Fixes Issue #1

scanterog · Jun 1, 2017 · 3cf4ddb · 3cf4ddb
1 parent 631a604
commit 3cf4ddb
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 22 deletions.
diff --git a/app.py b/app.py
@@ -1,8 +1,8 @@
-from flask import Flask,request
+from flask import Flask,request,abort
 from celery import Celery
 import os
 from IPython import embed
-
+import utils
 
 app = Flask(__name__)
 app.config['CELERY_BROKER_URL'] = 'redis://localhost:6379/0'
@@ -21,9 +21,15 @@ def main():
 @app.route('/webhook',methods=['POST'])
 def handle_payload():
     content = request.get_json(silent=True)
-    signature = request.headers['X-Hub-Signature']
+    #embed()
+    header_signature = request.headers['X-Hub-Signature']
+    embed()
+    if header_signature is None:
+        abort(403)
+    if not utils.verify_signature(header_signature,request.data,GITHUB_HOOK_SECRET):
+        abort(403)
 
-    return "Valid request"
+    return "Authenticated request :D"
 
 if __name__ == "__main__":
     app.run(host='0.0.0.0')
diff --git a/requirements.txt b/requirements.txt
@@ -1,33 +1,16 @@
 amqp==2.1.4
 appdirs==1.4.3
-backports.shutil-get-terminal-size==1.0.0
 billiard==3.5.0.2
-blinker==1.4
 celery==4.0.2
 click==6.7
-decorator==4.0.11
-enum34==1.1.6
 Flask==0.12.2
-Flask-DebugToolbar==0.10.1
-ipython==5.4.1
-ipython-genutils==0.2.0
 itsdangerous==0.24
 Jinja2==2.9.6
 kombu==4.0.2
 MarkupSafe==1.0
 packaging==16.8
-pathlib2==2.2.1
-pexpect==4.2.1
-pickleshare==0.7.4
-prompt-toolkit==1.0.14
-ptyprocess==0.5.1
-Pygments==2.2.0
 pyparsing==2.2.0
 pytz==2017.2
-scandir==1.5
-simplegeneric==0.8.1
 six==1.10.0
-traitlets==4.3.2
 vine==1.1.3
-wcwidth==0.1.7
 Werkzeug==0.12.2
diff --git a/utils.py b/utils.py
@@ -1 +1,13 @@
-def verify_signature(signature):
+import hmac
+from hashlib import sha1
+
+# Thanks to https://github.com/carlos-jenkins/python-github-webhooks/blob/master/webhooks.py
+# https://developer.github.com/webhooks/securing/
+def verify_signature(header_signature,raw_data,secret):
+    sha_name, signature = header_signature.split('=')
+    if sha_name != 'sha1':
+       return false
+    # HMAC requires the key to be bytes, pass raw request data
+    mac = hmac.new(secret,raw_data,sha1)
+    # Use compare_digest to avoid timing attacks
+    return hmac.compare_digest(str(mac.hexdigest()), str(signature))