archive_hook.sh/endpoints/index.php


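<?php
declare(strict_types=1);

// Gitea webhook endpoint.
//
// Flow: accept only a JSON POST, decode it just far enough to read
// `repository.html_url`, look up that repository's webhook secret with the
// `forgehook secret` helper, verify the `X-Gitea-Signature` HMAC over the raw
// request body, and only then run `forgehook-notify` for the repository.
//
// Every rejection is written to the server error log and answered with a
// non-2xx status so the sending forge records the delivery as failed
// (the original script answered 200 on every path).

/**
 * Log a rejection, set the HTTP status and stop processing.
 *
 * @param int    $status  HTTP status code returned to the sender.
 * @param string $message line written to the server error log.
 */
function reject(int $status, string $message): void
{
    http_response_code($status);
    error_log($message);
    exit();
}

// Only POST carries a webhook delivery.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    reject(405, 'FAILED - not POST - ' . $_SERVER['REQUEST_METHOD']);
}

// Compare the media type only, so a "; charset=utf-8" parameter is tolerated.
$contentType = isset($_SERVER['CONTENT_TYPE']) ? strtolower(trim($_SERVER['CONTENT_TYPE'])) : '';
$mediaType = trim(explode(';', $contentType, 2)[0]);
if ($mediaType !== 'application/json') {
    reject(400, 'FAILED - not application/json - ' . $contentType);
}

// The raw body is what the sender signed: keep it untrimmed for the HMAC and
// only use the trimmed form for the emptiness check.
$rawBody = file_get_contents('php://input');
if ($rawBody === false || trim($rawBody) === '') {
    reject(400, 'FAILED - no payload');
}

$decoded = json_decode($rawBody, true);
if (json_last_error() !== JSON_ERROR_NONE) {
    reject(400, 'FAILED - json decode - ' . json_last_error_msg());
}
// is_string() guards escapeshellarg() below against a non-scalar value
// (a JSON object or array in that position would be a TypeError).
if (!is_array($decoded)
    || !isset($decoded['repository']['html_url'])
    || !is_string($decoded['repository']['html_url'])
) {
    reject(400, 'FAILED - repository.html_url missing');
}
$htmlUrl = $decoded['repository']['html_url'];

// Reject before the secret lookup when no signature header was sent: such a
// request can never authenticate, so there is no reason to spawn a process for it.
$headerSignature = isset($_SERVER['HTTP_X_GITEA_SIGNATURE']) ? trim($_SERVER['HTTP_X_GITEA_SIGNATURE']) : '';
if ($headerSignature === '') {
    reject(403, 'FAILED - header signature missing');
}

// The repository URL is still unauthenticated input at this point (the
// signature has not been verified yet); escapeshellarg() keeps it a single
// argv entry for the helper.
$repoArg = escapeshellarg($htmlUrl);
$secret = shell_exec('forgehook secret ' . $repoArg);
// shell_exec() returns null on error/empty output and false on failure to run.
if (!is_string($secret) || trim($secret) === '') {
    // Same status as a bad signature, so an unauthenticated caller cannot tell
    // "unknown repository" from "wrong secret" by the response code.
    reject(403, 'Secret not found for ' . $repoArg);
}
// trim() also strips a trailing "\r\n", not only "\n". The secret is never logged.
$secret = trim($secret);

// Constant-time comparison: a plain ==/!= on hex digests is both timing-dependent
// and subject to PHP's numeric-string comparison ("0e..." digests compare equal).
$payloadSignature = hash_hmac('sha256', $rawBody, $secret);
if (!hash_equals($payloadSignature, strtolower($headerSignature))) {
    reject(403, 'FAILED - payload signature');
}

// Authenticated: hand off to the notifier. Any output is treated as an error
// report, but the delivery is still acknowledged as received.
$output = shell_exec('forgehook-notify ' . $repoArg);
if (is_string($output) && $output !== '') {
    error_log("Notify failed with:\n" . $output);
}
error_log('OK');
http_response_code(200);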