Fix: Verify payload by signature

Author: plibither8

.env.example

@@ -1 +1,2 @@
-GH_TOKEN=
+GH_TOKEN=
+WEBHOOK_SECRET=

scripts/delete-hooks.js

@@ -0,0 +1,21 @@
+const fetch = require('node-fetch')
+const { ghAuthHeaders, getPublicRepos } = require('../utils')
+
+async function main() {
+  const repos = await getPublicRepos()
+  let count = 0
+  for (const repo of repos) {
+    const hooks = await fetch(repo.hookUrl, { headers: ghAuthHeaders })
+      .then(res => res.json())
+    const id = hooks.find(({ config }) => config.url === 'https://git.mihir.ch/webhook/push')?.id
+    if (id) {
+      console.log(`[${++count}/${repos.length}] Deleting hook for ${repo.name}`)
+      await fetch(repo.hookUrl + '/' + id, {
+        method: 'DELETE',
+        headers: ghAuthHeaders
+      })
+    }
+  }
+}
+
+main()

setup.js

@@ -1,79 +1,20 @@
 require('dotenv').config()
 const path = require('path')
-const { writeFile, mkdir } = require('fs/promises')
-const fetch = require('node-fetch')
-const git = require('simple-git')()
+const { mkdir } = require('fs/promises')
 const config = require('./config.json')
-
-const GH_API_BASE = 'https://api.github.com'
-
-const ghAuthHeaders = {
-  Authorization: `token ${process.env.GH_TOKEN}`
-}
+const {
+  getPublicRepos,
+  createMetaList,
+  cloneToPath,
+  updateDescription,
+  createWebhook
+} = require('./utils')
 
 async function createRepositoriesPath() {
   console.log('[INFO]', 'Creating repositories\' directory if it does not exist')
   await mkdir(config.repositoriesPath, { recursive: true })
 }
 
-async function getPublicRepos() {
-  const searchParams = new URLSearchParams()
-  for (const [key, value] of Object.entries(config.githubRepoListParams)) {
-    searchParams.set(key, value)
-  }
-  const response = await fetch(`${GH_API_BASE}/user/repos?${searchParams}`, { headers: ghAuthHeaders })
-  const json = await response.json()
-  return json
-}
-
-function filterAndProcessRepos(repos) {
-  return repos
-    .filter(repo => !repo.fork)
-    .map(({ full_name, description, ssh_url, hooks_url }) => ({
-      name: full_name,
-      description,
-      hookUrl: hooks_url,
-      cloneUrl: ssh_url
-    }))
-}
-
-async function createMetaList(repos) {
-  console.log('[INFO]', 'Creating list of cloned directories')
-  const list = JSON.stringify(repos.map(repo => repo.name))
-  const filePath = path.join(config.repositoriesPath, 'repositories.json')
-  await writeFile(filePath, list, 'utf-8')
-  return repos
-}
-
-async function cloneToPath(repo) {
-  const remotePath = repo.cloneUrl
-  const localPath = path.join(config.repositoriesPath, repo.name)
-  await git.clone(remotePath, localPath)
-  return localPath
-}
-
-async function updateDescription(localPath, description) {
-  const descriptionFilePath = path.join(localPath, '.git', 'description')
-  await writeFile(descriptionFilePath, description || '', 'utf-8')
-}
-
-async function createWebhook(webhookUrl) {
-  const requestBody = {
-    config: {
-      url: config.webhookBase + '/push',
-      content_type: 'json'
-    }
-  }
-  await fetch(webhookUrl, {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-      ...ghAuthHeaders
-    },
-    body: JSON.stringify(requestBody)
-  })
-}
-
 async function main () {
   // Create repositories path if it doesn't exist
   await createRepositoriesPath()
@@ -84,7 +25,6 @@ async function main () {
 
   console.log('[INFO] Getting repos from GitHub')
   await getPublicRepos()
-    .then(filterAndProcessRepos)
     .then(repos => {
       totalProgressRequired = repos.length * 4
       return repos

