From e255d58c7d5a7626e256c057a81abe366fe670b6 Mon Sep 17 00:00:00 2001
From: Neeraj Wadhwa
Date: Tue, 7 May 2019 12:19:48 +0000
Subject: [PATCH] implement a check in lib/webhooks/webhooks.js's webhook() middleware to check if the X-Twilio-Signature header exists or not
---
 lib/webhooks/webhooks.js | 6 ++++++
 package-lock.json | 2 +-
 spec/validation.spec.js | 25 +++++++++++++++++++++++++
 3 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/lib/webhooks/webhooks.js b/lib/webhooks/webhooks.js
index 2fb2b77763..7587a8a0bf 100644
--- a/lib/webhooks/webhooks.js
+++ b/lib/webhooks/webhooks.js
@@ -171,6 +171,12 @@ function webhook() {
 // Create middleware function
 return function hook(request, response, next) {
+ // Check if the 'X-Twilio-Signature' header exists or not
+ if (!request.header('X-Twilio-Signature')) {
+ return response.type('text/plain')
+ .status(400)
+ .send('No signature header error - X-Twilio-Signature header does not exist, maybe this request is not coming from Twilio.');
+ }
 // Do validation if requested
 if (opts.validate) {
 // Check for a valid auth token
diff --git a/package-lock.json b/package-lock.json
index 76893ccec3..aceb69a8f5 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
 {
 "name": "twilio",
- "version": "3.30.1",
+ "version": "3.30.3",
 "lockfileVersion": 1,
 "requires": true,
 "dependencies": {
diff --git a/spec/validation.spec.js b/spec/validation.spec.js
index ed706f3ff8..0863190184 100644
--- a/spec/validation.spec.js
+++ b/spec/validation.spec.js
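Review bot: The new header guard sits before `if (opts.validate)`, so a request without X-Twilio-Signature is now answered with 400 even when the caller has switched validation off, which silently changes what `validate: false` means for this middleware. Gating the guard on the same flag keeps the option meaningful and still rejects unsigned requests whenever validation is on: `if (opts.validate && !request.header('X-Twilio-Signature')) {`. The existing signature-failure path asserted in spec/validation.spec.js responds with 403, so unless 400 is deliberate, using 403 here too would keep the middleware's rejection responses consistent. The body of `hook` continues outside the hunk, so whether `request.header` (an Express request method) is already relied on by the surrounding validation code cannot be confirmed from here.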
@@ -85,6 +85,17 @@ describe('Request validation middleware', () => {
 originalUrl: fullUrl.pathname + fullUrl.search,
 body: defaultParams,
 };
+ const defaultRequestWithoutTwilioSignature = {
+ method: 'POST',
+ protocol: fullUrl.protocol,
+ host: fullUrl.host,
+ headers: {
+ 'host': fullUrl.host,
+ },
+ url: fullUrl.pathname + fullUrl.search,
+ originalUrl: fullUrl.pathname + fullUrl.search,
+ body: defaultParams,
+ };
 const middleware = webhook(token);
 let response;
@@ -212,4 +223,18 @@ describe('Request validation middleware', () => {
 expect(response.statusCode).toEqual(403);
 });
+
+ it('should fail if no twilio signature is provided in the request headers', () => {
+ const newUrl = fullUrl.pathname + fullUrl.search + '&somethingUnexpected=true';
+ const request = httpMocks.createRequest(Object.assign({},
+ defaultRequestWithoutTwilioSignature, {
+ originalUrl: newUrl,
+ }));
+
+ middleware(request, response, error => {
+ expect(true).toBeFalsy();
+ });
+
+ expect(response.statusCode).toEqual(400);
+ });
 });
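Review bot: The new test in the second hunk builds `newUrl` by appending `&somethingUnexpected=true`, a query-tampering setup that looks copied from a neighbouring case and has nothing to do with a missing header, so a reader is led to think the 400 is about the URL rather than the absent X-Twilio-Signature. Dropping `newUrl` and passing `defaultRequestWithoutTwilioSignature` to `httpMocks.createRequest` unchanged makes the fixture the only thing that differs from the happy path, which is what the test name promises. The `error` parameter of the next-callback is unused, so `() => { expect(true).toBeFalsy(); }` states the intent ("next must not be called") more plainly. The fixture added in the first hunk is fine as is.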