Add vcs webhook verification

2024-09-28 15:31:43 +12:00 · 2023-06-15 12:37:28 +02:00 · 2023-06-15 12:37:28 +02:00 · 7d79e4146f
commit 7d79e4146f
parent 3cc3fb316c
4 changed files with 16 additions and 5 deletions
--- a/.env
+++ b/.env
@ -83,4 +83,5 @@ _APP_CONSOLE_GITHUB_SECRET=
 _APP_CONSOLE_GITHUB_APP_ID=
 VCS_GITHUB_APP_NAME=
 VCS_GITHUB_PRIVATE_KEY=
-VCS_GITHUB_APP_ID=
+VCS_GITHUB_APP_ID=
+VCS_GITHUB_WEBHOOK_SECRET=
--- a/app/controllers/api/vcs.php
+++ b/app/controllers/api/vcs.php
@ -401,8 +401,17 @@ App::post('/v1/vcs/github/incomingwebhook')
    ->inject('getProjectDB')
    ->action(
        function (GitHub $github, Request $request, Response $response, Database $dbForConsole, callable $getProjectDB) use ($createGitDeployments) {
-            $event = $request->getHeader('x-github-event', '');
+            $signature = $request->getHeader('x-hub-signature-256', '');
            $payload = $request->getRawPayload();
+
+            $signatureKey = App::getEnv('VCS_GITHUB_WEBHOOK_SECRET', '');
+            
+            $valid = $github->validateWebhook($payload, $signature, $signatureKey);
+            if(!$valid) {
+                throw new Exception(Exception::GENERAL_ACCESS_FORBIDDEN, "Invalid webhook signature.");
+            }
+
+            $event = $request->getHeader('x-github-event', '');
            $privateKey = App::getEnv('VCS_GITHUB_PRIVATE_KEY');
            $githubAppId = App::getEnv('VCS_GITHUB_APP_ID');
            $parsedPayload = $github->parseWebhookEventPayload($event, $payload);
@ -716,4 +725,4 @@ App::get('/v1/vcs/github/installations/:installationId/repositories/:repositoryI
        $detection['runtime'] = $runtime;

        $response->dynamic(new Document($detection), Response::MODEL_DETECTION);
-    });
+    });
--- a/composer.lock
+++ b/composer.lock
@ -2705,7 +2705,7 @@
            "source": {
                "type": "git",
                "url": "https://github.com/utopia-php/vcs.git",
-                "reference": "46f4de30652a057a0c19a6975276a6be8e12606f"
+                "reference": "01afc324865613f7b34ca9981745bfaaec8ec363"
            },
            "require": {
                "adhocore/jwt": "^1.1",
@ -2750,7 +2750,7 @@
                "utopia",
                "vcs"
            ],
-            "time": "2023-06-12T12:48:43+00:00"
+            "time": "2023-06-15T10:13:29+00:00"
        },
        {
            "name": "utopia-php/websocket",
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -180,6 +180,7 @@ services:
      - VCS_GITHUB_APP_NAME
      - VCS_GITHUB_PRIVATE_KEY
      - VCS_GITHUB_APP_ID
+      - VCS_GITHUB_WEBHOOK_SECRET

  appwrite-realtime:
    entrypoint: realtime