
Merge pull request #6162 from appwrite/fix-webhook-secret-validation

Fix webhook secret validation and executor path validation
Christy Jacob 2023-09-06 13:59:13 -04:00 committed by GitHub
commit 12b03f3fb0
2 changed files with 5 additions and 5 deletions


@ -1496,7 +1496,7 @@ App::post('/v1/functions/:functionId/executions')
->param('functionId', '', new UID(), 'Function ID.')
->param('body', '', new Text(8192, 0), 'HTTP body of execution. Default value is empty string.', true)
->param('async', false, new Boolean(), 'Execute code in the background. Default value is false.', true)
->param('path', '/', new Text(2048, 0), 'HTTP path of execution. Path can include query params. Default value is /', true)
->param('path', '/', new Text(2048), 'HTTP path of execution. Path can include query params. Default value is /', true)
->param('method', 'POST', new Whitelist(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'], true), 'HTTP method of execution. Default value is GET.', true)
->param('headers', [], new Assoc(), 'HTTP headers of execution. Defaults to empty.', true)
->inject('response')
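Review bot: The replacement `path` line still constrains only length, so a value that does not begin with `/` — which the description implies — is accepted; if `Text`'s default minimum length is 1 (not visible here), the change rejects only the empty string. Since this value is presumably handed to the executor, either document the real contract, e.g. `'HTTP path of execution. Must be a non-empty path and may include query params. Default value is /'`, or use a validator that enforces the leading slash. Separately, the `method` line's description says `Default value is GET.` while the declared default is `'POST'`; one of the two should change.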


@ -789,14 +789,14 @@ App::post('/v1/vcs/github/events')
->inject('getProjectDB')
->action(
function (GitHub $github, Request $request, Response $response, Database $dbForConsole, callable $getProjectDB) use ($createGitDeployments) {
$signature = $request->getHeader('x-hub-signature-256', '');
$payload = $request->getRawPayload();
$signatureRemote = $request->getHeader('x-hub-signature-256', '');
$signatureLocal = App::getEnv('_APP_VCS_GITHUB_WEBHOOK_SECRET', '');
$signatureKey = App::getEnv('_APP_VCS_GITHUB_WEBHOOK_SECRET', '');
$valid = empty($signatureRemote) ? true : $github->validateWebhookEvent($payload, $signatureRemote, $signatureLocal);
$valid = $github->validateWebhookEvent($payload, $signature, $signatureKey);
if (!$valid) {
throw new Exception(Exception::GENERAL_ACCESS_FORBIDDEN, "Invalid webhook signature.");
throw new Exception(Exception::GENERAL_ACCESS_FORBIDDEN, "Invalid webhook payload signature. Please make sure the webhook secret has same value in your GitHub app and in the _APP_VCS_GITHUB_WEBHOOK_SECRET environment variable");
}
$event = $request->getHeader('x-github-event', '');