From 1b21180bf18fdc606c90c8b18cf04e9eb5a123d8 Mon Sep 17 00:00:00 2001
From: Patrick Spek
Date: Thu, 5 Oct 2017 19:34:58 +0200
Subject: [PATCH 1/4] Check the hmac signature if possible
---
lib/IRC/Client/Plugin/Github.pm6 | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/lib/IRC/Client/Plugin/Github.pm6 b/lib/IRC/Client/Plugin/Github.pm6
index 55e5afa..a2f93f0 100644
--- a/lib/IRC/Client/Plugin/Github.pm6
+++ b/lib/IRC/Client/Plugin/Github.pm6
@@ -33,6 +33,15 @@ class IRC::Client::Plugin::Github does IRC::Client::Plugin
my %json = from-json(request.body);
+ # Check signature
+ if ($!config.has("github.webhook.secret") && request.headers:exists) {
+ my Str $hmac = "sha1=" ~ hmac-hex($!config.get("github.webhook.secret"), request.body, &sha1);
+
+ if ($hmac ne request.headers) {
+ return "";
+ }
+ }
+
# Make sure there are channels configured to notify
my Str $repo-config-key = "github.webhook.repos.{%json.subst("/", "-")}.channels";
my Str @channels = $!config.get($repo-config-key) || $!config.get("github.webhook.channels", []).unique;
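Review bot: The new check fails open, because the outer condition requires both a configured secret and a present signature header, so a request that omits the header skips verification and is processed as before. That contradicts the readme text added in 2/4 ("Messages failing this verification will be dropped"). Gate on the secret alone, `if ($!config.has("github.webhook.secret")) {`, and return early inside the block when the header is absent as well as when it differs. Two smaller points: `from-json(request.body)` on the context line above runs before the signature is checked, so unauthenticated bodies are still parsed, and `ne` is not a constant-time comparison. The header key after `request.headers` appears to have been lost in this rendering, and the enclosing method starts and ends outside the hunk.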
From 2762edafc7f2225444eb32ea4a0e4c7815969bb0 Mon Sep 17 00:00:00 2001
From: Patrick Spek
Date: Thu, 5 Oct 2017 19:38:26 +0200
Subject: [PATCH 2/4] Update readme to document the github.webhook.secret
configuration key
---
readme.adoc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/readme.adoc b/readme.adoc
index 4a0859f..5e1bca8 100644
--- a/readme.adoc
+++ b/readme.adoc
@@ -71,6 +71,11 @@ message-style = "privmsg"
# repository's configuration key, this array will be used instead.
channels = ["#scriptkitties"]
+# A secret shared between the bot and the Github webhook. If set, HMAC
+# verification will be employed. Messages failing this verification will be
+# dropped.
+secret = ""
+
# If set to true, it will notify for every repository that POSTs a payload to
# the Bailador instance. Note this could be abused to spam through the bot.
# When false, every repository should be properly defined if you want to see
From fe1b1809fc29b42f6cf8e9387089d19ee327fe72 Mon Sep 17 00:00:00 2001
From: Patrick Spek
Date: Thu, 5 Oct 2017 19:42:32 +0200
Subject: [PATCH 3/4] Include Digest::* dependencies
---
META6.json | 2 ++
lib/IRC/Client/Plugin/Github.pm6 | 2 ++
2 files changed, 4 insertions(+)
diff --git a/META6.json b/META6.json
index 0ad46b5..97f378e 100644
--- a/META6.json
+++ b/META6.json
@@ -8,6 +8,8 @@
"depends": [
"Bailador",
"Config",
+ "Digest::SHA",
+ "Digest::HMAC",
"IRC::Client"
],
"provides": {
diff --git a/lib/IRC/Client/Plugin/Github.pm6 b/lib/IRC/Client/Plugin/Github.pm6
index a2f93f0..5aad2bb 100644
--- a/lib/IRC/Client/Plugin/Github.pm6
+++ b/lib/IRC/Client/Plugin/Github.pm6
@@ -4,6 +4,8 @@ use v6.c;
use Bailador;
use Config;
+use Digest::HMAC;
+use Digest::SHA;
use IRC::Client;
use IRC::Client::Plugin::Github::WebhookEvents::IssueComment;
use IRC::Client::Plugin::Github::WebhookEvents::Issues;
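Review bot: These two `use` lines arrive two patches after the code that needs them: 1/4 already calls `hmac-hex` and `&sha1`, and no Digest import is visible among the existing `use` lines in this hunk's context. If nothing else in the file brings those names into scope, the tree at 1/4 and 2/4 presumably does not compile, which breaks bisecting across the series. Squashing this hunk and the META6.json `depends` entries into 1/4 would keep every commit loadable.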
From bf5e65607ccd360e20b3b3a58125c3f002df3849 Mon Sep 17 00:00:00 2001
From: Patrick Spek
Date: Thu, 5 Oct 2017 19:46:30 +0200
Subject: [PATCH 4/4] Sort the dependencies in META6.json
---
META6.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/META6.json b/META6.json
index 97f378e..a16be25 100644
--- a/META6.json
+++ b/META6.json
@@ -8,8 +8,8 @@
"depends": [
"Bailador",
"Config",
- "Digest::SHA",
"Digest::HMAC",
+ "Digest::SHA",
"IRC::Client"
],
"provides": {