Merge pull request #6162 from appwrite/fix-webhook-secret-validation
Fix webhook secret validation and executor path validation
This commit is contained in:
commit
12b03f3fb0
2 changed files with 5 additions and 5 deletions
@ -1496,7 +1496,7 @@ App::post('/v1/functions/:functionId/executions')
|
||||||
->param('functionId', '', new UID(), 'Function ID.')
|
->param('functionId', '', new UID(), 'Function ID.')
|
||||||
->param('body', '', new Text(8192, 0), 'HTTP body of execution. Default value is empty string.', true)
|
->param('body', '', new Text(8192, 0), 'HTTP body of execution. Default value is empty string.', true)
|
||||||
->param('async', false, new Boolean(), 'Execute code in the background. Default value is false.', true)
|
->param('async', false, new Boolean(), 'Execute code in the background. Default value is false.', true)
|
||||||
->param('path', '/', new Text(2048, 0), 'HTTP path of execution. Path can include query params. Default value is /', true)
|
->param('path', '/', new Text(2048), 'HTTP path of execution. Path can include query params. Default value is /', true)
|
||||||
->param('method', 'POST', new Whitelist(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'], true), 'HTTP method of execution. Default value is GET.', true)
|
->param('method', 'POST', new Whitelist(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'], true), 'HTTP method of execution. Default value is GET.', true)
|
||||||
->param('headers', [], new Assoc(), 'HTTP headers of execution. Defaults to empty.', true)
|
->param('headers', [], new Assoc(), 'HTTP headers of execution. Defaults to empty.', true)
|
||||||
->inject('response')
|
->inject('response')
|
||||||
|
|
|
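Review bot: The description string for the `method` parameter still reads `Default value is GET.` while the declared default is `'POST'`, so the generated API reference will state the wrong default; change it to `'HTTP method of execution. Default value is POST.'`. The `path` line on the new side appears to drop the explicit minimum-length argument to `Text`, so whether an empty path is now rejected depends on that validator's default minimum, which this page does not show and is worth confirming. The `App::post` route definition continues outside the hunk.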
@ -789,14 +789,14 @@ App::post('/v1/vcs/github/events')
|
||||||
->inject('getProjectDB')
|
->inject('getProjectDB')
|
||||||
->action(
|
->action(
|
||||||
function (GitHub $github, Request $request, Response $response, Database $dbForConsole, callable $getProjectDB) use ($createGitDeployments) {
|
function (GitHub $github, Request $request, Response $response, Database $dbForConsole, callable $getProjectDB) use ($createGitDeployments) {
|
||||||
$signature = $request->getHeader('x-hub-signature-256', '');
|
|
||||||
$payload = $request->getRawPayload();
|
$payload = $request->getRawPayload();
|
||||||
|
$signatureRemote = $request->getHeader('x-hub-signature-256', '');
|
||||||
|
$signatureLocal = App::getEnv('_APP_VCS_GITHUB_WEBHOOK_SECRET', '');
|
||||||
|
|
||||||
$signatureKey = App::getEnv('_APP_VCS_GITHUB_WEBHOOK_SECRET', '');
|
$valid = empty($signatureRemote) ? true : $github->validateWebhookEvent($payload, $signatureRemote, $signatureLocal);
|
||||||
|
|
||||||
$valid = $github->validateWebhookEvent($payload, $signature, $signatureKey);
|
|
||||||
if (!$valid) {
|
if (!$valid) {
|
||||||
throw new Exception(Exception::GENERAL_ACCESS_FORBIDDEN, "Invalid webhook signature.");
|
throw new Exception(Exception::GENERAL_ACCESS_FORBIDDEN, "Invalid webhook payload signature. Please make sure the webhook secret has same value in your GitHub app and in the _APP_VCS_GITHUB_WEBHOOK_SECRET environment variable");
|
||||||
}
|
}
|
||||||
|
|
||||||
$event = $request->getHeader('x-github-event', '');
|
$event = $request->getHeader('x-github-event', '');
|
||||||
|
|
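Review bot: The `$valid = empty($signatureRemote) ? true : …` line makes signature verification depend on a header the sender controls, so a delivery that omits `x-hub-signature-256` is accepted without being checked against `_APP_VCS_GITHUB_WEBHOOK_SECRET` even when that secret is configured (the `+`/`-` markers are lost on this page, so I am reading the `$signatureRemote`/`$signatureLocal` lines as the new side). If the intent is to tolerate unsigned deliveries only while no secret is set, key the bypass on the operator-controlled value instead, e.g. `$valid = $signatureLocal === '' || $github->validateWebhookEvent($payload, $signatureRemote, $signatureLocal);`, which still rejects a configured deployment's unsigned requests. A short comment such as `// Verification is skipped only when no webhook secret is configured` next to that line would record the decision. The action closure continues outside the hunk.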