fix(signature): validate signing_secret is a non-empty string

WilliamBergamin · WilliamBergamin · commit 73fefdbe5c75 · 2026-06-02T14:41:45.000-04:00
diff --git a/slack_sdk/signature/__init__.py b/slack_sdk/signature/__init__.py
@@ -29,6 +29,18 @@ def __init__(self, signing_secret: str, clock: Clock = Clock()):
         self.signing_secret = signing_secret
         self.clock = clock
 
+    @property
+    def signing_secret(self) -> str:
+        return self._signing_secret
+
+    @signing_secret.setter
+    def signing_secret(self, value: str) -> None:
+        if not isinstance(value, str):
+            raise ValueError("signing_secret must be a string")
+        if not value.strip():
+            raise ValueError("signing_secret must not be empty.")
+        self._signing_secret = value
+
     def is_valid_request(
         self,
         body: Union[str, bytes],
diff --git a/tests/signature/test_signature_verifier.py b/tests/signature/test_signature_verifier.py
@@ -97,3 +97,23 @@ def test_is_valid_none(self):
         self.assertFalse(verifier.is_valid(None, self.timestamp, None))
         self.assertFalse(verifier.is_valid(self.body, None, None))
         self.assertFalse(verifier.is_valid(None, None, None))
+
+    def test_invalid_signing_secret(self):
+        with self.assertRaises(ValueError):
+            SignatureVerifier("")
+        with self.assertRaises(ValueError):
+            SignatureVerifier("   ")
+        with self.assertRaises(ValueError):
+            SignatureVerifier(None)
+        with self.assertRaises(ValueError):
+            SignatureVerifier(123)
+        with self.assertRaises(ValueError):
+            SignatureVerifier(b"secret")
+
+    def test_invalid_signing_secret_reassignment(self):
+        verifier = SignatureVerifier(self.signing_secret)
+        with self.assertRaises(ValueError):
+            verifier.signing_secret = ""
+        with self.assertRaises(ValueError):
+            verifier.signing_secret = None
+        self.assertEqual(verifier.signing_secret, self.signing_secret)
diff --git a/tests/slack_sdk/signature/test_signature_verifier.py b/tests/slack_sdk/signature/test_signature_verifier.py
@@ -97,3 +97,23 @@ def test_is_valid_none(self):
         self.assertFalse(verifier.is_valid(None, self.timestamp, None))
         self.assertFalse(verifier.is_valid(self.body, None, None))
         self.assertFalse(verifier.is_valid(None, None, None))
+
+    def test_invalid_signing_secret(self):
+        with self.assertRaises(ValueError):
+            SignatureVerifier("")
+        with self.assertRaises(ValueError):
+            SignatureVerifier("   ")
+        with self.assertRaises(ValueError):
+            SignatureVerifier(None)
+        with self.assertRaises(ValueError):
+            SignatureVerifier(123)
+        with self.assertRaises(ValueError):
+            SignatureVerifier(b"secret")
+
+    def test_invalid_signing_secret_reassignment(self):
+        verifier = SignatureVerifier(self.signing_secret)
+        with self.assertRaises(ValueError):
+            verifier.signing_secret = ""
+        with self.assertRaises(ValueError):
+            verifier.signing_secret = None
+        self.assertEqual(verifier.signing_secret, self.signing_secret)
