Add webhook secret and support payload validation

Backported from c11aad1.

Fixes #295

Conflicts:
	SourceGithub/SourceGithub.php

Author: dregad

SourceGithub/SourceGithub.php

@@ -95,6 +95,7 @@ public function update_repo_form( $p_repo ) {
 		$t_hub_app_client_id = null;
 		$t_hub_app_secret = null;
 		$t_hub_app_access_token = null;
+		$t_hub_webhook_secret = null;
 
 		if ( isset( $p_repo->info['hub_username'] ) ) {
 			$t_hub_username = $p_repo->info['hub_username'];
@@ -116,6 +117,10 @@ public function update_repo_form( $p_repo ) {
 			$t_hub_app_access_token = $p_repo->info['hub_app_access_token'];
 		}
 
+		if ( isset( $p_repo->info['hub_webhook_secret'] ) ) {
+			$t_hub_webhook_secret = $p_repo->info['hub_webhook_secret'];
+		}
+
 		if ( isset( $p_repo->info['master_branch'] ) ) {
 			$t_master_branch = $p_repo->info['master_branch'];
 		} else {
@@ -176,6 +181,14 @@ public function update_repo_form( $p_repo ) {
 	<span class="label-style"></span>
 </div>
 
+<div class="field-container">
+	<label><span><?php echo plugin_lang_get( 'hub_webhook_secret' ) ?></span></label>
+	<span class="input">
+		<input name="hub_webhook_secret" maxlength="250" size="40" value="<?php echo string_attribute( $t_hub_webhook_secret ) ?>"/>
+	</span>
+	<span class="label-style"></span>
+</div>
+
 <div class="field-container">
 	<label><span><?php echo plugin_lang_get( 'master_branch' ) ?></span></label>
 	<span class="input">
@@ -197,6 +210,7 @@ public function update_repo( $p_repo ) {
 		$f_hub_reponame = gpc_get_string( 'hub_reponame' );
 		$f_hub_app_client_id = gpc_get_string( 'hub_app_client_id' );
 		$f_hub_app_secret = gpc_get_string( 'hub_app_secret' );
+		$f_hub_webhook_secret = gpc_get_string( 'hub_webhook_secret' );
 		$f_master_branch = gpc_get_string( 'master_branch' );
 
 		$this->validate_branch_list( $f_master_branch );
@@ -205,6 +219,7 @@ public function update_repo( $p_repo ) {
 		$p_repo->info['hub_reponame'] = $f_hub_reponame;
 		$p_repo->info['hub_app_client_id'] = $f_hub_app_client_id;
 		$p_repo->info['hub_app_secret'] = $f_hub_app_secret;
+		$p_repo->info['hub_webhook_secret'] = $f_hub_webhook_secret;
 		$p_repo->info['master_branch'] = $f_master_branch;
 
 		return $p_repo;
@@ -279,6 +294,29 @@ public function precommit() {
 			$t_repo->id = $t_row['id'];
 
 			if ( $t_repo->info['hub_reponame'] == $t_reponame ) {
+				# Retrieve the payload's signature from the request headers
+				# Reference https://developer.github.com/webhooks/#delivery-headers
+				$t_signature = null;
+				if( array_key_exists( 'HTTP_X_HUB_SIGNATURE', $_SERVER ) ) {
+					$t_signature = explode( '=', $_SERVER['HTTP_X_HUB_SIGNATURE'] );
+					if( $t_signature[0] != 'sha1' ) {
+						# Invalid hash - as per docs, only sha1 is supported
+						return;
+					}
+					$t_signature = $t_signature[1];
+				}
+
+				# Validate payload against webhook secret: checks OK if
+				# - Webhook secret not defined and no signature received from GitHub, OR
+				# - Payload's SHA1 hash salted with Webhook secret matches signature
+				$t_secret = $t_repo->info['hub_webhook_secret'];
+				$t_valid = ( !$t_secret && !$t_signature )
+					|| $t_signature == hash_hmac('sha1', $f_payload, $t_secret);
+				if( !$t_valid ) {
+					# Invalid signature
+					return;
+				}
+
 				return array( 'repo' => $t_repo, 'data' => $t_data );
 			}
 		}

SourceGithub/lang/strings_english.txt

@@ -13,6 +13,7 @@ $s_plugin_SourceGithub_hub_reponame = 'GitHub Repository Name<br/><span class="s
 $s_plugin_SourceGithub_hub_app_client_id = 'GitHub Application Client ID<br><span class="small">This is required for private repositories and also allows to get around the <a href="https://developer.github.com/v3/#rate-limiting">Rate Limit</a> when importing data.<br>Create a new <a href="https://github.com/settings/applications">GitHub Application</a> if needed.</span>';
 $s_plugin_SourceGithub_hub_app_secret = 'GitHub Application Secret';
 $s_plugin_SourceGithub_hub_app_access_token = 'GitHub Application Access Token';
+$s_plugin_SourceGithub_hub_webhook_secret = 'GitHub Webhook Secret';
 $s_plugin_SourceGithub_master_branch = 'Primary Branches<br/><span class="small">(comma-separated list or "*" for all branches)</span>';
 
 $s_plugin_SourceGithub_hub_app_client_id_secret_missing = '<span class="small">You must first enter the GitHub Application <em>Client ID</em> &amp; <em>Secret</em> and update the repository before you can authorize.</span>';