diff --git a/META6.json b/META6.json
index 0ad46b5..a16be25 100644
--- a/META6.json
+++ b/META6.json
@@ -8,6 +8,8 @@
 "depends": [
 "Bailador",
 "Config",
+"Digest::HMAC",
+"Digest::SHA",
 "IRC::Client"
 ],
 "provides": {
diff --git a/lib/IRC/Client/Plugin/Github.pm6 b/lib/IRC/Client/Plugin/Github.pm6
index 55e5afa..5aad2bb 100644
--- a/lib/IRC/Client/Plugin/Github.pm6
+++ b/lib/IRC/Client/Plugin/Github.pm6
@@ -4,6 +4,8 @@ use v6.c;
 use Bailador;
 use Config;
+use Digest::HMAC;
+use Digest::SHA;
 use IRC::Client;
 use IRC::Client::Plugin::Github::WebhookEvents::IssueComment;
 use IRC::Client::Plugin::Github::WebhookEvents::Issues;
@@ -33,6 +35,15 @@ class IRC::Client::Plugin::Github does IRC::Client::Plugin
 my %json = from-json(request.body);
+# Check signature
+if ($!config.has("github.webhook.secret") && request.headers:exists) {
+my Str $hmac = "sha1=" ~ hmac-hex($!config.get("github.webhook.secret"), request.body, &sha1);
+if ($hmac ne request.headers) {
+return "";
+}
+}
+
 # Make sure there are channels configured to notify
 my Str $repo-config-key = "github.webhook.repos.{%json.subst("/", "-")}.channels";
 my Str @channels = $!config.get($repo-config-key) || $!config.get("github.webhook.channels", []).unique;
diff --git a/readme.adoc b/readme.adoc
index 4a0859f..5e1bca8 100644
--- a/readme.adoc
+++ b/readme.adoc
@@ -71,6 +71,11 @@ message-style = "privmsg"
 # repository's configuration key, this array will be used instead.
 channels = ["#scriptkitties"]
+# A secret shared between the bot and the Github webhook. If set, HMAC
+# verification will be employed. Messages failing this verification will be
+# dropped.
+secret = ""
+
 # If set to true, it will notify for every repository that POSTs a payload to
 # the Bailador instance. Note this could be abused to spam through the bot.
 # When false, every repository should be properly defined if you want to see
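Review bot: The signature check in the Github.pm6 hunk is skipped entirely when a secret is configured but the request carries no signature header, because the outer `if` ANDs `$!config.has("github.webhook.secret")` with the header's `:exists` test, so a POST that simply omits the header is processed unverified. When the secret is set the header must be required, e.g. `if $!config.has("github.webhook.secret") { return "" unless request.headers<X-Hub-Signature>:exists && request.headers<X-Hub-Signature> eq $hmac; }` (the header subscript appears to have been lost in this rendering, so take the exact header expression from the file). The check should also be moved above `my %json = from-json(request.body);` so an unauthenticated body is never parsed, and the plain `ne` string comparison is not constant-time; a byte-wise XOR-and-accumulate compare of the two digests is the usual replacement. Since the readme hunk ships `secret = ""` as the default, it is worth confirming that `$!config.has` is false for an empty value, otherwise every deployment verifies against an empty key. Returning `""` presumably answers GitHub with a 200 and leaves no log line, so a 4xx status plus a logged rejection would make failed deliveries visible on both ends; the route body this hunk sits in begins and ends outside the hunk.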