-
Notifications
You must be signed in to change notification settings - Fork 5
/
hook.php
78 lines (72 loc) · 2.12 KB
/
hook.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
<?php
include 'config.php';
// what command to execute upon retrieval of a valid push event
$cmd = 'git pull';
// the shared secret, used to sign the POST data (using HMAC with SHA1)
$secret = GITHUB_SECRET;
//Selected branch to watch
$branch = BRANCH;
// receive POST data for signature calculation, don't change!
$post_data = file_get_contents('php://input');
$signature = hash_hmac('sha1', $post_data, $secret);
// required data in POST body - set your targeted branch and repository here!
$required_data = array(
'ref' => 'refs/heads/' . $branch,
'repository' => array(
'full_name' => 'ShellHacksFIU/ShellHacks-2018-Landing',
),
);
// required data in headers - probably doesn't need changing
$required_headers = array(
'REQUEST_METHOD' => 'POST',
'HTTP_X_GITHUB_EVENT' => 'push',
'HTTP_USER_AGENT' => 'GitHub-Hookshot/*',
'HTTP_X_HUB_SIGNATURE' => 'sha1=' . $signature,
);
// END OF CONFIGURATION
error_reporting(0);
function log_msg($msg) {
if(LOGFILE != '') {
file_put_contents(LOGFILE, $msg . "\n", FILE_APPEND);
}
}
function array_matches($have, $should, $name = 'array') {
$ret = true;
if(is_array($have)) {
foreach($should as $key => $value) {
if(!array_key_exists($key, $have)) {
log_msg("Missing: $key");
$ret = false;
}
else if(is_array($value) && is_array($have[$key])) {
$ret &= array_matches($have[$key], $value);
}
else if(is_array($value) || is_array($have[$key])) {
log_msg("Type mismatch: $key");
$ret = false;
}
else if(!fnmatch($value, $have[$key])) {
log_msg("Failed comparison: $key={$have[$key]} (expected $value)");
$ret = false;
}
}
}
else {
log_msg("Not an array: $name");
$ret = false;
}
return $ret;
}
log_msg("=== Received request from {$_SERVER['REMOTE_ADDR']} ===");
header("Content-Type: text/plain");
$data = json_decode($post_data, true);
// First do all checks and then report back in order to avoid timing attacks
$headers_ok = array_matches($_SERVER, $required_headers, '$_SERVER');
$data_ok = array_matches($data, $required_data, '$data');
if($headers_ok && $data_ok) {
passthru($cmd);
}
else {
http_response_code(403);
die("Forbidden\n");
}