[Bug] validateRequest() is not working when a query param includes a single quote (') #1059

Open
leon19 opened this issue Dec 17, 2024 · 0 comments

leon19 commented Dec 17, 2024

Issue Summary

The validateRequest() function is not working properly when a query param value includes a single quote (') (and probably more special characters).

This bug seems to be introduced after this commit 18c6d6f

Why?

The quote gets escaped when using new URL(), and the Twilio server seems to generate the signature with an unescaped quote.

const a = "https://example.com/path?test=foo'bar"
const b = new URL(a).toString() // 'https://example.com/path?test=foo%27bar'

Steps to Reproduce

  1. Set up a call with a redirect URI that has a query param with a quote in it
  2. When the call is redirected to the server, the validation does not pass
  3. This will also happen if ToState, FromState, or any other query param automatically added by Twilio includes a quote, and the server returns a 307 - Temporary Redirect to a different URL, for example Forli' or Trezzo Sull'Adda

Our use case

  1. A caller starts a call to the state Trezzo Sull'Adda
  2. The caller hangs up
  3. We receive the hang-up command via POST and respond with 307 - Temporary Redirect to Location: https://api.example.com
  4. api.example.com receives the redirect with GET method and body as query param instead
  5. validateRequest() now fails because of the single quote

Code Snippet

const { getExpectedTwilioSignature, validateRequest } = require('twilio/lib/webhooks/webhooks');

const token = 'authToken';
const url = `https://example.com/path?test=param'WithQuote`;
const signature = getExpectedTwilioSignature(token, url, {});
const signatureUsingNewUrl = getExpectedTwilioSignature(token, new URL(url).toString(), {});

console.log(validateRequest(token, signature, new URL(url).toString(), {})); // false
console.log(validateRequest(token, signature, url, {}));  // false

console.log(validateRequest(token, signatureUsingNewUrl, new URL(url).toString(), {})); // true
console.log(validateRequest(token, signatureUsingNewUrl, url, {})); // true

Exception/Log

  • The validation returns false

Technical details:

  • twilio-node version: 5.4.0
  • node version: v22.11.0
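
The mismatch reported in this issue, reproduced without the library as an added example (not part of the original post and not twilio-node's code). It uses Twilio's documented signing scheme with Node's built-in `crypto`; the function names `sign`, `safeEqual`, `validateStrict` and `validateTolerant` are hypothetical, and the token and URL are the sample values from the snippet above.

```javascript
// Added example: a stand-alone model of the check, not twilio-node's own code.
const crypto = require('node:crypto');

// Twilio's documented scheme: HMAC-SHA1, keyed with the auth token, over the
// full URL followed by each POST parameter (sorted by name) as name+value,
// then base64-encoded.
function sign(authToken, url, params = {}) {
  const data = Object.keys(params).sort()
    .reduce((acc, key) => acc + key + params[key], url);
  return crypto.createHmac('sha1', authToken).update(data, 'utf8').digest('base64');
}

// Compare signatures in constant time; a missing header never matches.
function safeEqual(received, expected) {
  if (typeof received !== 'string') return false;
  const a = Buffer.from(received);
  const b = Buffer.from(expected);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Hypothetical model of the behaviour reported above: the URL is passed
// through new URL() before signing, which turns ' into %27 in the query.
function validateStrict(authToken, header, url, params = {}) {
  return safeEqual(header, sign(authToken, new URL(url).toString(), params));
}

// Hypothetical workaround: accept a signature over either the URL exactly as
// received or its WHATWG-normalized form. Both candidates are still keyed
// with the auth token, so nothing unsigned is accepted.
function validateTolerant(authToken, header, url, params = {}) {
  const candidates = new Set([url, new URL(url).toString()]);
  let ok = false;
  for (const candidate of candidates) {
    // No early exit, so timing does not reveal which form matched.
    ok = safeEqual(header, sign(authToken, candidate, params)) || ok;
  }
  return ok;
}

// Sample values taken from the issue's snippet.
const token = 'authToken';
const rawUrl = "https://example.com/path?test=param'WithQuote";
const signedOverRaw = sign(token, rawUrl); // signature over the unescaped URL

console.log(new URL(rawUrl).toString());                     // https://example.com/path?test=param%27WithQuote
console.log(validateStrict(token, signedOverRaw, rawUrl));   // false
console.log(validateTolerant(token, signedOverRaw, rawUrl)); // true
```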