authorRalf Jung <post@ralfj.de>2015-02-22 22:58:37 +0100
committerRalf Jung <post@ralfj.de>2015-02-22 22:58:37 +0100
commit1a695451f3a3261b0d73884b372f579a594b8313 (patch)
treeaf3b5cbc369ecbe503802efcf4aa35c207c8a5bd /webhook-core.py
parent5e4cc8e8aed90a3f5464cbdd1656e47bf3fc810e (diff)
verify the HMAC that GitHub sends
Diffstat (limited to 'webhook-core.py')
-rwxr-xr-xwebhook-core.py17
1 files changed, 15 insertions, 2 deletions
diff --git a/webhook-core.py b/webhook-core.py
index d4c1ab7..934d41f 100755
--- a/webhook-core.py
+++ b/webhook-core.py
@@ -24,9 +24,22 @@
#==============================================================================
# This is the hook called by GitHub as webhook. It updats the local repository, and then all the other mirrors.
-import sys, traceback
+import sys, traceback, json
from git_mirror import *
+def get_github_payload(repo, signature):
+ '''Return the github-style JSON encoded payload (as if we were called as a github webhook)'''
+ data = sys.stdin.buffer.read()
+ verify_signature = repo.compute_hmac(data)
+ if signature != "sha1="+verify_signature:
+ raise Exception("You are not GitHub!")
+ try:
+ data = json.loads(data.decode('utf-8'))
+ return data
+ except ValueError:
+ return {} # nothing read
+
+
if __name__ == "__main__":
# call this with: <reponame> <event name> <signature>
repo = None # we will try to use this during exception handling
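Review bot: The check `signature != "sha1="+verify_signature` in `get_github_payload` is an ordinary string comparison, which can stop at the first differing character; a MAC check should use the standard library's constant-time compare, e.g. `if not hmac.compare_digest(signature.encode('utf-8'), ("sha1=" + verify_signature).encode('utf-8')):` with `hmac` added to the import line. This assumes `repo.compute_hmac` returns a hex string, which is defined outside this hunk and not visible here. Separately, `except ValueError` also catches `UnicodeDecodeError`, so a correctly signed but undecodable or malformed body is silently returned as `{}`; a comment such as `# authenticated but unparsable body: treat as empty payload` would make that choice explicit. The `__main__` block that supplies `signature` continues past the end of this hunk.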
@@ -42,7 +55,7 @@ if __name__ == "__main__":
repo = repos[reponame]
# now sync this repository
- data = get_github_payload()
+ data = get_github_payload(repo, githubSignature)
if githubEvent == 'ping':
# github sends this initially
print("Content-Type: text/plain")