Forbid access to the webhook receiver views if webhook_key is not set
parent
8f97dbf781
commit
50a54c9214
@ -44,6 +44,9 @@ class WebhookReceiverBase(APIView):
|
||||
raise NotImplementedError
|
||||
|
||||
def check_signature(self, obj):
|
||||
if not obj.webhook_key:
|
||||
raise PermissionDenied
|
||||
|
||||
mac = hmac.new(force_bytes(obj.webhook_key), msg=force_bytes(self.request.body), digestmod=sha1)
|
||||
if not hmac.compare_digest(force_bytes(mac.hexdigest()), self.get_signature()):
|
||||
raise PermissionDenied
|
||||
@ -86,9 +89,12 @@ class GitlabWebhookReceiver(WebhookReceiverBase):
|
||||
return self.request.META.get('HTTP_X_GITLAB_TOKEN')
|
||||
|
||||
def check_signature(self, obj):
|
||||
# Gitlab only returns the secret token, not an hmac hash
|
||||
if not obj.webhook_key:
|
||||
raise PermissionDenied
|
||||
|
||||
# Use the hmac `compare_digest` helper function to prevent timing analysis by attackers.
|
||||
# Gitlab only returns the secret token, not an hmac hash. Use
|
||||
# the hmac `compare_digest` helper function to prevent timing
|
||||
# analysis by attackers.
|
||||
if not hmac.compare_digest(force_bytes(obj.webhook_key), self.get_signature()):
|
||||
raise PermissionDenied
|
||||
|
||||
|
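Review bot: The new `if not obj.webhook_key` guard in `WebhookReceiverBase.check_signature` closes the unset-key case, but a request that arrives without the signature header still reaches `hmac.compare_digest` with whatever `self.get_signature()` returns — for the Gitlab receiver that is `self.request.META.get('HTTP_X_GITLAB_TOKEN')`, i.e. `None` when absent — and `compare_digest` raises `TypeError` for a non-bytes-like operand, so the caller gets a 500 instead of the 403 the new guard produces for a missing key. The same gap exists in the Gitlab `check_signature` in the second hunk, and if `META` yields a `str` there the bytes-vs-str comparison would raise even when the header is present, though whether `get_signature` coerces to bytes elsewhere is not visible in the hunk. I would read the signature once and reject an empty one alongside the key before comparing: `signature = self.get_signature()` / `if not obj.webhook_key or not signature:` / `raise PermissionDenied`, then compare against `force_bytes(signature)`. Failing closed with `PermissionDenied` keeps an absent header indistinguishable from a wrong one and avoids leaking a stack trace to the sender.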