
Forbid access to the webhook receiver views if webhook_key is not set

This commit is contained in:
Jeff Bradberry 2019-08-07 14:49:39 -04:00
parent 8f97dbf781
commit 50a54c9214


@ -44,6 +44,9 @@ class WebhookReceiverBase(APIView):
raise NotImplementedError
def check_signature(self, obj):
if not obj.webhook_key:
raise PermissionDenied
mac = hmac.new(force_bytes(obj.webhook_key), msg=force_bytes(self.request.body), digestmod=sha1)
if not hmac.compare_digest(force_bytes(mac.hexdigest()), self.get_signature()):
raise PermissionDenied
@ -86,9 +89,12 @@ class GitlabWebhookReceiver(WebhookReceiverBase):
return self.request.META.get('HTTP_X_GITLAB_TOKEN')
def check_signature(self, obj):
# Gitlab only returns the secret token, not an hmac hash
if not obj.webhook_key:
raise PermissionDenied
# Use the hmac `compare_digest` helper function to prevent timing analysis by attackers.
# Gitlab only returns the secret token, not an hmac hash. Use
# the hmac `compare_digest` helper function to prevent timing
# analysis by attackers.
if not hmac.compare_digest(force_bytes(obj.webhook_key), self.get_signature()):
raise PermissionDenied
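Review bot: In the Gitlab `check_signature`, `self.get_signature()` is `self.request.META.get('HTTP_X_GITLAB_TOKEN')` with no default, so a request that carries no token reaches `hmac.compare_digest(force_bytes(obj.webhook_key), None)`, which raises TypeError and surfaces as a server error instead of the PermissionDenied the new key check produces for the other missing-secret case. A guard before the compare keeps both failure modes a 403: `token = self.get_signature()`, `if not token: raise PermissionDenied`, then compare against `force_bytes(token)`; the `force_bytes` matters too, since under Python 3 META values are str and `compare_digest(bytes, str)` also raises TypeError. The base-class `check_signature` in the first hunk has the same shape, but whether its `get_signature()` can return None or str depends on the subclass getters, which are outside the hunk.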