From aeb2105dc7273cf603ab8e86f7bc90780f96093f Mon Sep 17 00:00:00 2001 From: jazzari Date: Tue, 15 Aug 2023 19:25:06 -0300 Subject: [PATCH] fix: add rescue in token_from_signature method #13903 --- app/controllers/api/v1/webhooks_controller.rb | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/app/controllers/api/v1/webhooks_controller.rb b/app/controllers/api/v1/webhooks_controller.rb index 20cc0ddc..0ecca9d7 100644 --- a/app/controllers/api/v1/webhooks_controller.rb +++ b/app/controllers/api/v1/webhooks_controller.rb @@ -9,6 +9,8 @@ module Api # Trae los cambios a partir de un post de Webhooks: # (Gitlab, Github, Gitea, etc) + # + # @return [nil] def pull message = I18n.with_locale(site.default_locale) do I18n.t('webhooks.pull.message') @@ -36,22 +38,27 @@ module Api request.headers['X-Gitlab-Token'] # Github elsif request.headers['X-HUB-SIGNATURE-256'] - request.env['HTTP_X_HUB_SIGNATURE_256'] + token_from_signature(request.env['HTTP_X_HUB_SIGNATURE_256']) # Gitea else - request.env['HTTP_X_GITEA_SIGNATURE'] + token_from_signatureq(request.env['HTTP_X_GITEA_SIGNATURE']) end end end # valida token a partir de firma de webhook # - # @return [String] + # @return [String, Boolean] def token_from_signature(signature) payload = request.body.read site.roles.where(temporal: false, rol: 'usuarie').pluck(:token).find do |token| new_signature = 'sha256=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), token, payload) ActiveSupport::SecurityUtils.secure_compare(new_signature, signature) + end.tap do |t| + raise ArgumentError, 'token no encontrado' if t.nil? + rescue ArgumentError => e + ExceptionNotifier.notify_exception(e, data: { params: params.to_h }) + raise ActiveRecord::RecordNotFound end end