Merge pull request #141 from sartography/fix/git-service-webhook

backend/git_service: check repo URLs from webhook
This commit is contained in:
Kevin Burnett 2023-02-20 08:02:53 -08:00 committed by GitHub
commit 762ed05f00
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 7 deletions

View File

@ -197,16 +197,21 @@ class GitService:
f" body: {webhook}" f" body: {webhook}"
) )
clone_url = webhook["repository"]["clone_url"] config_clone_url = current_app.config[
if ( "SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_CLONE_URL"
clone_url ]
!= current_app.config["SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_CLONE_URL"] repo = webhook["repository"]
): valid_clone_urls = [repo["clone_url"], repo["git_url"], repo["ssh_url"]]
if config_clone_url not in valid_clone_urls:
raise GitCloneUrlMismatchError( raise GitCloneUrlMismatchError(
"Configured clone url does not match clone url from webhook:" "Configured clone url does not match the repo URLs from webhook: %s"
f" {clone_url}" " =/= %s" % (config_clone_url, valid_clone_urls)
) )
# Test webhook requests have a zen koan and hook info.
if "zen" in webhook or "hook_id" in webhook:
return False
if "ref" not in webhook: if "ref" not in webhook:
raise InvalidGitWebhookBodyError( raise InvalidGitWebhookBodyError(
f"Could not find the 'ref' arg in the webhook boy: {webhook}" f"Could not find the 'ref' arg in the webhook boy: {webhook}"