PushEvent - Updated the validateRequest() method

+ Added ability to skip secret key validation, which is useful for newer versions of Gitea (as it is deprecated now)
This commit is contained in:
Benjamin Blake
2021-11-04 20:52:06 -06:00
parent dbdff87baf
commit ea64578fd9


@ -59,9 +59,10 @@ class PushEvent extends AbstractApiModel {
* @param array $server The HTTP SERVER array for the push event * @param array $server The HTTP SERVER array for the push event
* @param string $body The raw data from the request body * @param string $body The raw data from the request body
* @param string $secretKey The secret key to from your server * @param string $secretKey The secret key to from your server
* @return void * @param bool $skipSecretValidation If set to true, secret key validation will be skipped (used for newer versions of Gitea)
* @return bool
*/ */
public static function validateRequest(array $server, string $body, string $secretKey) public static function validateRequest(array $server, string $body, string $secretKey, bool $skipSecretValidation = false)
{ {
// Validate request protocol // Validate request protocol
if ($server['REQUEST_METHOD'] != 'POST') { if ($server['REQUEST_METHOD'] != 'POST') {
@ -80,18 +81,20 @@ class PushEvent extends AbstractApiModel {
throw new \RuntimeException("FAILED: Empty Body - The request has an empty body"); throw new \RuntimeException("FAILED: Empty Body - The request has an empty body");
} }
// Validate header signature if (!$skipSecretValidation) {
$headerSignature = isset($server['HTTP_X_GITEA_SIGNATURE']) ? $server['HTTP_X_GITEA_SIGNATURE'] : ''; // Validate header signature
if (empty($headerSignature)) { $headerSignature = isset($server['HTTP_X_GITEA_SIGNATURE']) ? $server['HTTP_X_GITEA_SIGNATURE'] : '';
throw new \RuntimeException("FAILED: Signature Missing - The request is missing the Gitea signature"); if (empty($headerSignature)) {
} throw new \RuntimeException("FAILED: Signature Missing - The request is missing the Gitea signature");
}
// calculate payload signature
$payload_signature = hash_hmac('sha256', $rawContent, $secretKey, false); // calculate payload signature
$payload_signature = hash_hmac('sha256', $rawContent, $secretKey, false);
// check payload signature against header signature
if ($headerSignature != $payload_signature) { // check payload signature against header signature
throw new \RuntimeException("FAILED: Access Denied - The push event's secret does not match the expected secret"); if ($headerSignature != $payload_signature) {
throw new \RuntimeException("FAILED: Access Denied - The push event's secret does not match the expected secret");
}
} }
return true; return true;