From 97f1779af915910f3f2826817d8a5e944421d886 Mon Sep 17 00:00:00 2001 From: Raphael Borg Ellul Vincenti Date: Sat, 12 Oct 2019 01:51:25 +0200 Subject: [PATCH 1/7] Add support for X-Hub-Signature headers in webhooks --- models/webhook.go | 33 ++++++++++++++++++++++++++------- 1 file changed, 26 insertions(+), 7 deletions(-) diff --git a/models/webhook.go b/models/webhook.go index f657c187928c6..1541eda451607 100644 --- a/models/webhook.go +++ b/models/webhook.go @@ -7,6 +7,7 @@ package models import ( "crypto/hmac" + "crypto/sha1" "crypto/sha256" "crypto/tls" "encoding/hex" @@ -110,7 +111,8 @@ type Webhook struct { RepoID int64 `xorm:"INDEX"` OrgID int64 `xorm:"INDEX"` URL string `xorm:"url TEXT"` - Signature string `xorm:"TEXT"` + SignatureSha1 string `xorm:"TEXT"` + SignatureSha256 string `xorm:"TEXT"` HTTPMethod string `xorm:"http_method"` ContentType HookContentType Secret string `xorm:"TEXT"` @@ -572,7 +574,8 @@ type HookTask struct { UUID string Type HookTaskType URL string `xorm:"TEXT"` - Signature string `xorm:"TEXT"` + SignatureSha1 string `xorm:"TEXT"` + SignatureSha256 string `xorm:"TEXT"` api.Payloader `xorm:"-"` PayloadContent string `xorm:"TEXT"` HTTPMethod string `xorm:"http_method"` @@ -740,7 +743,21 @@ func prepareWebhook(e Engine, w *Webhook, repo *Repository, event HookEventType, payloader = p } - var signature string + var signatureSha1 string + if len(w.Secret) > 0 { + data, err := payloader.JSONPayload() + if err != nil { + log.Error("prepareWebhooks.JSONPayload: %v", err) + } + sig := hmac.New(sha1.New, []byte(w.Secret)) + _, err = sig.Write(data) + if err != nil { + log.Error("prepareWebhooks.sigWrite: %v", err) + } + signatureSha1 = hex.EncodeToString(sig.Sum(nil)) + } + + var signatureSha256 string if len(w.Secret) > 0 { data, err := payloader.JSONPayload() if err != nil { 
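Review bot: In the `Webhook` struct hunk, `SignatureSha1` and `SignatureSha256` become persisted columns, yet nothing visible in this patch reads or writes them on `Webhook`: `prepareWebhook` derives both digests per delivery from `w.Secret` and stores them on `HookTask`. A digest belongs to one payload, so if these fields are indeed unused (the rest of the file is outside the hunk) they are better dropped from `Webhook` than renamed, which would also remove the need for the column migration. Where the fields stay, as on `HookTask` in the next hunk, a comment such as `// hex-encoded HMAC-SHA1 of the JSON payload, keyed with Secret; sent as X-Hub-Signature` would say what they hold.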
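Review bot: In the added SHA-1 block of `prepareWebhook`, a failing `payloader.JSONPayload()` is only logged, so the code goes on to compute the HMAC over nil data and queues the task with a digest that cannot match the delivered body. The block also serialises the payload a second time although the block that follows (it continues past this hunk and is presumably the SHA-256 one) does the same; serialising once and feeding both MACs guarantees the two headers cover identical bytes. `prepareWebhook` returns an error further down, so the failure can be returned instead of logged, and `hash.Hash.Write` is documented never to return an error, so that check can go. The function starts and ends outside the hunk; the fence below replaces both signature blocks.

```go
var signatureSha1, signatureSha256 string
if len(w.Secret) > 0 {
	// Serialise once so both digests cover exactly the same bytes.
	data, err := payloader.JSONPayload()
	if err != nil {
		return fmt.Errorf("prepareWebhook.JSONPayload: %v", err)
	}
	key := []byte(w.Secret)

	mac := hmac.New(sha1.New, key)
	mac.Write(data) // hash.Hash.Write never returns an error
	signatureSha1 = hex.EncodeToString(mac.Sum(nil))

	mac = hmac.New(sha256.New, key)
	mac.Write(data)
	signatureSha256 = hex.EncodeToString(mac.Sum(nil))
}
// … unchanged: createHookTask call …
```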
@@ -751,7 +768,7 @@ func prepareWebhook(e Engine, w *Webhook, repo *Repository, event HookEventType, if err != nil { log.Error("prepareWebhooks.sigWrite: %v", err) } - signature = hex.EncodeToString(sig.Sum(nil)) + signatureSha256 = hex.EncodeToString(sig.Sum(nil)) } if err = createHookTask(e, &HookTask{ @@ -759,7 +776,8 @@ func prepareWebhook(e Engine, w *Webhook, repo *Repository, event HookEventType, HookID: w.ID, Type: w.HookTaskType, URL: w.URL, - Signature: signature, + SignatureSha1: signatureSha1, + SignatureSha256: signatureSha256, Payloader: payloader, HTTPMethod: w.HTTPMethod, ContentType: w.ContentType, @@ -852,10 +870,11 @@ func (t *HookTask) deliver() error { req.Header.Add("X-Gitea-Delivery", t.UUID) req.Header.Add("X-Gitea-Event", string(t.EventType)) - req.Header.Add("X-Gitea-Signature", t.Signature) + req.Header.Add("X-Gitea-Signature", t.SignatureSha256) req.Header.Add("X-Gogs-Delivery", t.UUID) req.Header.Add("X-Gogs-Event", string(t.EventType)) - req.Header.Add("X-Gogs-Signature", t.Signature) + req.Header.Add("X-Gogs-Signature", t.SignatureSha256) + req.Header.Add("X-Hub-Signature", fmt.Sprintf("sha1=%v", t.SignatureSha1)) req.Header["X-GitHub-Delivery"] = []string{t.UUID} req.Header["X-GitHub-Event"] = []string{string(t.EventType)} From 3ebf01f001b214eb803bc3414ca77386faaf48ad Mon Sep 17 00:00:00 2001 From: Raphael Borg Ellul Vincenti Date: Sat, 12 Oct 2019 02:04:12 +0200 Subject: [PATCH 2/7] Formatting fixes --- models/webhook.go | 56 +++++++++++++++++++++++------------------------ 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/models/webhook.go b/models/webhook.go index 1541eda451607..77bd8c22b6c54 100644 --- a/models/webhook.go +++ b/models/webhook.go 
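Review bot: The new `X-Hub-Signature` header in `deliver()` is added unconditionally, so a hook without a secret sends the literal value `sha1=` with an empty digest; `prepareWebhook` only fills `SignatureSha1` when `w.Secret` is non-empty. Receivers that key signature verification on the header's presence will treat such deliveries as signed but invalid, and the same applies to any queued task created before this change (presumably left with an empty column). Emitting the header only when a digest exists avoids that: `if t.SignatureSha1 != "" { req.Header.Add("X-Hub-Signature", "sha1="+t.SignatureSha1) }`. Since HMAC-SHA1 appears to be kept here only for compatibility, a short comment saying so and pointing receivers at the SHA-256 header would help. `deliver()` begins and ends outside this hunk.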
@@ -107,22 +107,22 @@ const ( // Webhook represents a web hook object. type Webhook struct { - ID int64 `xorm:"pk autoincr"` - RepoID int64 `xorm:"INDEX"` - OrgID int64 `xorm:"INDEX"` - URL string `xorm:"url TEXT"` - SignatureSha1 string `xorm:"TEXT"` - SignatureSha256 string `xorm:"TEXT"` - HTTPMethod string `xorm:"http_method"` - ContentType HookContentType - Secret string `xorm:"TEXT"` - Events string `xorm:"TEXT"` - *HookEvent `xorm:"-"` - IsSSL bool `xorm:"is_ssl"` - IsActive bool `xorm:"INDEX"` - HookTaskType HookTaskType - Meta string `xorm:"TEXT"` // store hook-specific attributes - LastStatus HookStatus // Last delivery status + ID int64 `xorm:"pk autoincr"` + RepoID int64 `xorm:"INDEX"` + OrgID int64 `xorm:"INDEX"` + URL string `xorm:"url TEXT"` + SignatureSha1 string `xorm:"TEXT"` + SignatureSha256 string `xorm:"TEXT"` + HTTPMethod string `xorm:"http_method"` + ContentType HookContentType + Secret string `xorm:"TEXT"` + Events string `xorm:"TEXT"` + *HookEvent `xorm:"-"` + IsSSL bool `xorm:"is_ssl"` + IsActive bool `xorm:"INDEX"` + HookTaskType HookTaskType + Meta string `xorm:"TEXT"` // store hook-specific attributes + LastStatus HookStatus // Last delivery status CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"` UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"` @@ -574,8 +574,8 @@ type HookTask struct { UUID string Type HookTaskType URL string `xorm:"TEXT"` - SignatureSha1 string `xorm:"TEXT"` - SignatureSha256 string `xorm:"TEXT"` + SignatureSha1 string `xorm:"TEXT"` + SignatureSha256 string `xorm:"TEXT"` api.Payloader `xorm:"-"` PayloadContent string `xorm:"TEXT"` HTTPMethod string `xorm:"http_method"` 
@@ -772,17 +772,17 @@ func prepareWebhook(e Engine, w *Webhook, repo *Repository, event HookEventType, } if err = createHookTask(e, &HookTask{ - RepoID: repo.ID, - HookID: w.ID, - Type: w.HookTaskType, - URL: w.URL, + RepoID: repo.ID, + HookID: w.ID, + Type: w.HookTaskType, + URL: w.URL, SignatureSha1: signatureSha1, - SignatureSha256: signatureSha256, - Payloader: payloader, - HTTPMethod: w.HTTPMethod, - ContentType: w.ContentType, - EventType: event, - IsSSL: w.IsSSL, + SignatureSha256: signatureSha256, + Payloader: payloader, + HTTPMethod: w.HTTPMethod, + ContentType: w.ContentType, + EventType: event, + IsSSL: w.IsSSL, }); err != nil { return fmt.Errorf("CreateHookTask: %v", err) } From ee4bc108ae440367e40f4c45355680b1ba448c89 Mon Sep 17 00:00:00 2001 From: Raphael Borg Ellul Vincenti Date: Sat, 12 Oct 2019 02:45:30 +0200 Subject: [PATCH 3/7] Added DB migration scripts --- models/migrations/v99.go | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 models/migrations/v99.go diff --git a/models/migrations/v99.go b/models/migrations/v99.go new file mode 100644 index 0000000000000..82bea06d1e2b0 --- /dev/null +++ b/models/migrations/v99.go 
@@ -0,0 +1,30 @@ +// Copyright 2019 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package migrations + +import ( + "fmt" + + "github.com/go-xorm/xorm" +) + +func specifyWebhookSignatureType(x *xorm.Engine) error { + var err error + + switch x.Dialect().DriverName() { + case "mysql": + _, err = x.Exec("ALTER TABLE `webhook` CHANGE COLUMN `signature` TO `signature_sha1`") + case "postgres": + _, err = x.Exec("ALTER TABLE `webhook` RENAME COLUMN `signature` TO `signature_sha1`") + case "mssql": + _, err = x.Exec("sp_rename 'webhook.signature', 'signature_sha1', 'COLUMN'") + } + + if err != nil { + return fmt.Errorf("Error renaming webhook signature column to signature_sha1: %v", err) + } + + return nil +} From 4309549f5af1018f64d802e4c6e5aaa13e3d4add Mon Sep 17 00:00:00 2001 From: Raphael Borg Ellul Vincenti Date: Sat, 12 Oct 2019 02:49:37 +0200 Subject: [PATCH 4/7] Add v99.go to migrations.go --- models/migrations/migrations.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go index 1f5b918de854e..ffcccb014fd88 100644 --- a/models/migrations/migrations.go +++ b/models/migrations/migrations.go @@ -252,6 +252,8 @@ var migrations = []Migration{ NewMigration("add repo_admin_change_team_access to user", addRepoAdminChangeTeamAccessColumnForUser), // v98 -> v99 NewMigration("add original author name and id on migrated release", addOriginalAuthorOnMigratedReleases), + // v99 -> v100 + NewMigration("rename signature column to support sha1 and sha256 webhook signatures", specifyWebhookSignatureType), } // Migrate database to current version From f8bb7f447368508c44709768cb1beb15b3115b8e Mon Sep 17 00:00:00 2001 
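Review bot: The `switch` in `specifyWebhookSignatureType` has no `default` branch, so on any driver other than the three listed (SQLite, for instance) `err` stays nil and the migration is recorded as applied without the column having been renamed. It also touches only `webhook`, while patch 1/7 renamed `Signature` on `HookTask` as well, and it relabels existing values as SHA-1 even though `X-Gitea-Signature`, which used to send `t.Signature`, now sends `SignatureSha256` — which suggests the stored digests were SHA-256. At minimum fail loudly for unhandled drivers, e.g. `default: return fmt.Errorf("webhook signature rename: unsupported driver %q", x.Dialect().DriverName())`, or add an explicit branch for each supported database. The quoting fix in patch 5/7 leaves all of this unchanged.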
From: Raphael Borg Ellul Vincenti Date: Sat, 12 Oct 2019 03:21:56 +0200 Subject: [PATCH 5/7] Fix quotation for DB scripts --- models/migrations/v99.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/models/migrations/v99.go b/models/migrations/v99.go index 82bea06d1e2b0..06b513c5ded20 100644 --- a/models/migrations/v99.go +++ b/models/migrations/v99.go @@ -15,11 +15,11 @@ func specifyWebhookSignatureType(x *xorm.Engine) error { switch x.Dialect().DriverName() { case "mysql": - _, err = x.Exec("ALTER TABLE `webhook` CHANGE COLUMN `signature` TO `signature_sha1`") + _, err = x.Exec("ALTER TABLE webhook CHANGE COLUMN signature signature_sha1 text") case "postgres": - _, err = x.Exec("ALTER TABLE `webhook` RENAME COLUMN `signature` TO `signature_sha1`") + _, err = x.Exec("ALTER TABLE webhook RENAME COLUMN signature TO signature_sha1") case "mssql": - _, err = x.Exec("sp_rename 'webhook.signature', 'signature_sha1', 'COLUMN'") + _, err = x.Exec("sp_rename @objname = 'webhook.signature', @newname = 'signature_sha1', @objtype = 'COLUMN'") } if err != nil { From d0dc83bfb0f4feae253960da269a3e82dbb74457 Mon Sep 17 00:00:00 2001 From: Raphael Borg Ellul Vincenti Date: Sat, 12 Oct 2019 12:55:56 +0200 Subject: [PATCH 6/7] Update models/webhook.go Co-Authored-By: Lauris BH --- models/webhook.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/models/webhook.go b/models/webhook.go index 77bd8c22b6c54..f0e12e8e536a7 100644 --- a/models/webhook.go +++ b/models/webhook.go @@ -574,7 +574,7 @@ type HookTask struct { UUID string Type HookTaskType URL string `xorm:"TEXT"` - SignatureSha1 string `xorm:"TEXT"` + Signature string `xorm:"TEXT"` SignatureSha256 string `xorm:"TEXT"` api.Payloader `xorm:"-"` PayloadContent string `xorm:"TEXT"` From 5034858b8aa1aafcfa1445881a371c4bd5673779 Mon Sep 17 00:00:00 2001 
From: Raphael Borg Ellul Vincenti Date: Sat, 12 Oct 2019 12:56:19 +0200 Subject: [PATCH 7/7] Update models/webhook.go Co-Authored-By: Lauris BH --- models/webhook.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/models/webhook.go b/models/webhook.go index f0e12e8e536a7..df35534a0991a 100644 --- a/models/webhook.go +++ b/models/webhook.go @@ -575,7 +575,7 @@ type HookTask struct { Type HookTaskType URL string `xorm:"TEXT"` Signature string `xorm:"TEXT"` - SignatureSha256 string `xorm:"TEXT"` + SignatureSha1 string `xorm:"TEXT"` api.Payloader `xorm:"-"` PayloadContent string `xorm:"TEXT"` HTTPMethod string `xorm:"http_method"`
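Review bot: After this rename and the one in patch 6/7, `HookTask` has the fields `Signature` and `SignatureSha1`, but the code from patch 1/7 still writes `SignatureSha256: signatureSha256` in `prepareWebhook` and reads `t.SignatureSha256` in `deliver()`; unless those call sites are updated outside this series, the package no longer compiles. The `Webhook` struct and the v99 migration also still follow the `SignatureSha1`/`SignatureSha256` split, so the two structs now disagree on which column holds the SHA-256 digest. The call sites should follow the final field names: `Signature: signatureSha256,` in the `HookTask` literal and `req.Header.Add("X-Gitea-Signature", t.Signature)` (likewise for `X-Gogs-Signature`) in `deliver()`.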