Gateway unconditionally echos messages without verifying they're from Slack [security?]

aaronpk / Slack-IRC-Gateway

Bridge Slack rooms to IRC channels

Other

34 stars 6 forks source link

Gateway unconditionally echos messages without verifying they're from Slack [security?] #6

Closed AbstractBeliefs closed 6 years ago

AbstractBeliefs commented 6 years ago

Anyone who discovers where you're hosting the gateway can trigger messages with spoofed sender/content. Might be worth looking at ways to verify the endpoint was hit by Slack rather than anyone else.

Repro on request, let me know what suits you.

aaronpk commented 6 years ago

Thanks. I'll add some code to verify the token that Slack sends along with the web hook.