private boolean validateSignature()

in github-plugin/src/main/java/com/googlesource/gerrit/plugins/github/notification/WebhookServlet.java [200:221]


  /**
   * Checks the signature header of an incoming webhook request against the signature expected for
   * the request body.
   *
   * <p>Security notes:
   *
   * <ul>
   *   <li>When {@code config.webhookSecret} is null or empty this method returns {@code true}
   *       without checking anything, so the request is accepted unauthenticated. The only trace is
   *       a debug-level log line.
   *   <li>The comparison uses {@link MessageDigest#isEqual(byte[], byte[])}, so the check does not
   *       leak how many leading bytes of the supplied signature were correct.
   *   <li>The expected signature is computed over {@code body} re-encoded with {@code encoding},
   *       not over the raw request bytes. NOTE(review): presumably the caller decoded the body
   *       with the same charset; confirm, since a mismatch would reject valid requests.
   * </ul>
   *
   * @param signatureHeader the signature header value sent with the request; may be null
   * @param body the request body as text
   * @param encoding the charset name used to turn {@code body} back into bytes; UTF-8 when null
   * @return {@code true} if no secret is configured or the supplied signature matches the expected
   *     one; {@code false} if the header lacks {@code SIGNATURE_PREFIX}, is not valid hex, or does
   *     not match
   * @throws UnsupportedEncodingException if {@code encoding} names a charset that is not supported
   */
  private boolean validateSignature(String signatureHeader, String body, String encoding)
      throws UnsupportedEncodingException {
    // The body is encoded before anything else, so an unsupported charset name is reported even
    // when signature validation ends up being skipped.
    String charsetName = (encoding != null) ? encoding : "UTF-8";
    byte[] payload = body.getBytes(charsetName);

    boolean secretMissing = config.webhookSecret == null || config.webhookSecret.equals("");
    if (secretMissing) {
      // Fail-open path: without a secret every request passes this check.
      logger.debug(
          "{}.webhookSecret not configured. Skip signature validation", GitHubConfig.CONF_SECTION);
      return true;
    }

    // StringUtils.startsWith is null-safe, so a missing header is rejected here as well.
    boolean hasExpectedPrefix = StringUtils.startsWith(signatureHeader, SIGNATURE_PREFIX);
    if (!hasExpectedPrefix) {
      logger.error("Unsupported webhook signature type: {}", signatureHeader);
      return false;
    }

    String hexDigest = signatureHeader.substring(SIGNATURE_PREFIX.length());
    byte[] providedSignature;
    try {
      providedSignature = Hex.decodeHex(hexDigest.toCharArray());
    } catch (DecoderException e) {
      logger.error("Invalid signature: {}", signatureHeader);
      return false;
    }

    byte[] expectedSignature = getExpectedSignature(payload);
    // Time-constant comparison; do not replace with Arrays.equals.
    return MessageDigest.isEqual(providedSignature, expectedSignature);
  }