utils.js

@@ -0,0 +1,86 @@
+require('dotenv').config()
+const fetch = require('node-fetch')
+const config = require('./config.json')
+const git = require('simple-git')()
+const { writeFile } = require('fs/promises')
+
+const GH_API_BASE = 'https://api.github.com'
+const ghAuthHeaders = {
+  Authorization: `token ${process.env.GH_TOKEN}`
+}
+
+function filterAndProcessRepos(repos) {
+  return repos
+    .filter(repo => !repo.fork)
+    .map(({full_name, description, ssh_url, hooks_url}) => ({
+      name: full_name,
+      description,
+      hookUrl: hooks_url,
+      cloneUrl: ssh_url
+    }))
+}
+
+function getPublicRepoParams() {
+  const searchParams = new URLSearchParams()
+  for (const [key, value] of Object.entries(config.githubRepoListParams)) {
+    searchParams.set(key, value)
+  }
+  return searchParams
+}
+
+async function getPublicRepos() {
+  const searchParams = getPublicRepoParams()
+  const response = await fetch(`${GH_API_BASE}/user/repos?${searchParams}`, { headers: ghAuthHeaders })
+  const json = await response.json()
+  return filterAndProcessRepos(json)
+}
+
+async function createMetaList(repos) {
+  console.log('[INFO]', 'Creating list of cloned directories')
+  const list = JSON.stringify(repos.map(repo => repo.name))
+  const filePath = path.join(config.repositoriesPath, 'repositories.json')
+  await writeFile(filePath, list, 'utf-8')
+  return repos
+}
+
+async function cloneToPath(repo, log = false) {
+  if (log) console.log(`[INFO] Cloning %s`, repo.name)
+  const remotePath = repo.cloneUrl
+  const localPath = path.join(config.repositoriesPath, repo.name)
+  await git.clone(remotePath, localPath)
+  return localPath
+}
+
+async function updateDescription(localPath, description, log = false) {
+  if (log) console.log(`[INFO] Adding description for %s`, repo.name)
+  const descriptionFilePath = path.join(localPath, '.git', 'description')
+  await writeFile(descriptionFilePath, description || '', 'utf-8')
+}
+
+async function createWebhook(webhookUrl, log = false) {
+  if (log) console.log(`[INFO] Creating webhook for %s`, repo.name)
+  const requestBody = {
+    config: {
+      url: config.webhookBase + '/push',
+      content_type: 'json',
+      secret: process.env.WEBHOOK_SECRET
+    }
+  }
+  await fetch(webhookUrl, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      ...ghAuthHeaders
+    },
+    body: JSON.stringify(requestBody)
+  })
+}
+
+module.exports = {
+  ghAuthHeaders,
+  getPublicRepos,
+  createMetaList,
+  cloneToPath,
+  updateDescription,
+  createWebhook
+}

webhook-server.js

@@ -1,9 +1,33 @@
 require('dotenv').config()
+const crypto = require('crypto')
 const polka = require('polka')
 const { json } = require('body-parser')
 const config = require('./config.json')
 const git = require('simple-git')()
 
+function createComparisonSignature (body = '') {
+  const hmac = crypto.createHmac('sha1', process.env.WEBHOOK_SECRET)
+  const signature = hmac.update(JSON.stringify(body)).digest('hex')
+  return `sha1=${signature}`
+}
+
+function compareSignatures (receivedSignature = '', selfSignature) {
+  const source = Buffer.from(receivedSignature)
+  const comparison = Buffer.from(selfSignature)
+  return receivedSignature.length === selfSignature.length &&
+    crypto.timingSafeEqual(source, comparison)
+}
+
+function verifyPayload (req, res, next) {
+  const { headers, body } = req
+  const receivedSignature = headers['x-hub-signature']
+  const selfSignature = createComparisonSignature(body)
+  if (!compareSignatures(receivedSignature, selfSignature)) {
+    return res.writeHead(401).end('Signature mismatch!')
+  }
+  next()
+}
+
 async function pull(repo) {
   const localPath = `${config.repositoriesPath}/${repo}`
   await git.cwd(localPath).pull('origin', 'master')
@@ -23,6 +47,7 @@ const handlers = {
 
 polka()
   .use(json())
+  .use(verifyPayload)
   .post('/webhook/push', handlers.push)
   .post('/webhook/repo', handlers.repo)
   .listen(config.webhookPort)