From e47c0752dbb563092999640e854d8c11719c10d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Soko=C5=82owski?=
Date: Mon, 20 Feb 2023 12:43:06 +0100
Subject: [PATCH 1/3] backend/git_service: check repo URLs from webhook
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Since we are cloning a private repo we are using `ssh_url` in our case.
Signed-off-by: Jakub Sokołowski
---
 .../spiffworkflow_backend/services/git_service.py | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py
index cf308ef6c..16c064d18 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py
@@ -197,14 +197,13 @@ class GitService:
 f" body: {webhook}"
 )
- clone_url = webhook["repository"]["clone_url"]
- if (
- clone_url
- != current_app.config["SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_CLONE_URL"]
- ):
+ config_clone_url = current_app.config["SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_CLONE_URL"]
+ repo = webhook["repository"]
+ valid_clone_urls = [repo["clone_url"], repo["git_url"], repo["ssh_url"]]
+ if config_clone_url not in valid_clone_urls:
 raise GitCloneUrlMismatchError(
- "Configured clone url does not match clone url from webhook:"
- f" {clone_url}"
+ "Configured clone url does not match the repo URLs from webhook: %s =/= %s"
+ % (config_clone_url, valid_clone_urls)
 )
 if "ref" not in webhook:
From fb024a49f7d4118f233bedadde75942aecdac0bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Soko=C5=82owski?=
Date: Mon, 20 Feb 2023 13:10:58 +0100
Subject: [PATCH 2/3] backend/git_service: accept webhook test requests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
https://docs.github.com/en/webhooks-and-events/webhooks/testing-webhooks
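Review bot: The new membership test indexes `repo["git_url"]` and `repo["ssh_url"]` unconditionally, so a webhook whose `repository` object lacks either key (a non-GitHub sender, or a trimmed payload) escapes as a bare `KeyError` instead of the `InvalidGitWebhookBodyError` the surrounding code raises for malformed bodies. If you switch to `repo.get(...)` to avoid that, note that an unset `SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_CLONE_URL` (`None`) would then match a missing key and the mismatch check would pass vacuously, so filter out absent values and require the config value to be set: `valid_clone_urls = [u for u in (repo.get(k) for k in ("clone_url", "git_url", "ssh_url")) if u]`. This comparison only checks the repository identity the sender claims in the body; it is not a substitute for verifying the webhook's authenticity, which this hunk does not show. The enclosing method begins and ends outside the hunk.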
Signed-off-by: Jakub Sokołowski
---
 .../src/spiffworkflow_backend/services/git_service.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py
index 16c064d18..e73dd0612 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py
@@ -206,6 +206,10 @@ class GitService:
 % (config_clone_url, valid_clone_urls)
 )
+ # Test webhook requests have a zen koan and hook info.
+ if "zen" in webhook or "hook_id" in webhook:
+ return False
+
 if "ref" not in webhook:
 raise InvalidGitWebhookBodyError(
 f"Could not find the 'ref' arg in the webhook boy: {webhook}"
From a600736e67a823c6aba85be93d714b4252698d56 Mon Sep 17 00:00:00 2001
From: burnettk
Date: Mon, 20 Feb 2023 10:58:04 -0500
Subject: [PATCH 3/3] delint
---
 .../src/spiffworkflow_backend/services/git_service.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py
index e73dd0612..f8ea457d3 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/git_service.py
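Review bot: The ping short-circuit keys on body fields (`"zen"`, `"hook_id"`) that any sender can include, and because it sits before the `ref` check, such a body is silently reported as not-a-push rather than rejected as malformed; that is only harmless because the clone-URL comparison above has already run, so the ordering should be kept if this code is reorganised. If the request headers are reachable from the caller, GitHub marks test deliveries with the `X-GitHub-Event: ping` header, which is a more precise signal than sniffing body keys. The comment should also say what the early return means to the caller, e.g. `# GitHub "ping" events (sent on webhook creation/test) carry "zen" and "hook_id" instead of a push payload; report them as not handled.` The meaning of `False` is fixed by the method's signature, which lies outside the hunk.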
@@ -197,13 +197,15 @@ class GitService:
 f" body: {webhook}"
 )
- config_clone_url = current_app.config["SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_CLONE_URL"]
+ config_clone_url = current_app.config[
+ "SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_CLONE_URL"
+ ]
 repo = webhook["repository"]
 valid_clone_urls = [repo["clone_url"], repo["git_url"], repo["ssh_url"]]
 if config_clone_url not in valid_clone_urls:
 raise GitCloneUrlMismatchError(
- "Configured clone url does not match the repo URLs from webhook: %s =/= %s"
- % (config_clone_url, valid_clone_urls)
+ "Configured clone url does not match the repo URLs from webhook: %s"
+ " =/= %s" % (config_clone_url, valid_clone_urls)
 )
 # Test webhook requests have a zen koan and hook info.