1+ import hashlib
2+ import hmac
13import json
24import sys
35
1113import waitress
1214
1315
14- def create_app (config ):
16+ def create_app (config , webhook_secret = None ):
1517 app = flask .Flask (__name__ )
1618
1719 # The canonical URL is /webhook, but other URLs are accepted for backward
@@ -20,6 +22,20 @@ def create_app(config):
2022 @app .route ("/newpr.py" , methods = ['POST' ])
2123 @app .route ("/highfive/newpr.py" , methods = ['POST' ])
2224 def new_pr ():
25+ raw_data = flask .request .get_data ()
26+
27+ # Check the signature only if the secret is configured
28+ if 'payload' in flask .request .form and webhook_secret is not None :
29+ expected = hmac .new (str (webhook_secret ), digestmod = hashlib .sha1 )
30+ expected .update (raw_data )
31+ expected = expected .hexdigest ()
32+ try :
33+ signature = str (flask .request .headers ['X-Hub-Signature' ])
34+ except KeyError :
35+ return 'Error: missing signature\n ' , 400
36+ if not hmac .compare_digest ('sha1=' + expected , signature ):
37+ return 'Error: invalid signature\n ' , 403
38+
2339 try :
2440 payload = json .loads (flask .request .form ['payload' ])
2541 except (KeyError , ValueError ), _ :
@@ -40,15 +56,16 @@ def index():
4056@click .command ()
4157@click .option ('--port' , default = 8000 )
4258@click .option ('--github-token' , required = True )
43- def cli (port , github_token ):
59+ @click .option ("--webhook-secret" )
60+ def cli (port , github_token , webhook_secret ):
4461 try :
4562 config = Config (github_token )
4663 except InvalidTokenException :
4764 print 'error: invalid github token provided!'
4865 sys .exit (1 )
4966 print 'Found a valid GitHub token for user @' + config .github_username
5067
51- app = create_app (config )
68+ app = create_app (config , webhook_secret )
5269 waitress .serve (app , port = port )
5370
5471
0 commit comments