MEDIUM
GHSA-gxhx-2686-5h9g
slack-go `SecretsVerifier` accepts empty signing secret without precondition
Details
`SecretsVerifier` in slack-go/slack before v0.23.1 accepts an empty signing secret without error. If an application is misconfigured (e.g., an unset or empty `SLACK_SIGNING_SECRET`), `NewSecretsVerifier` builds an HMAC-SHA256 keyed with an empty string. Because that key is known to everyone, an unauthenticated attacker can compute a valid `X-Slack-Signature` for any request body and bypass Slack request authentication. Fixed in v0.23.1, which rejects empty secrets with `ErrInvalidConfiguration`.
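The following added example (not slack-go's own code) models the defect with a simplified stand-in verifier: it uses Slack's v0 signing scheme (HMAC-SHA256 over "v0:<timestamp>:<body>") and contrasts a constructor that silently accepts an empty secret with one that returns `ErrInvalidConfiguration`, as v0.23.1 does. The verifier type, function names and sample request are assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrInvalidConfiguration mirrors the error the fixed library returns for an empty secret.
var ErrInvalidConfiguration = errors.New("invalid configuration: empty signing secret")

// Verifier is a simplified stand-in for a Slack request verifier (not slack-go's type).
type Verifier struct{ secret []byte }

// NewVerifierVulnerable models the pre-0.23.1 behaviour: any secret, including "", is accepted.
func NewVerifierVulnerable(secret string) *Verifier {
	return &Verifier{secret: []byte(secret)}
}

// NewVerifierFixed models the 0.23.1 behaviour: an empty secret is a configuration error.
func NewVerifierFixed(secret string) (*Verifier, error) {
	if secret == "" {
		return nil, ErrInvalidConfiguration
	}
	return &Verifier{secret: []byte(secret)}, nil
}

// Sign computes the Slack v0 signature: "v0=" + hex(HMAC-SHA256(secret, "v0:<ts>:<body>")).
func Sign(secret []byte, timestamp, body string) string {
	mac := hmac.New(sha256.New, secret)
	fmt.Fprintf(mac, "v0:%s:%s", timestamp, body)
	return "v0=" + hex.EncodeToString(mac.Sum(nil))
}

// Verify compares a presented X-Slack-Signature header against the expected value in constant time.
func (v *Verifier) Verify(timestamp, body, signature string) bool {
	return hmac.Equal([]byte(Sign(v.secret, timestamp, body)), []byte(signature))
}

func main() {
	// Constructed sample request; not captured from Slack.
	ts, body := "1700000000", `{"type":"url_verification"}`
	vuln := NewVerifierVulnerable("") // misconfigured app: SLACK_SIGNING_SECRET unset
	unkeyed := Sign([]byte{}, ts, body) // computable by anyone, since the key is empty
	fmt.Println("empty-key verifier accepts unkeyed signature:", vuln.Verify(ts, body, unkeyed))
	if _, err := NewVerifierFixed(""); err != nil {
		fmt.Println("fixed constructor refuses to start:", err)
	}
}
```

The practical mitigation for applications on older versions is the same precondition the fixed constructor enforces: fail at startup when the signing secret is empty, rather than at the first forged request.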
Affected packages
Go / github.com/slack-go/slack
Introduced in: 0
Fixed in: 0.23.1
Fix: go get github.com/slack-go/slack@v0.23.1