Add webhook signature validation for Gitea

Signed-off-by: Steven Kriegler <sk.bunsenbrenner@gmail.com>
2022-05-15 21:08:01 +02:00 · 2022-05-15 21:08:01 +02:00 · 45c1537f2e
parent e5eaa0a593
commit 45c1537f2e
1 changed files with 17 additions and 0 deletions
--- a/internal/api/gitea.go
+++ b/internal/api/gitea.go
@ -9,6 +9,7 @@ import (

 	giteaSdk "gitea-sonarqube-pr-bot/internal/clients/gitea"
 	sqSdk "gitea-sonarqube-pr-bot/internal/clients/sonarqube"
+	"gitea-sonarqube-pr-bot/internal/settings"
 	webhook "gitea-sonarqube-pr-bot/internal/webhooks/gitea"
 )

@ -42,6 +43,14 @@ func (h *GiteaWebhookHandler) HandleSynchronize(rw http.ResponseWriter, r *http.
 		return
 	}

+	ok, err := isValidWebhook(raw, settings.Gitea.Webhook.Secret, r.Header.Get("X-Gitea-Signature"), "Gitea")
+	if !ok {
+		log.Print(err.Error())
+		rw.WriteHeader(http.StatusPreconditionFailed)
+		io.WriteString(rw, fmt.Sprint(`{"message": "Webhook validation failed. Request rejected."}`))
+		return
+	}
+
 	w, ok := webhook.NewPullWebhook(raw)
 	if !ok {
 		rw.WriteHeader(http.StatusUnprocessableEntity)
@ -69,6 +78,14 @@ func (h *GiteaWebhookHandler) HandleComment(rw http.ResponseWriter, r *http.Requ
 		return
 	}

+	ok, err := isValidWebhook(raw, settings.Gitea.Webhook.Secret, r.Header.Get("X-Gitea-Signature"), "Gitea")
+	if !ok {
+		log.Print(err.Error())
+		rw.WriteHeader(http.StatusPreconditionFailed)
+		io.WriteString(rw, fmt.Sprint(`{"message": "Webhook validation failed. Request rejected."}`))
+		return
+	}
+
 	w, ok := webhook.NewCommentWebhook(raw)
 	if !ok {
 		rw.WriteHeader(http.StatusUnprocessableEntity)