Add Gogs signature check — untested

This commit is contained in:
Théophile Bastian 2018-03-03 02:31:54 +01:00
parent 16b8d64913
commit dfa4359f23
2 changed files with 24 additions and 3 deletions

View file

@ -5,6 +5,8 @@ A webhook-handler for Gogs running `make` when needed. """
import os
import sys
import subprocess
import hmac
from hashlib import sha256
from threading import Thread
from functools import wraps
from flask import Flask, request
@ -77,13 +79,18 @@ def update_repo(hook, clone_url):
raise GitError("Cannot clone {}".format(clone_url))
def check_signature(received_sig, hook, payload):
''' Check Gogs signature '''
digest = hmac.new(hook.secret,
msg=payload,
digestmod=sha256).digest()
return hmac.compare_digest(digest, received_sig)
def gogs_payload(required):
def wrapper(fct):
@wraps(fct)
def wrapped(*args, **kwargs):
# TODO: check signature
# payload_raw = request.data
payload = request.json
if payload is None:
return 'Expected json\n', 415
@ -104,6 +111,12 @@ def gogs_payload(required):
except UnmonitoredRepository:
return 'Unmonitored repository\n', 403
if not settings.DEBUG:
received_sig = request.headers['X-Gogs-Signature']
payload_raw = request.data
if not check_signature(received_sig, hook, payload_raw):
return 'Invaild signature\n', 403
return fct(payload, hook, *args, **kwargs)
return wrapped
return wrapper

View file

@ -1,5 +1,9 @@
''' GogsMaker settings '''
# Debug mode. **ALWAYS** leave to False in production, this allows remote code
# execution
DEBUG = False
# List of the repositories to work on
HOOKS = [
{
@ -12,11 +16,15 @@ HOOKS = [
# Make targets to be invoked
'targets': ['all'],
# Shared secret with Gogs
'secret': 'shooW8IRei5pah7lahMe',
},
{
'name': 'test-repo',
'url': 'tests/simple-repo',
'targets': ['date', 'touch'],
'secret': 'mi5aesh8eiS6sileiGha',
},
]