From 7332471fc5a6a5dcd2d9645cbc06417f1fb4f70a Mon Sep 17 00:00:00 2001
From: Izimic
Date: Wed, 23 Dec 2020 10:21:41 +0100
Subject: [PATCH] check token

---
 src/gitea.cr | 1 +
 src/payload.cr | 25 +++++++++++++++++++++++--
 src/webhooksd.cr | 18 +++++++++++-------
 3 files changed, 35 insertions(+), 9 deletions(-)

diff --git a/src/gitea.cr b/src/gitea.cr
index be5570c..0e3cf82 100644
--- a/src/gitea.cr
+++ b/src/gitea.cr
@@ -10,5 +10,6 @@ class Gitea::Payload
   include JSON::Serializable
   property repository : Repository
+  property secret : String
 end
diff --git a/src/payload.cr b/src/payload.cr
index 745c90c..be38837 100644
--- a/src/payload.cr
+++ b/src/payload.cr
@@ -1,4 +1,7 @@
 require "json"
+require "openssl/hmac"
+require "openssl/sha1"
+
 require "./gitea.cr"
 require "./github.cr"
 require "./gitlab.cr"
@@ -6,9 +9,10 @@ require "./gitlab.cr"
 class Payload
   include JSON::Serializable
-  property kind : String
+  property kind : String
   property project : String
   property content : String
+  property secret : String = ""
   def initialize(req : HTTP::Request)
     @content = req.body.not_nil!.gets_to_end.to_s
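Review bot: `property secret : String` is non-nilable, so `Gitea::Payload.from_json` raises when the body carries no `secret` field, and that exception leaves the handler before `check?` can reject the request. Declaring it `property secret : String? = nil` and having the caller treat nil as a failed check keeps a missing field on the fail-closed path instead of the error path. The enclosing class starts before the hunk.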
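Review bot: The default `property secret : String = ""` means a request carrying neither a signature header nor a token field still gets a usable (empty) secret, so the later comparison only fails because the stored token happens to be non-empty. `property secret : String? = nil` makes the absence explicit and lets the check fail closed on nil. Since `Payload` includes `JSON::Serializable`, the header value also becomes part of any `to_json` output of a `Payload`; if the object is ever serialized, `@[JSON::Field(ignore: true)]` on the property keeps it out. The `-`/`+` pair on `property kind : String` appears to be a whitespace-only change.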
@@ -18,23 +22,40 @@ class Payload
       @kind = "gitea"
       content = Gitea::Payload.from_json @content
       @project = content.repository.full_name
+      @secret = content.secret
     elsif agent.starts_with?("GitHub-Hookshot/") && req.headers.has_key?("X-Github-Event")
       @kind = "github"
       content = Github::Payload.from_json @content
       @project = content.repository.full_name
+      hash = req.headers.fetch("X-Hub-Signature", "None")
+      if hash != "None"
+        @secret = hash.to_s
+      end
     elsif req.headers.has_key?("X-Gitlab-Event")
       @kind = "gitlab"
       content = Gitlab::Payload.from_json @content
       @project = content.project.path_with_namespace
+      token = req.headers.fetch("X-Gitlab-Token", "None")
+      if token != "None"
+        @secret = token.to_s
+      end
     else
       @kind = "undefined"
       @project = "undefined"
-    end
+    end
+  def check?(token)
+    pp token
+    pp @secret
+    if @kind == "github"
+      data = JSON.parse(@content).to_json
+      given_secret = "sha1=" + OpenSSL::HMAC.hexdigest(:sha1, @secret, data)
+    end
+    token == @secret
   end
 end
diff --git a/src/webhooksd.cr b/src/webhooksd.cr
index 585421a..72023f0 100644
--- a/src/webhooksd.cr
+++ b/src/webhooksd.cr
@@ -65,6 +65,7 @@ server = HTTP::Server.new do |context|
   path_project = storage + "/" + payload.project
   path_scriptfile = path_project + "/" + scriptname
+  path_token = path_project + "/token"
   path_jsonfile = path_project + "/" + jsonfile
   scriptfile = scriptname
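Review bot: `check?` computes `given_secret` in the GitHub branch and then ignores it: every kind falls through to `token == @secret`, so for GitHub the stored token is compared against the `sha1=` header value and the HMAC is keyed with that header rather than with the token. The digest is also taken over `JSON.parse(@content).to_json`, which re-serializes the body, while GitHub signs the raw bytes, so the two will not agree even once the key is fixed. The `pp token` / `pp @secret` lines print the shared secret and signature to stdout on every request and should go. The rewrite below keys the HMAC with the stored token, hashes `@content` as received, and compares with `Crypto::Subtle.constant_time_compare` (add `require "crypto/subtle"` alongside the other requires). As displayed, `def check?` follows the if-chain's `end` with no closing `end` for `initialize` in between; if the hunk is shown faithfully the method ends up nested inside `initialize`, which should be confirmed against the file.
```crystal
  def check?(token)
    # Fail closed when either side is missing; an empty stored token must never match.
    return false if token.empty? || @secret.empty?
    if @kind == "github"
      # GitHub signs the raw request body; hash @content as received, keyed with the stored token.
      expected = "sha1=" + OpenSSL::HMAC.hexdigest(:sha1, token, @content)
      return Crypto::Subtle.constant_time_compare(expected, @secret)
    end
    Crypto::Subtle.constant_time_compare(token, @secret)
  end
```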
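Review bot: `path_token` is derived from `path_project`, which the line above builds from `payload.project`, a value taken from the request body; the token file that `check?` later compares against is therefore looked up under a caller-supplied project name. That is fine only if project names are validated to a single path component before this point — if that validation is not present elsewhere, add it (or normalize the path and confirm it stays under `storage`) before the token is read. The surrounding server block starts outside the hunk.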
@@ -73,15 +74,18 @@ server = HTTP::Server.new do |context|
   if File.exists?(path_project) == false
     STDERR.puts "ERROR: Project #{payload.project} not found"
-    status = false
   else
-    if File.exists?(path_scriptfile) == false
-      scriptfile = path_project + "/../../../" + scriptfile_default
-    end
+    if !payload.check?(File.read_lines(path_token)[0])
+      STDERR.puts "ERROR: Secret token not valid"
+    else
+      if File.exists?(path_scriptfile) == false
+        scriptfile = path_project + "/../../../" + scriptfile_default
+      end
-    File.write(path_jsonfile, payload.content)
-    status = Process.run command: "zsh", args: [scriptfile], shell: true,
-      error: STDERR, output: STDOUT, chdir: path_project
+      File.write(path_jsonfile, payload.content)
+      status = Process.run command: "zsh", args: [scriptfile], shell: true,
+        error: STDERR, output: STDOUT, chdir: path_project
+    end
   end
   context.response.content_type = "text/plain"
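Review bot: `File.read_lines(path_token)[0]` raises instead of rejecting when the token file is missing (`File::NotFoundError`) or empty (`[0]` on an empty array raises `IndexError`), so a project without a configured token produces an unhandled exception in the handler rather than the "Secret token not valid" path. Read it defensively and fail closed: `token = File.exists?(path_token) ? File.read_lines(path_token).first?.try(&.strip) : nil` followed by `if token.nil? || token.empty? || !payload.check?(token)`. The rejected branch only writes to STDERR and leaves `status` unassigned; the response code is set further down outside the hunk, so confirm the client receives a 401/403 rather than the success response. The enclosing server block starts and ends outside the hunk.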