Description
Now the service checks each incoming request and its source. If the request does not come from GitHub, that is, it carries no `X-Hub-Signature-256` header or the header's value does not match the signature expected for the request body, the webhook route (`POST /`) responds `403 Forbidden`. The validation is performed in accordance with this guide from GitHub: the header holds `sha256=` followed by the hex HMAC-SHA256 of the raw request body, keyed with the webhook secret, and the comparison is done in constant time.
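As an added illustration (not the docbot code itself), the following Python reproduces the check described above and also shows how to compute the `X-Hub-Signature-256` value that the cURL examples below leave as a placeholder. The secret, the header lookup and the sample body are constructed for this example; the real service reads its secret from `GITHUB_SIGN_KEY`.

```python
import hashlib
import hmac
import json
from typing import Mapping, Optional

# Constructed secret for this example; the real service reads it from GITHUB_SIGN_KEY
# and it must equal the secret configured for the webhook in the repository settings.
SECRET = "example-webhook-secret"

# Constructed sample body modelled on the cURL payloads; not real GitHub delivery data.
SAMPLE_BODY = json.dumps({
    "action": "created",
    "issue": {"state": "open", "url": "http://0.0.0.0:8000", "html_url": "http://0.0.0.0:8000"},
    "repository": {"full_name": "test"},
    "comment": {"body": "example comment", "user": {"login": "test"}},
}).encode("utf-8")


def sign_payload(secret: str, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: "sha256=" + hex HMAC-SHA256 of the raw body."""
    digest = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def verify_signature(secret: str, body: bytes, header_value: Optional[str]) -> bool:
    """True only if the header carries a sha256= HMAC that matches the exact raw body.

    The HMAC must be computed over the bytes as received: re-serialising parsed JSON
    changes whitespace and key order and would break the comparison.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    # Constant-time comparison on bytes; plain == would leak how many leading
    # characters match, and compare_digest on str rejects non-ASCII input.
    return hmac.compare_digest(expected.encode("utf-8"), header_value.encode("utf-8"))


def webhook_status(secret: str, headers: Mapping[str, str], body: bytes) -> int:
    """Status code POST / should return: 200 for a valid signature, otherwise 403."""
    if verify_signature(secret, body, get_header(headers, "X-Hub-Signature-256")):
        return 200
    return 403


if __name__ == "__main__":
    good = sign_payload(SECRET, SAMPLE_BODY)
    print("X-Hub-Signature-256:", good)
    print("correct signature ->", webhook_status(SECRET, {"X-Hub-Signature-256": good}, SAMPLE_BODY))
    print("no signature      ->", webhook_status(SECRET, {}, SAMPLE_BODY))
    print("bad signature     ->", webhook_status(SECRET, {"X-Hub-Signature-256": "haha"}, SAMPLE_BODY))
```

Running the script prints a valid signature for the sample body. To reproduce the first cURL example, compute `sign_payload` over the exact bytes passed to `--data-raw` (any change to whitespace changes the digest) and put the result in `X-Hub-Signature-256`.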
What's new in the administration
Previously, the service only needed a GitHub token from the `GITHUB_TOKEN` environment variable. Now it also requires the webhook secret, read from the `GITHUB_SIGN_KEY` environment variable; it must be the same secret configured for the webhook in the repository settings. See this guide.
If `GITHUB_TOKEN` is not set, an exception is raised when the settings module is imported:

```
File "/home/pc/workspace/vk/docbot/docbot/settings.py", line 5, in <module>
    assert token is not None
AssertionError
```
If `GITHUB_SIGN_KEY` is not set, an exception is raised in the same way:

```
File "/home/pc/workspace/vk/docbot/docbot/settings.py", line 6, in <module>
    assert github_signature is not None
AssertionError
```

Note that both checks are `assert` statements, which Python strips when run with `-O`; in that mode a missing variable is not caught here, so do not rely on optimized mode for this service.
Examples
In each payload below, the `url` and `html_url` values under `issue` must be changed to point at the real issue. `some_correct_value` stands for the signature of the exact request body: `sha256=` followed by the hex HMAC-SHA256 of the body, keyed with `GITHUB_SIGN_KEY`.

cURL request with correct signature: expected 200.

```bash
curl --location --request POST 'http://0.0.0.0:8000/' \
  --header 'X-Github-Event: issue_comment' \
  --header 'X-GitHub-Delivery: example_delivery' \
  --header 'X-Hub-Signature-256: some_correct_value' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "issue": {
      "state": "open",
      "url": "http://0.0.0.0:8000",
      "html_url": "http://0.0.0.0:8000"
    },
    "repository": {"test": "bugbounty", "full_name": "test"},
    "action": "created",
    "comment": {
      "body": "@TarantoolBotdocument\r\nTitle:fdsf",
      "user": {"login": "test"}
    }
  }'
```

cURL request without signature: expected 403.

```bash
curl --location --request POST 'http://0.0.0.0:8000/' \
  --header 'X-Github-Event: issue_comment' \
  --header 'X-GitHub-Delivery: example_delivery' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "issue": {
      "state": "open",
      "url": "http://0.0.0.0:8000",
      "html_url": "http://0.0.0.0:8000"
    },
    "repository": {"test": "bugbounty", "full_name": "test"},
    "action": "created",
    "comment": {
      "body": "@TarantoolBotdocument\r\nTitle:fdsf",
      "user": {"login": "test"}
    }
  }'
```

cURL request with bad signature: expected 403.

```bash
curl --location --request POST 'http://0.0.0.0:8000/' \
  --header 'X-Github-Event: issue_comment' \
  --header 'X-GitHub-Delivery: example_delivery' \
  --header 'X-Hub-Signature-256: haha' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "issue": {
      "state": "open",
      "url": "http://0.0.0.0:8000",
      "html_url": "http://0.0.0.0:8000"
    },
    "repository": {"test": "bugbounty", "full_name": "test"},
    "action": "created",
    "comment": {
      "body": "@TarantoolBotdocument\r\nTitle:fdsf",
      "user": {"login": "test"}
    }
  }'
```

Closes tarantool/security#124