From 9349637d6ac23b33075a930044a18cc5cc09d610 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Brunner?=
Date: Fri, 5 Jul 2024 11:28:31 +0200
Subject: [PATCH] GitHub signature: Don't fail on dryrun mode on missing signature
---
 github_app_geo_project/views/webhook.py | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/github_app_geo_project/views/webhook.py b/github_app_geo_project/views/webhook.py
index 2d40a028f1c..e160b31c7f1 100644
--- a/github_app_geo_project/views/webhook.py
+++ b/github_app_geo_project/views/webhook.py
@@ -36,15 +36,18 @@ def webhook(request: pyramid.request.Request) -> dict[str, None]:
 if not dry_run:
 raise pyramid.httpexceptions.HTTPBadRequest("No signature in the request")
- our_signature = hmac.new(
- key=github_secret.encode("utf-8"),
- msg=request.body,
- digestmod=hashlib.sha256,
- ).hexdigest()
- if not hmac.compare_digest(our_signature, request.headers["X-Hub-Signature-256"].split("=", 1)[1]):
- _LOGGER.error("Invalid signature in the request")
- if not dry_run:
- raise pyramid.httpexceptions.HTTPBadRequest("Invalid signature in the request")
+ else:
+ our_signature = hmac.new(
+ key=github_secret.encode("utf-8"),
+ msg=request.body,
+ digestmod=hashlib.sha256,
+ ).hexdigest()
+ if not hmac.compare_digest(
+ our_signature, request.headers["X-Hub-Signature-256"].split("=", 1)[-1]
+ ):
+ _LOGGER.error("Invalid signature in the request")
+ if not dry_run:
+ raise pyramid.httpexceptions.HTTPBadRequest("Invalid signature in the request")
 _LOGGER.debug(
 "Webhook received for %s on %s",
 request.headers.get("X-GitHub-Event", "undefined"),
 application
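Review bot: In the new `else:` branch, `hmac.compare_digest(our_signature, request.headers["X-Hub-Signature-256"].split("=", 1)[-1])` still compares two `str` values, and `compare_digest` raises `TypeError` when a `str` argument contains non-ASCII characters, so a malformed header from an unauthenticated sender would likely surface as a 500 rather than the intended 400. Comparing bytes avoids that: `received = request.headers["X-Hub-Signature-256"].split("=", 1)[-1].encode("utf-8")` followed by `if not hmac.compare_digest(our_signature.encode("ascii"), received):`. The move from `[1]` to `[-1]` means a value with no `=` is compared as-is, which fails closed, but the `sha256` algorithm prefix is never checked. In dry-run, both the missing-signature and the bad-signature paths only log and fall through to `_LOGGER.debug(...)` and whatever processing follows, so a comment such as `# dry_run must come from server-side configuration, never from the request: it disables signature enforcement` would help. Where `dry_run` comes from, and the `if` this `else:` pairs with, are both outside the hunk.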