Add Gogs signature check — untested

2018-03-03 02:31:54 +01:00 · 2018-03-03 02:31:54 +01:00 · dfa4359f23
parent 16b8d64913
commit dfa4359f23
2 changed files with 24 additions and 3 deletions
--- a/gogsmaker.py
+++ b/gogsmaker.py
@ -5,6 +5,8 @@ A webhook-handler for Gogs running `make` when needed. """
 import os
 import sys
 import subprocess
+import hmac
+from hashlib import sha256
 from threading import Thread
 from functools import wraps
 from flask import Flask, request
@ -77,13 +79,18 @@ def update_repo(hook, clone_url):
            raise GitError("Cannot clone {}".format(clone_url))


+def check_signature(received_sig, hook, payload):
+    ''' Check Gogs signature '''
+    digest = hmac.new(hook.secret,
+                      msg=payload,
+                      digestmod=sha256).digest()
+    return hmac.compare_digest(digest, received_sig)
+
+
 def gogs_payload(required):
    def wrapper(fct):
        @wraps(fct)
        def wrapped(*args, **kwargs):
-            # TODO: check signature
-            # payload_raw = request.data
-
            payload = request.json
            if payload is None:
                return 'Expected json\n', 415
@ -104,6 +111,12 @@ def gogs_payload(required):
            except UnmonitoredRepository:
                return 'Unmonitored repository\n', 403

+            if not settings.DEBUG:
+                received_sig = request.headers['X-Gogs-Signature']
+                payload_raw = request.data
+                if not check_signature(received_sig, hook, payload_raw):
+                    return 'Invaild signature\n', 403
+
            return fct(payload, hook, *args, **kwargs)
        return wrapped
    return wrapper
--- a/settings.default.py
+++ b/settings.default.py
@ -1,5 +1,9 @@
 ''' GogsMaker settings '''

+# Debug mode. **ALWAYS** leave to False in production, this allows remote code
+# execution
+DEBUG = False
+
 # List of the repositories to work on
 HOOKS = [
    {
@ -12,11 +16,15 @@ HOOKS = [

        # Make targets to be invoked
        'targets': ['all'],
+
+        # Shared secret with Gogs
+        'secret': 'shooW8IRei5pah7lahMe',
    },
    {
        'name': 'test-repo',
        'url': 'tests/simple-repo',
        'targets': ['date', 'touch'],
+        'secret': 'mi5aesh8eiS6sileiGha',
    },
 ]