diff --git a/src/internal/utilsNode.ts b/src/internal/utilsNode.ts
@@ -246,7 +246,7 @@ export async function computeWebhookSignature(
   signatureKey: string,
 ): Promise<string | null> {
   const escapedBody = jsonStringifyWithEscapedUnicode(body).replace(
-    /\//g,
+    /(?<!\\)\//g,
     '\\/',
   );
   if (headers['box-signature-version'] !== '1') {
diff --git a/src/test/webhooks.generated.test.ts b/src/test/webhooks.generated.test.ts
@@ -123,6 +123,10 @@ test('testWebhookValidation', async function testWebhookValidation(): Promise<an
     '{"webhook":{"id":"1234567890"},"trigger":"FILE.UPLOADED","source":{"id":"1234567890","type":"file","name":"\uD83D\uDE00 2020-08-05.txt"}}';
   const bodyWithCarriageReturn: string =
     '{"webhook":{"id":"1234567890"},"trigger":"FILE.UPLOADED","source":{"id":"1234567890","type":"file","name":"test \\r"}}';
+  const bodyWithForwardSlash: string =
+    '{"webhook":{"id":"1234567890"},"trigger":"FILE.UPLOADED","source":{"id":"1234567890","type":"file","name":"\\/"}}';
+  const bodyWithBackSlash: string =
+    '{"webhook":{"id":"1234567890"},"trigger":"FILE.UPLOADED","source":{"id":"1234567890","type":"file","name":"\\\\"}}';
   const headers: {
     readonly [key: string]: string;
   } = {
@@ -157,6 +161,22 @@ test('testWebhookValidation', async function testWebhookValidation(): Promise<an
       ['box-signature-primary']: 'SVkbKgy3dEEf2PbbzpNu2lDZS7zZ/aboU7HOZgBGrJk=',
     },
   };
+  const headersWithForwardSlash: {
+    readonly [key: string]: any;
+  } = {
+    ...headers,
+    ...{
+      ['box-signature-primary']: 't41PWT5ZB6OcysnD6SDy9Ud+p9hdXxIdXqcdweyZv/Q=',
+    },
+  };
+  const headersWithBackSlash: {
+    readonly [key: string]: any;
+  } = {
+    ...headers,
+    ...{
+      ['box-signature-primary']: 'ERpMZwUQsGDTfj82ehdX6VvDZfvOhK5ULNfVmwVAGe0=',
+    },
+  };
   const currentDatetime: string = dateTimeToString(
     epochSecondsToDateTime(getEpochTimeInSeconds()),
   );
@@ -307,6 +327,28 @@ test('testWebhookValidation', async function testWebhookValidation(): Promise<an
   ) {
     throw new Error('Assertion failed');
   }
+  if (
+    !(
+      (await computeWebhookSignature(
+        bodyWithForwardSlash,
+        headersWithForwardSlash,
+        primaryKey,
+      )) == headersWithForwardSlash['box-signature-primary']
+    )
+  ) {
+    throw new Error('Assertion failed');
+  }
+  if (
+    !(
+      (await computeWebhookSignature(
+        bodyWithBackSlash,
+        headersWithBackSlash,
+        primaryKey,
+      )) == headersWithBackSlash['box-signature-primary']
+    )
+  ) {
+    throw new Error('Assertion failed');
+  }
   if (
     !(await WebhooksManager.validateMessage(
       body,

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-{ "engineHash": "20cb559", "specHash": "630fc85", "version": "1.15.1" }`
	`1`	`+{ "engineHash": "70390f5", "specHash": "630fc85", "version": "1.15.1" }`