From ce480c3f5061b101e3f8202b91a1b1ef38a41f00 Mon Sep 17 00:00:00 2001
From: Johannes Huther
Date: Sat, 22 May 2021 15:40:16 +0200
Subject: [PATCH 1/2] Remove redundant curl section

This commit does not change the behaviour of this file. Instead it stores the options in a variable to remove one of the two curl blocks that have been identical for the most part. `&> /dev/null` is not needed if `-v` is omitted and `-s` is used.
---
 entrypoint.sh | 30 +++++++++++++-----------------
 1 file changed, 13 insertions(+), 17 deletions(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index bac7d1e..4810547 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -71,23 +71,19 @@ if [ -n "$webhook_auth" ]; then
 WEBHOOK_ENDPOINT="-u $webhook_auth $webhook_url"
 fi
+options="--http1.1 --fail -k"
 if [ "$silent" ]; then
- curl -k -v --http1.1 --fail -s \
- -H "Content-Type: $CONTENT_TYPE" \
- -H "User-Agent: User-Agent: GitHub-Hookshot/760256b" \
- -H "X-Hub-Signature: sha1=$WEBHOOK_SIGNATURE" \
- -H "X-Hub-Signature-256: sha256=$WEBHOOK_SIGNATURE_256" \
- -H "X-GitHub-Delivery: $GITHUB_RUN_NUMBER" \
- -H "X-GitHub-Event: $GITHUB_EVENT_NAME" \
- --data "$WEBHOOK_DATA" $WEBHOOK_ENDPOINT &> /dev/null
+ options="$options -s"
 else
- curl -k -v --http1.1 --fail \
- -H "Content-Type: $CONTENT_TYPE" \
- -H "User-Agent: User-Agent: GitHub-Hookshot/760256b" \
- -H "X-Hub-Signature: sha1=$WEBHOOK_SIGNATURE" \
- -H "X-Hub-Signature-256: sha256=$WEBHOOK_SIGNATURE_256" \
- -H "X-GitHub-Delivery: $GITHUB_RUN_NUMBER" \
- -H "X-GitHub-Event: $GITHUB_EVENT_NAME" \
- --data "$WEBHOOK_DATA" $WEBHOOK_ENDPOINT
-fi
\ No newline at end of file
+ options="$options -v"
+fi
+
+curl $options \
+ -H "Content-Type: $CONTENT_TYPE" \
+ -H "User-Agent: User-Agent: GitHub-Hookshot/760256b" \
+ -H "X-Hub-Signature: sha1=$WEBHOOK_SIGNATURE" \
+ -H "X-Hub-Signature-256: sha256=$WEBHOOK_SIGNATURE_256" \
+ -H "X-GitHub-Delivery: $GITHUB_RUN_NUMBER" \
+ -H "X-GitHub-Event: $GITHUB_EVENT_NAME" \
+ --data "$WEBHOOK_DATA" $WEBHOOK_ENDPOINT

From 39574350f48af151333807f93d698eec30d78cee Mon Sep 17 00:00:00 2001
From: Johannes Huther
Date: Sat, 22 May 2021 20:02:45 +0200
Subject: [PATCH 2/2] Add random request ID (closes #22)

Adds a random unique ID to the request. As the POST data is never logged, this should prevent replay attacks even if logging is set to verbose.
---
 README.md     | 8 ++++++--
 entrypoint.sh | 11 ++++++++---
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index ca2584c..21f73de 100644
--- a/README.md
+++ b/README.md
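Review bot: `curl $options \` depends on unquoted word splitting of the new `options` string (ShellCheck SC2086), as does the pre-existing `$WEBHOOK_ENDPOINT` that carries `-u $webhook_auth`; a bash array keeps the consolidation without that hazard: `options=(--http1.1 --fail -k)`, then `options+=(-s)` / `options+=(-v)` in the two branches, and `curl "${options[@]}" \`. Two flags now travel on every call and deserve a comment on the new `options=` line: `-k` disables TLS certificate verification of the webhook endpoint, and in the non-silent branch `-v` writes the outgoing request headers, including the basic-auth `Authorization` header built from `webhook_auth`, into the job log. Both predate this patch, but once the two curl blocks are merged a reader can no longer tell they were deliberate, e.g. `# NOTE: -k skips TLS certificate verification; -v logs request headers, Authorization included`. Making `-k` opt-in through an input rather than unconditional would be the defensive follow-up.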
@@ -62,9 +62,12 @@ Will deliver a payload with the following properties:
 "commit": "a636b6f0861bbee98039bf3df66ee13d8fbc9c74",
 "ref": "refs/heads/master",
 "head": "",
- "workflow": "Build and deploy"
+ "workflow": "Build and deploy",
+ "requestID": "74b1912d19cfe780f1fada4b525777fd"
 }
 ```
+`requestID` contains a randomly generated identifier for each request.
+
 Add additional data to the payload:
@@ -92,7 +95,8 @@ and now look like:
 "data": {
 "weapon": "hammer",
 "drink": "beer"
- }
+ },
+ "requestID": "74b1912d19cfe780f1fada4b525777fd"
 }
 ```
diff --git a/entrypoint.sh b/entrypoint.sh
index 4810547..486ff1d 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -29,6 +29,8 @@ if [ -z "$webhook_secret" ]; then
 exit 1
 fi
+REQUEST_ID=$(cat /dev/urandom | tr -dc '0-9a-f' | fold -w 32 | head -n 1)
+
 if [ -n "$webhook_type" ] && [ "$webhook_type" == "form-urlencoded" ]; then
 EVENT=`urlencode "$GITHUB_EVENT_NAME"`
@@ -39,7 +41,7 @@ if [ -n "$webhook_type" ] && [ "$webhook_type" == "form-urlencoded" ]; then
 WORKFLOW=`urlencode "$GITHUB_WORKFLOW"`
 CONTENT_TYPE="application/x-www-form-urlencoded"
- WEBHOOK_DATA="event=$EVENT&repository=$REPOSITORY&commit=$COMMIT&ref=$REF&head=$HEAD&workflow=$WORKFLOW"
+ WEBHOOK_DATA="event=$EVENT&repository=$REPOSITORY&commit=$COMMIT&ref=$REF&head=$HEAD&workflow=$WORKFLOW&requestID=$REQUEST_ID"
 if [ -n "$data" ]; then
 WEBHOOK_DATA="${WEBHOOK_DATA}&${data}"
@@ -55,10 +57,13 @@ else
 else
 WEBHOOK_DATA="{\"event\":\"$GITHUB_EVENT_NAME\",\"repository\":\"$GITHUB_REPOSITORY\",\"commit\":\"$GITHUB_SHA\",\"ref\":\"$GITHUB_REF\",\"head\":\"$GITHUB_HEAD_REF\",\"workflow\":\"$GITHUB_WORKFLOW\"}"
 fi
+
+ JSON_WITH_OPEN_CLOSE_BRACKETS_STRIPPED=`echo "$WEBHOOK_DATA" | sed 's/^{\(.*\)}$/\1/'`
 if [ -n "$data" ]; then
 CUSTOM_JSON_DATA=$(echo -n "$data" | jq -c '')
- JSON_WITH_OPEN_CLOSE_BRACKETS_STRIPPED=`echo "$WEBHOOK_DATA" | sed 's/^{\(.*\)}$/\1/'`
- WEBHOOK_DATA="{$JSON_WITH_OPEN_CLOSE_BRACKETS_STRIPPED,\"data\":$CUSTOM_JSON_DATA}"
+ WEBHOOK_DATA="{$JSON_WITH_OPEN_CLOSE_BRACKETS_STRIPPED,\"data\":$CUSTOM_JSON_DATA,\"requestID\":\"$REQUEST_ID\"}"
+ else
+ WEBHOOK_DATA="{$JSON_WITH_OPEN_CLOSE_BRACKETS_STRIPPED,\"requestID\":\"$REQUEST_ID\"}"
 fi
 fi
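Review bot: `REQUEST_ID=$(cat /dev/urandom | tr -dc '0-9a-f' | fold -w 32 | head -n 1)` in the first entrypoint.sh hunk never checks that it produced a value, so an empty or short ID would be spliced into the payload unnoticed; it also reads an unbounded stream until `head` exits, which kills the upstream stages with SIGPIPE (status 141 should the script ever enable `set -o pipefail`), and `tr -dc` over raw bytes fails with "Illegal byte sequence" under a UTF-8 locale on BSD/macOS `tr`. Reading a fixed 16 bytes and hex-encoding them sidesteps all three: `REQUEST_ID=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')` followed by `[ "${#REQUEST_ID}" -eq 32 ] || { echo "failed to generate request ID" >&2; exit 1; }`. The replay protection the commit message promises only materialises if the receiving endpoint records the IDs it has accepted and rejects repeats, and only because the ID sits inside the body that `X-Hub-Signature` presumably covers (the signature computation is outside these hunks; I am assuming it runs after the data is assembled), so the README sentence `requestID contains a randomly generated identifier for each request.` should add that receivers must persist and deduplicate it.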
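Review bot: The third entrypoint.sh hunk splices `\"requestID\":\"$REQUEST_ID\"` into `WEBHOOK_DATA` twice, once per branch of `if [ -n "$data" ]`, which is the kind of duplication the first patch in this series set out to remove. Since `jq` is already required by the `$data` branch, one line after the closing `fi` can replace both additions and keeps the value JSON-encoded by the tool rather than by hand: `WEBHOOK_DATA=$(printf '%s' "$WEBHOOK_DATA" | jq -c --arg id "$REQUEST_ID" '. + {requestID: $id}')`, leaving the two `WEBHOOK_DATA="{$JSON_WITH_OPEN_CLOSE_BRACKETS_STRIPPED,...}"` lines as they were before this patch; this assumes `jq` is present on every path, which the existing `$data` branch already requires. The hunk's enclosing `else` block begins before the hunk.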