From 1b21180bf18fdc606c90c8b18cf04e9eb5a123d8 Mon Sep 17 00:00:00 2001
From: Patrick Spek
Date: Thu, 5 Oct 2017 19:34:58 +0200
Subject: [PATCH 1/4] Check the hmac signature if possible

---
 lib/IRC/Client/Plugin/Github.pm6 | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lib/IRC/Client/Plugin/Github.pm6 b/lib/IRC/Client/Plugin/Github.pm6
index 55e5afa..a2f93f0 100644
--- a/lib/IRC/Client/Plugin/Github.pm6
+++ b/lib/IRC/Client/Plugin/Github.pm6
@@ -33,6 +33,15 @@ class IRC::Client::Plugin::Github does IRC::Client::Plugin
 my %json = from-json(request.body);
+ # Check signature
+ if ($!config.has("github.webhook.secret") && request.headers:exists) {
+ my Str $hmac = "sha1=" ~ hmac-hex($!config.get("github.webhook.secret"), request.body, &sha1);
+
+ if ($hmac ne request.headers) {
+ return "";
+ }
+ }
+
+ # Make sure there are channels configured to notify
 my Str $repo-config-key = "github.webhook.repos.{%json.subst("/", "-")}.channels";
 my Str @channels = $!config.get($repo-config-key) || $!config.get("github.webhook.channels", []).unique;

From 2762edafc7f2225444eb32ea4a0e4c7815969bb0 Mon Sep 17 00:00:00 2001
From: Patrick Spek
Date: Thu, 5 Oct 2017 19:38:26 +0200
Subject: [PATCH 2/4] Update readme to document the github.webhook.secret configuration key

---
 readme.adoc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/readme.adoc b/readme.adoc
index 4a0859f..5e1bca8 100644
--- a/readme.adoc
+++ b/readme.adoc
@@ -71,6 +71,11 @@ message-style = "privmsg"
 # repository's configuration key, this array will be used instead.
 channels = ["#scriptkitties"]
+# A secret shared between the bot and the Github webhook. If set, HMAC
+# verification will be employed. Messages failing this verification will be
+# dropped.
+secret = ""
+
 # If set to true, it will notify for every repository that POSTs a payload to
 # the Bailador instance. Note this could be abused to spam through the bot.
 # When false, every repository should be properly defined if you want to see
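Review bot: The new signature check is skipped entirely when the signature header is absent (the `&& request.headers…:exists` half of the condition), so once a secret is configured a sender can bypass verification by simply not sending the header; with `github.webhook.secret` set, a request without a signature should be rejected, not passed through. The comparison `$hmac ne request.headers…` is also an ordinary short-circuiting string compare, so the position of the first mismatching character is observable through timing; a length check followed by a non-short-circuiting XOR fold avoids that. The body is handed to `from-json` before it is authenticated, and moving the check ahead of the parse keeps unauthenticated input out of the JSON decoder. The header key in the lookup appears to have been lost in rendering — GitHub's sha1 signature header is `X-Hub-Signature`, which the rewrite below assumes — and whether the documented default `secret = ""` counts as configured depends on `Config.has`, which is not visible here. The enclosing route handler starts and ends outside the hunk.
```perl6
# … unchanged: route setup …
# Reject unsigned requests whenever a secret is configured, and verify
# before the body is parsed or trusted.
if ($!config.has("github.webhook.secret")) {
    # NOTE(review): the header key was lost in rendering; GitHub's sha1
    # signature header is X-Hub-Signature.
    return "" unless request.headers<X-Hub-Signature>:exists;

    my Str $expected = "sha1=" ~ hmac-hex($!config.get("github.webhook.secret"), request.body, &sha1);
    my Str $given    = request.headers<X-Hub-Signature>;

    # Length check plus a non-short-circuiting XOR fold, so a mismatch
    # position is not observable through timing.
    return "" unless $expected.chars == $given.chars
        && ([+|] ($expected.encode Z+^ $given.encode)) == 0;
}

my %json = from-json(request.body);
# … unchanged: channel lookup …
```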
From fe1b1809fc29b42f6cf8e9387089d19ee327fe72 Mon Sep 17 00:00:00 2001
From: Patrick Spek
Date: Thu, 5 Oct 2017 19:42:32 +0200
Subject: [PATCH 3/4] Include Digest::* dependencies

---
 META6.json | 2 ++
 lib/IRC/Client/Plugin/Github.pm6 | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/META6.json b/META6.json
index 0ad46b5..97f378e 100644
--- a/META6.json
+++ b/META6.json
@@ -8,6 +8,8 @@
 "depends": [
 "Bailador",
 "Config",
+ "Digest::SHA",
+ "Digest::HMAC",
 "IRC::Client"
 ],
 "provides": {
diff --git a/lib/IRC/Client/Plugin/Github.pm6 b/lib/IRC/Client/Plugin/Github.pm6
index a2f93f0..5aad2bb 100644
--- a/lib/IRC/Client/Plugin/Github.pm6
+++ b/lib/IRC/Client/Plugin/Github.pm6
@@ -4,6 +4,8 @@ use v6.c;
 use Bailador;
 use Config;
+use Digest::HMAC;
+use Digest::SHA;
 use IRC::Client;
 use IRC::Client::Plugin::Github::WebhookEvents::IssueComment;
 use IRC::Client::Plugin::Github::WebhookEvents::Issues;

From bf5e65607ccd360e20b3b3a58125c3f002df3849 Mon Sep 17 00:00:00 2001
From: Patrick Spek
Date: Thu, 5 Oct 2017 19:46:30 +0200
Subject: [PATCH 4/4] Sort the dependencies in META6.json

---
 META6.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/META6.json b/META6.json
index 97f378e..a16be25 100644
--- a/META6.json
+++ b/META6.json
@@ -8,8 +8,8 @@
 "depends": [
 "Bailador",
 "Config",
- "Digest::SHA",
 "Digest::HMAC",
+ "Digest::SHA",
 "IRC::Client"
 ],
 "provides": {