External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-19 23:07:42 -02:30
Code Issues Packages Projects Releases Wiki Activity

Forbid access to the webhook receiver views if webhook_key is not set

Browse Source
This commit is contained in:
Jeff Bradberry
2019-08-07 14:49:39 -04:00
parent 8f97dbf781
commit 50a54c9214
1 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
awx/api/views/webhooks.py
View File

@@ -44,6 +44,9 @@ class WebhookReceiverBase(APIView):
raise NotImplementedError raise NotImplementedError
def check_signature(self, obj): def check_signature(self, obj):
if not obj.webhook_key:
raise PermissionDenied
mac = hmac.new(force_bytes(obj.webhook_key), msg=force_bytes(self.request.body), digestmod=sha1) mac = hmac.new(force_bytes(obj.webhook_key), msg=force_bytes(self.request.body), digestmod=sha1)
if not hmac.compare_digest(force_bytes(mac.hexdigest()), self.get_signature()): if not hmac.compare_digest(force_bytes(mac.hexdigest()), self.get_signature()):
raise PermissionDenied raise PermissionDenied
@@ -86,9 +89,12 @@ class GitlabWebhookReceiver(WebhookReceiverBase):
return self.request.META.get('HTTP_X_GITLAB_TOKEN') return self.request.META.get('HTTP_X_GITLAB_TOKEN')
def check_signature(self, obj): def check_signature(self, obj):
# Gitlab only returns the secret token, not an hmac hash if not obj.webhook_key:
raise PermissionDenied
# Use the hmac `compare_digest` helper function to prevent timing analysis by attackers. # Gitlab only returns the secret token, not an hmac hash. Use
# the hmac `compare_digest` helper function to prevent timing
# analysis by attackers.
if not hmac.compare_digest(force_bytes(obj.webhook_key), self.get_signature()): if not hmac.compare_digest(force_bytes(obj.webhook_key), self.get_signature()):
raise PermissionDenied raise PermissionDenied