Add signatures to webhooks (#6428)

This commit is contained in:
techknowlogick 2019-03-25 20:08:55 -04:00 committed by GitHub
parent 909feaafa7
commit 22d3d029e6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -6,7 +6,10 @@
package models package models
import ( import (
"crypto/hmac"
"crypto/sha256"
"crypto/tls" "crypto/tls"
"encoding/hex"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
@ -101,6 +104,7 @@ type Webhook struct {
RepoID int64 `xorm:"INDEX"` RepoID int64 `xorm:"INDEX"`
OrgID int64 `xorm:"INDEX"` OrgID int64 `xorm:"INDEX"`
URL string `xorm:"url TEXT"` URL string `xorm:"url TEXT"`
Signature string `xorm:"TEXT"`
ContentType HookContentType ContentType HookContentType
Secret string `xorm:"TEXT"` Secret string `xorm:"TEXT"`
Events string `xorm:"TEXT"` Events string `xorm:"TEXT"`
@ -529,6 +533,7 @@ type HookTask struct {
UUID string UUID string
Type HookTaskType Type HookTaskType
URL string `xorm:"TEXT"` URL string `xorm:"TEXT"`
Signature string `xorm:"TEXT"`
api.Payloader `xorm:"-"` api.Payloader `xorm:"-"`
PayloadContent string `xorm:"TEXT"` PayloadContent string `xorm:"TEXT"`
ContentType HookContentType ContentType HookContentType
@ -657,11 +662,23 @@ func prepareWebhook(e Engine, w *Webhook, repo *Repository, event HookEventType,
payloader = p payloader = p
} }
var signature string
if len(w.Secret) > 0 {
data, err := payloader.JSONPayload()
if err != nil {
log.Error(2, "prepareWebhooks.JSONPayload: %v", err)
}
sig := hmac.New(sha256.New, []byte(w.Secret))
sig.Write(data)
signature = hex.EncodeToString(sig.Sum(nil))
}
if err = createHookTask(e, &HookTask{ if err = createHookTask(e, &HookTask{
RepoID: repo.ID, RepoID: repo.ID,
HookID: w.ID, HookID: w.ID,
Type: w.HookTaskType, Type: w.HookTaskType,
URL: w.URL, URL: w.URL,
Signature: signature,
Payloader: payloader, Payloader: payloader,
ContentType: w.ContentType, ContentType: w.ContentType,
EventType: event, EventType: event,
@ -712,8 +729,10 @@ func (t *HookTask) deliver() {
req := httplib.Post(t.URL).SetTimeout(timeout, timeout). req := httplib.Post(t.URL).SetTimeout(timeout, timeout).
Header("X-Gitea-Delivery", t.UUID). Header("X-Gitea-Delivery", t.UUID).
Header("X-Gitea-Event", string(t.EventType)). Header("X-Gitea-Event", string(t.EventType)).
Header("X-Gitea-Signature", t.Signature).
Header("X-Gogs-Delivery", t.UUID). Header("X-Gogs-Delivery", t.UUID).
Header("X-Gogs-Event", string(t.EventType)). Header("X-Gogs-Event", string(t.EventType)).
Header("X-Gogs-Signature", t.Signature).
HeaderWithSensitiveCase("X-GitHub-Delivery", t.UUID). HeaderWithSensitiveCase("X-GitHub-Delivery", t.UUID).
HeaderWithSensitiveCase("X-GitHub-Event", string(t.EventType)). HeaderWithSensitiveCase("X-GitHub-Event", string(t.EventType)).
SetTLSClientConfig(&tls.Config{InsecureSkipVerify: setting.Webhook.SkipTLSVerify}) SetTLSClientConfig(&tls.Config{InsecureSkipVerify: setting.Webhook.SkipTLSVerify})