Otherway/sugar-cube-client
2
0
Fork 0
mirror of https://github.com/sitelease/sugar-cube-client.git synced 2025-10-31 12:02:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

PushEvent - Updated the validateRequest() method

Browse Source 
+ Added ability to skip secret key validation, which is useful for newer version of gitea (as its depreciated now)
This commit is contained in:
Benjamin Blake
2021-11-04 20:52:06 -06:00
parent dbdff87baf
commit ea64578fd9
1 changed files with 17 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
src/PushEvent.php
View File

@ -59,9 +59,10 @@ class PushEvent extends AbstractApiModel {
* @param array $server The HTTP SERVER array for the push event
* @param string $body The raw data from the request body
* @param string $secretKey The secret key to from your server
* @return void
* @param bool $skipSecretValidation If set to true, secret key validation will be skipped (used for newer versions of Gitea)
* @return bool
*/
public static function validateRequest(array $server, string $body, string $secretKey)
public static function validateRequest(array $server, string $body, string $secretKey, bool $skipSecretValidation = false)
{
// Validate request protocol
if ($server['REQUEST_METHOD'] != 'POST') {
@ -80,18 +81,20 @@ class PushEvent extends AbstractApiModel {
throw new \RuntimeException("FAILED: Empty Body - The request has an empty body");
}
// Validate header signature
$headerSignature = isset($server['HTTP_X_GITEA_SIGNATURE']) ? $server['HTTP_X_GITEA_SIGNATURE'] : '';
if (empty($headerSignature)) {
throw new \RuntimeException("FAILED: Signature Missing - The request is missing the Gitea signature");
}
// calculate payload signature
$payload_signature = hash_hmac('sha256', $rawContent, $secretKey, false);
// check payload signature against header signature
if ($headerSignature != $payload_signature) {
throw new \RuntimeException("FAILED: Access Denied - The push event's secret does not match the expected secret");
if (!$skipSecretValidation) {
// Validate header signature
$headerSignature = isset($server['HTTP_X_GITEA_SIGNATURE']) ? $server['HTTP_X_GITEA_SIGNATURE'] : '';
if (empty($headerSignature)) {
throw new \RuntimeException("FAILED: Signature Missing - The request is missing the Gitea signature");
}
// calculate payload signature
$payload_signature = hash_hmac('sha256', $rawContent, $secretKey, false);
// check payload signature against header signature
if ($headerSignature != $payload_signature) {
throw new \RuntimeException("FAILED: Access Denied - The push event's secret does not match the expected secret");
}
}
return true;