From 1a695451f3a3261b0d73884b372f579a594b8313 Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Sun, 22 Feb 2015 22:58:37 +0100
Subject: verify the HMAC that GitHub sends

---
 webhook-core.py | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

(limited to 'webhook-core.py')

diff --git a/webhook-core.py b/webhook-core.py
index d4c1ab7..934d41f 100755
--- a/webhook-core.py
+++ b/webhook-core.py
@@ -24,9 +24,22 @@
 #==============================================================================
 # This is the hook called by GitHub as webhook. It updats the local repository, and then all the other mirrors.
-import sys, traceback
+import sys, traceback, json
 from git_mirror import *
+def get_github_payload(repo, signature):
+    '''Return the github-style JSON encoded payload (as if we were called as a github webhook)'''
+    data = sys.stdin.buffer.read()
+    verify_signature = repo.compute_hmac(data)
+    if signature != "sha1="+verify_signature:
+        raise Exception("You are not GitHub!")
+    try:
+        data = json.loads(data.decode('utf-8'))
+        return data
+    except ValueError:
+        return {} # nothing read
+
+
 if __name__ == "__main__": # call this with:
     repo = None # we will try to use this during exception handling
@@ -42,7 +55,7 @@ if __name__ == "__main__":
         repo = repos[reponame]
         # now sync this repository
-        data = get_github_payload()
+        data = get_github_payload(repo, githubSignature)
         if githubEvent == 'ping': # github sends this initially
             print("Content-Type: text/plain")
-- 
cgit v1.2.3
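Review bot: The signature check in get_github_payload compares the hex digest with a plain `!=`, which short-circuits on the first differing byte and so leaks timing information about the expected MAC; use the stdlib constant-time comparison instead, `if signature is None or not hmac.compare_digest(signature, "sha1=" + verify_signature):` with `import hmac` added to the import line (the `is None` guard is needed because compare_digest raises TypeError on None, whereas `!=` currently just mismatches and raises the intended "not GitHub" error). The body is also read with an unbounded `sys.stdin.buffer.read()` before the MAC is checked, so an unauthenticated caller can make the hook buffer an arbitrarily large request; bounding the read by the CGI CONTENT_LENGTH, if that environment is available here, would close that. Whether `repo.compute_hmac` returns a lowercase hex digest in the format GitHub sends in X-Hub-Signature cannot be confirmed from this hunk, since it is defined in git_mirror. The `if __name__ == "__main__"` block at the end of the hunk continues outside it.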