From e590ff9f24e6a5e8048efe98c38d8d8025141e58 Mon Sep 17 00:00:00 2001
From: Denis Loginov
Date: Mon, 12 Apr 2021 14:08:07 -0400
Subject: [PATCH 1/2] Use X-Hub-Signature-256

---
 github_webhook/webhook.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/github_webhook/webhook.py b/github_webhook/webhook.py
index f4ca352..1981809 100644
--- a/github_webhook/webhook.py
+++ b/github_webhook/webhook.py
@@ -56,7 +56,7 @@ def decorator(func):
 
     def _get_digest(self):
         """Return message digest if a secret key was provided"""
-        return hmac.new(self._secret, request.data, hashlib.sha1).hexdigest() if self._secret else None
+        return hmac.new(self._secret, request.data, hashlib.sha256).hexdigest() if self._secret else None
 
     def _postreceive(self):
         """Callback from Flask"""
@@ -64,11 +64,11 @@ def _postreceive(self):
 
         digest = self._get_digest()
         if digest is not None:
-            sig_parts = _get_header("X-Hub-Signature").split("=", 1)
+            sig_parts = _get_header("X-Hub-Signature-256").split("=", 1)
             if not isinstance(digest, six.text_type):
                 digest = six.text_type(digest)
 
-            if len(sig_parts) < 2 or sig_parts[0] != "sha1" or not hmac.compare_digest(sig_parts[1], digest):
+            if len(sig_parts) < 2 or sig_parts[0] != "sha256" or not hmac.compare_digest(sig_parts[1], digest):
                 abort(400, "Invalid signature")
 
         event_type = _get_header("X-Github-Event")

From 87535bc250158a412971ff9a97e3fb3239944b35 Mon Sep 17 00:00:00 2001
From: Denis Loginov
Date: Mon, 12 Apr 2021 14:22:06 -0400
Subject: [PATCH 2/2] Adjust tests for X-Hub-Signature-256

---
 tests/test_webhook.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/test_webhook.py b/tests/test_webhook.py
index 29eba7d..92680b3 100644
--- a/tests/test_webhook.py
+++ b/tests/test_webhook.py
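Review bot: The docstring on `_get_digest` still reads "Return message digest if a secret key was provided" even though the algorithm is the whole point of this hunk, so a reader has to find the `sha256=` prefix check in `_postreceive` to learn which digest is produced. Suggest `"""Return the hex-encoded HMAC-SHA256 of request.data keyed with the configured secret, or None when no secret was set."""` so the pairing between this function and the header check is documented where the digest is computed. The enclosing class starts outside the hunk.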
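Review bot: On the `sig_parts = _get_header("X-Hub-Signature-256").split("=", 1)` line, `.split` is called directly on the helper's return value, so whether a request that omits the new header receives the intended 400 depends on `_get_header`, which is defined outside this hunk; if it returns `None` for an absent header the call raises AttributeError and the request fails as a 500 instead, which is worth confirming now that the expected header name has changed for every existing sender. A local guard makes the outcome independent of the helper: `sig_header = _get_header("X-Hub-Signature-256") or ""` followed by `sig_parts = sig_header.split("=", 1)`, after which the existing `len(sig_parts) < 2` branch produces the `Invalid signature` abort. A one-line comment above the comparison, such as `# header format is "sha256=<hex>"; compare_digest covers only the hex part, the prefix is checked literally`, would also help the next reader. `_postreceive` continues past the end of the hunk.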
@@ -158,7 +158,7 @@ def test_can_handle_zero_events(webhook, push_request):
 def test_calls_if_signature_is_correct(mock_hmac, app, push_request, secret):
     # GIVEN
     webhook = Webhook(app, secret=secret)
-    push_request.headers["X-Hub-Signature"] = "sha1=hash_of_something"
+    push_request.headers["X-Hub-Signature-256"] = "sha256=hash_of_something"
     push_request.data = b"something"
     handler = mock.Mock()
     mock_hmac.compare_digest.return_value = True
@@ -175,7 +175,7 @@ def test_calls_if_signature_is_correct(mock_hmac, app, push_request, secret):
 def test_does_not_call_if_signature_is_incorrect(mock_hmac, app, push_request):
     # GIVEN
     webhook = Webhook(app, secret="super_secret")
-    push_request.headers["X-Hub-Signature"] = "sha1=hash_of_something"
+    push_request.headers["X-Hub-Signature-256"] = "sha256=hash_of_something"
     push_request.data = b"something"
     handler = mock.Mock()
     mock_hmac.compare_digest.return_value = False