Skip to content
This repository was archived by the owner on Aug 26, 2020. It is now read-only.

Adding signature verification to hubot-github-webhook-listener #5

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Adding signature verification to hubot-github-webhook-listener #5

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3688205
Adding signature verification to hubot-github-webhook-listener
Aug 24, 2016
8c46b06
Removing the secure compare since this code doesn't respond to the re…
Aug 25, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 17 additions & 6 deletions src/hubot-github-webhook-listener.coffee
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,25 +31,35 @@
# 5. Fire off a github event by interacting with your repo. Comment on an issue or a PR for example.
# 6. Navigate to `http://127.0.0.1:4040/`
# There you can see all webhooks posted to your local machine, and can replay them as many times as you wish.
# 7. If you set up a secret on your github webhook make sure HUBOT_GITHUB_WEBHOOK_TOKEN=yourverylongtoken if the
# token is not set we will not verify the x-hub-signature.
#
# Authors:
# Taytay
# Using code written by: spajus, patcon, and parkr

url = require('url')
querystring = require('querystring')
crypto = require('crypto')

debug = false

module.exports = (robot) ->
HUBOT_GITHUB_WEBHOOK_TOKEN = process.env.HUBOT_GITHUB_WEBHOOK_TOKEN

getSignature = (payload) ->
hmac = crypto.createHmac 'sha1', HUBOT_GITHUB_WEBHOOK_TOKEN
hmac.update new Buffer JSON.stringify(payload)
return 'sha1=' + hmac.digest('hex')

#TODO: Introduce secret so that these are verified:
# See: https://developer.github.com/webhooks/securing/ and
# https://gist.github.com/dcollien/c5d86c968cbc85e88286
module.exports = (robot) ->
robot.router.post "/hubot/github-repo-listener", (req, res) ->
try
if (debug)
robot.logger.info("Github post received: ", req)
if HUBOT_GITHUB_WEBHOOK_TOKEN isnt undefined
signature = getSignature(req.body)
if signature isnt req.headers['x-hub-signature']
throw new Error('Signatures Do Not Match')
eventBody =
eventType : req.headers["x-github-event"]
signature : req.headers["X-Hub-Signature"]
Expand All @@ -58,7 +68,8 @@ module.exports = (robot) ->
query : querystring.parse(url.parse(req.url).query)

robot.emit "github-repo-event", eventBody
catch error
robot.logger.error "Github repo webhook listener error: #{error.stack}. Request: #{req.body}"
catch err
robot.logger.error "Github repo webhook listener error: #{err.message}. Request: #{req.body}"
robot.logger.error err.stack

res.end ""