From 45c1537f2e28b1494d2e7d37d8b9880ba3c85936 Mon Sep 17 00:00:00 2001
From: justusbunsi
Date: Sun, 15 May 2022 21:08:01 +0200
Subject: [PATCH] Add webhook signature validation for Gitea

Signed-off-by: Steven Kriegler
---
 internal/api/gitea.go | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/internal/api/gitea.go b/internal/api/gitea.go
index c96ffbc..afd8a74 100644
--- a/internal/api/gitea.go
+++ b/internal/api/gitea.go
@@ -9,6 +9,7 @@ import (
 	giteaSdk "gitea-sonarqube-pr-bot/internal/clients/gitea"
 	sqSdk "gitea-sonarqube-pr-bot/internal/clients/sonarqube"
+	"gitea-sonarqube-pr-bot/internal/settings"
 	webhook "gitea-sonarqube-pr-bot/internal/webhooks/gitea"
 )
 
@@ -42,6 +43,14 @@ func (h *GiteaWebhookHandler) HandleSynchronize(rw http.ResponseWriter, r *http.
 		return
 	}
 
+	ok, err := isValidWebhook(raw, settings.Gitea.Webhook.Secret, r.Header.Get("X-Gitea-Signature"), "Gitea")
+	if !ok {
+		log.Print(err.Error())
+		rw.WriteHeader(http.StatusPreconditionFailed)
+		io.WriteString(rw, fmt.Sprint(`{"message": "Webhook validation failed. Request rejected."}`))
+		return
+	}
+
 	w, ok := webhook.NewPullWebhook(raw)
 	if !ok {
 		rw.WriteHeader(http.StatusUnprocessableEntity)
@@ -69,6 +78,14 @@ func (h *GiteaWebhookHandler) HandleComment(rw http.ResponseWriter, r *http.Requ
 		return
 	}
 
+	ok, err := isValidWebhook(raw, settings.Gitea.Webhook.Secret, r.Header.Get("X-Gitea-Signature"), "Gitea")
+	if !ok {
+		log.Print(err.Error())
+		rw.WriteHeader(http.StatusPreconditionFailed)
+		io.WriteString(rw, fmt.Sprint(`{"message": "Webhook validation failed. Request rejected."}`))
+		return
+	}
+
 	w, ok := webhook.NewCommentWebhook(raw)
 	if !ok {
 		rw.WriteHeader(http.StatusUnprocessableEntity)
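Review bot: `log.Print(err.Error())` on the rejection path in HandleSynchronize (and identically in HandleComment) dereferences `err` whenever `ok` is false; isValidWebhook is not part of this patch, so it cannot be confirmed here that a false `ok` always comes with a non-nil error, and `log.Printf("webhook validation rejected: %v", err)` is safe in both cases. The validation block is duplicated verbatim in the two handlers, `fmt.Sprint` wrapping a single string literal is a no-op, and the `io.WriteString` error is dropped; a shared helper as sketched below removes all three (it assumes `raw` is a `[]byte`, which the hunk does not show — confirm against the declaration). 412 Precondition Failed is an unusual status for a failed signature check; 401 or 403 is what clients and log-based detection usually key on, though the existing status may be an intended contract. Both enclosing handlers start before and end after their hunks.
```go
// validateWebhookSignature checks the X-Gitea-Signature header against the
// configured secret and, on failure, writes the rejection response. It
// reports whether the caller may continue processing the request.
func validateWebhookSignature(rw http.ResponseWriter, r *http.Request, raw []byte) bool {
	ok, err := isValidWebhook(raw, settings.Gitea.Webhook.Secret, r.Header.Get("X-Gitea-Signature"), "Gitea")
	if ok {
		return true
	}
	// %v tolerates a nil err; err.Error() would panic if ok and err ever disagree.
	log.Printf("webhook validation rejected: %v", err)
	rw.WriteHeader(http.StatusPreconditionFailed)
	if _, werr := io.WriteString(rw, `{"message": "Webhook validation failed. Request rejected."}`); werr != nil {
		log.Printf("writing rejection response: %v", werr)
	}
	return false
}

// … unchanged: body read and error handling in HandleSynchronize …
	if !validateWebhookSignature(rw, r, raw) {
		return
	}
	w, ok := webhook.NewPullWebhook(raw)
// … unchanged: the same call replaces the duplicated block in HandleComment …
```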