security: reject empty signing secret for NewSecretsVerifier

nlopes · nlopes · commit 34ad5c052e44 · 2026-05-10T10:27:28.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.23.1] - 2026-05-10
+
+### Fixed
+
+- `NewSecretsVerifier` now rejects empty signing secrets to avoid accepting forged request
+  signatures when applications are misconfigured.
+
 ## [0.23.0] - 2026-04-22
 
 ### Added
@@ -559,7 +566,8 @@ for details.
 [#1196]: https://github.com/slack-go/slack/issues/1196
 [#1547]: https://github.com/slack-go/slack/pull/1547
 
-[Unreleased]: https://github.com/slack-go/slack/compare/v0.23.0...HEAD
+[Unreleased]: https://github.com/slack-go/slack/compare/v0.23.1...HEAD
+[0.23.1]: https://github.com/slack-go/slack/compare/v0.23.0...v0.23.1
 [0.23.0]: https://github.com/slack-go/slack/compare/v0.22.0...v0.23.0
 [0.22.0]: https://github.com/slack-go/slack/compare/v0.21.1...0.22.0
 [0.21.1]: https://github.com/slack-go/slack/compare/v0.21.0...v0.21.1
diff --git a/security.go b/security.go
@@ -30,6 +30,10 @@ func unsafeSignatureVerifier(header http.Header, secret string) (_ SecretsVerifi
 		bsignature []byte
 	)
 
+	if secret == "" {
+		return SecretsVerifier{}, ErrInvalidConfiguration
+	}
+
 	signature := header.Get(hSignature)
 	stimestamp := header.Get(hTimestamp)
 
diff --git a/security_test.go b/security_test.go
@@ -1,6 +1,7 @@
 package slack
 
 import (
+	"errors"
 	"io"
 	"log"
 	"net/http"
@@ -32,6 +33,20 @@ func TestExpiredTimestamp(t *testing.T) {
 	}
 }
 
+func TestNewSecretsVerifierRejectsEmptySigningSecret(t *testing.T) {
+	_, err := NewSecretsVerifier(newHeader(true), "")
+	if !errors.Is(err, ErrInvalidConfiguration) {
+		t.Fatalf("expected ErrInvalidConfiguration, got %v", err)
+	}
+}
+
+func TestUnsafeSignatureVerifierRejectsEmptySigningSecret(t *testing.T) {
+	_, err := unsafeSignatureVerifier(newHeader(true), "")
+	if !errors.Is(err, ErrInvalidConfiguration) {
+		t.Fatalf("expected ErrInvalidConfiguration, got %v", err)
+	}
+}
+
 func TestUnsafeSignatureVerifier(t *testing.T) {
 	tests := []struct {
 		title         string

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,10 @@ func unsafeSignatureVerifier(header http.Header, secret string) (_ SecretsVerifi`
`30`	`30`	`bsignature []byte`
`31`	`31`	`)`
`32`	`32`
	`33`	`+ if secret == "" {`
	`34`	`+ return SecretsVerifier{}, ErrInvalidConfiguration`
	`35`	`+ }`
	`36`	`+`
`33`	`37`	`signature := header.Get(hSignature)`
`34`	`38`	`stimestamp := header.Get(hTimestamp)`
`35`	`39`