aboutsummaryrefslogtreecommitdiff
path: root/mod/mod-ci-github.cxx
diff options
context:
space:
mode:
Diffstat (limited to 'mod/mod-ci-github.cxx')
-rw-r--r--mod/mod-ci-github.cxx110
1 files changed, 104 insertions, 6 deletions
diff --git a/mod/mod-ci-github.cxx b/mod/mod-ci-github.cxx
index e19a41b..7cdc01d 100644
--- a/mod/mod-ci-github.cxx
+++ b/mod/mod-ci-github.cxx
@@ -7,6 +7,7 @@
#include <libbutl/json/parser.hxx>
#include <mod/jwt.hxx>
+#include <mod/hmac.hxx>
#include <mod/module-options.hxx>
#include <stdexcept>
@@ -64,10 +65,12 @@ namespace brep
HANDLER_DIAG;
- // @@ TODO: disable service if HMAC is not specified in config.
- //
- if (false)
+ if (!options_->ci_github_app_webhook_secret_specified ())
+ {
+ error << "webhook secret not configured";
+
throw invalid_request (404, "CI request submission disabled");
+ }
// Process headers.
//
@@ -80,15 +83,26 @@ namespace brep
// we already do for the most part), and "webhook event" only when
// more context would be useful?
//
- string event; // Webhook event.
+ string event; // Webhook event.
+ string r_hmac; // Received HMAC.
{
bool content_type (false);
for (const name_value& h: rq.headers ())
{
+ // HMAC authenticating this request. Note that it won't be present
+ // unless a webhook secret has been set in the GitHub app's settings.
+ //
+ if (icasecmp (h.name, "x-hub-signature-256") == 0)
+ {
+ if (!h.value)
+ throw invalid_request (400, "missing x-hub-signature-256 value");
+
+ r_hmac = *h.value;
+ }
// This event's UUID.
//
- if (icasecmp (h.name, "x-github-delivery") == 0)
+ else if (icasecmp (h.name, "x-github-delivery") == 0)
{
// @@ TODO Check that delivery UUID has not been received before
// (replay attack).
@@ -118,6 +132,21 @@ namespace brep
}
}
+ // Parse the x-hub-signature-256 header value. For example:
+ //
+ // sha256=5e822587094c68e646db8b916da1db2056d92f1dea4252136a533b4147a30cb7
+ //
+ // Check for the presence of the "sha256=" prefix and then strip it to
+ // leave only the HMAC.
+ //
+ if (r_hmac.find ("sha256=", 0, 7) == string::npos)
+ {
+ throw invalid_request (400,
+ "invalid x-hub-signature-256 value: '" +
+ r_hmac + '\'');
+ }
+ r_hmac = r_hmac.substr (7);
+
if (!content_type)
throw invalid_request (400, "missing content-type header");
@@ -125,6 +154,75 @@ namespace brep
throw invalid_request (400, "missing x-github-event header");
}
+ // Read the entire request body into a buffer because we need to compute
+ // an HMAC over it and then parse it as JSON. The alternative of reading
+ // from the stream twice works out to be more complicated and expensive.
+ //
+ // @@ TMP Although it is possible (with a bit of work) to rewind the
+ // request's input stream, in that case we'd have to read from it
+ // twice (once for the HMAC and once for the JSON parsing) instead
+ // of just this once, temp buffer(s) would be necessary, and we'd
+ // still be storing the entire request body in memory anyway (just
+ // not here).
+ //
+ vector<char> body;
+ {
+ // Note: buffer=0 disables caching.
+ //
+ istream& is (rq.content (64 * 1024, 0 /* buffer */));
+
+ // Note that istream::read() sets failbit if unable to read the
+ // requested number of bytes.
+ //
+ is.exceptions (istream::badbit);
+
+ try
+ {
+ size_t n (0); // Total bytes read.
+
+ while (!eof (is))
+ {
+ body.resize (n + 8192);
+ is.read (body.data () + n, 8192);
+ n += is.gcount ();
+ }
+
+ body.resize (n);
+ }
+ catch (const io_error& e)
+ {
+ fail << "unable to read request body: " << e;
+ }
+ }
+
+ // Verify the received HMAC.
+ //
+ // Compute the HMAC over the request body using the configured webhook
+ // secret as key and compare it to the received HMAC.
+ //
+ try
+ {
+ string hmac (
+ compute_hmac (*options_,
+ body,
+ options_->ci_github_app_webhook_secret ().c_str ()));
+
+ // @@ TODO GitHub recommends constant-time comparison (timing attack).
+ //
+ if (!icasecmp (hmac, r_hmac))
+ {
+ string m ("computed HMAC does not match received HMAC");
+
+ error << m;
+
+ throw invalid_request (400, move (m));
+ }
+ }
+ catch (const system_error& e)
+ {
+ fail << "unable to compute request HMAC: " << e;
+ }
+
// There is a webhook event (specified in the x-github-event header) and
// each event contains a bunch of actions (specified in the JSON request
// body).
@@ -140,7 +238,7 @@ namespace brep
check_suite_event cs;
try
{
- json::parser p (rq.content (64 * 1024), "check_suite event");
+ json::parser p (body.data (), body.size (), "check_suite event");
cs = check_suite_event (p);
}