Check local signature (TODO: sanitize input!!!!!!!!)
This commit is contained in:
parent
8fb1786c18
commit
299d1784e9
|
@ -2,10 +2,7 @@
|
|||
|
||||
// So first we need to deserialize the JSON to perform basic checks, so that we ensure:
|
||||
// - the `repository.html_url` has a corresponding hex-encoded /opt/forgehook/webhooks/
|
||||
echo "bonjour de PHP";
|
||||
exit();
|
||||
|
||||
$secret_key = '123';
|
||||
|
||||
// check for POST request
|
||||
if ($_SERVER['REQUEST_METHOD'] != 'POST') {
|
||||
|
@ -29,23 +26,6 @@ if (empty($payload)) {
|
|||
exit();
|
||||
}
|
||||
|
||||
// get header signature
|
||||
$header_signature = isset($_SERVER['HTTP_X_GITEA_SIGNATURE']) ? $_SERVER['HTTP_X_GITEA_SIGNATURE'] : '';
|
||||
|
||||
if (empty($header_signature)) {
|
||||
error_log('FAILED - header signature missing');
|
||||
exit();
|
||||
}
|
||||
|
||||
// calculate payload signature
|
||||
$payload_signature = hash_hmac('sha256', $payload, $secret_key, false);
|
||||
|
||||
// check payload signature against header signature
|
||||
if ($header_signature != $payload_signature) {
|
||||
error_log('FAILED - payload signature');
|
||||
exit();
|
||||
}
|
||||
|
||||
// convert json to array
|
||||
$decoded = json_decode($payload, true);
|
||||
|
||||
|
@ -55,4 +35,50 @@ if (json_last_error() !== JSON_ERROR_NONE) {
|
|||
exit();
|
||||
}
|
||||
|
||||
if (!isset($decoded["repository"]["html_url"])) {
|
||||
error_log('BULLSHIT');
|
||||
exit();
|
||||
}
|
||||
|
||||
$repo = $decoded["repository"]["html_url"];
|
||||
|
||||
// TODO: looks dangerous but i have no clue what PHP is doing here
|
||||
$secret = shell_exec("forgehook secret ".$repo);
|
||||
|
||||
if ($secret == NULL) {
|
||||
error_log("Secret not found for ".$repo);
|
||||
exit();
|
||||
}
|
||||
|
||||
$secret = str_replace("\n", "", $secret);
|
||||
|
||||
error_log("secret: ".$secret."END");
|
||||
|
||||
|
||||
// get header signature
|
||||
$header_signature = isset($_SERVER['HTTP_X_GITEA_SIGNATURE']) ? $_SERVER['HTTP_X_GITEA_SIGNATURE'] : '';
|
||||
|
||||
if (empty($header_signature)) {
|
||||
error_log('FAILED - header signature missing');
|
||||
exit();
|
||||
}
|
||||
|
||||
// calculate payload signature
|
||||
$payload_signature = hash_hmac('sha256', $payload, $secret, false);
|
||||
|
||||
// check payload signature against header signature
|
||||
if ($header_signature != $payload_signature) {
|
||||
error_log('FAILED - payload signature');
|
||||
exit();
|
||||
}
|
||||
|
||||
$output=shell_exec("forgehook-notify ".$repo);
|
||||
|
||||
if ($output != NULL) {
|
||||
error_log("Notify failed with:\n".$output);
|
||||
}
|
||||
|
||||
error_log("OK");
|
||||
|
||||
|
||||
?>
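Review bot: `$repo` is taken straight from the unauthenticated request body and concatenated into `shell_exec("forgehook secret ".$repo)` before any signature has been verified, so the command line is attacker-controlled at that point; the later `shell_exec("forgehook-notify ".$repo)` has the same shape, although it only runs after the HMAC check passes. At minimum wrap the value, `$secret = shell_exec('forgehook secret ' . escapeshellarg($repo));` and `$output = shell_exec('forgehook-notify ' . escapeshellarg($repo));`, and preferably reject anything that is not a well-formed URL for the expected host before it reaches a shell at all. The signature comparison `$header_signature != $payload_signature` is a loose, non-constant-time string compare; use `if (!hash_equals($payload_signature, $header_signature))` instead. `error_log("secret: ".$secret."END")` writes the per-repository HMAC secret into the web server log and should be dropped before this is deployed. The loose `$secret == NULL` also treats an empty-string result from the helper as "found", so the check should be `if ($secret === null || trim($secret) === '')`.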