diff --git a/server/plugin/webhook.go b/server/plugin/webhook.go
index b15a5bdff..c79e1759b 100644
--- a/server/plugin/webhook.go
+++ b/server/plugin/webhook.go
@@ -6,7 +6,7 @@ import (
 	"crypto/sha1" //nolint:gosec // GitHub webhooks are signed using sha1 https://developer.github.com/webhooks/.
 	"encoding/hex"
 	"encoding/json"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"strings"
 	"sync"
@@ -147,13 +147,25 @@ func (wb *WebhookBroker) Close() {
 func (p *Plugin) handleWebhook(w http.ResponseWriter, r *http.Request) {
 	config := p.getConfiguration()
 
-	signature := r.Header.Get("X-Hub-Signature")
-	body, err := ioutil.ReadAll(r.Body)
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		http.Error(w, "Bad request body", http.StatusBadRequest)
 		return
 	}
 
+	signature := r.Header.Get("X-Hub-Signature")
+	valid, err := verifyWebhookSignature([]byte(config.WebhookSecret), signature, body)
+	if err != nil {
+		p.API.LogWarn("Failed to verify webhook signature", "error", err.Error())
+		http.Error(w, "", http.StatusInternalServerError)
+		return
+	}
+
+	if !valid {
+		http.Error(w, "Not authorized", http.StatusUnauthorized)
+		return
+	}
+
 	event, err := github.ParseWebHook(github.WebHookType(r), body)
 	if err != nil {
 		p.API.LogDebug("GitHub webhook content type should be set to \"application/json\"", "error", err.Error())
@@ -170,17 +182,6 @@ func (p *Plugin) handleWebhook(w http.ResponseWriter, r *http.Request) {
 		}
 		p.API.LogDebug("Webhook Event Log", "event", string(bodyByte))
 	}
-	valid, err := verifyWebhookSignature([]byte(config.WebhookSecret), signature, body)
-	if err != nil {
-		p.API.LogWarn("Failed to verify webhook signature", "error", err.Error())
-		http.Error(w, "", http.StatusInternalServerError)
-		return
-	}
-
-	if !valid {
-		http.Error(w, "Not authorized", http.StatusUnauthorized)
-		return
-	}
 
 	var repo *github.Repository
 	var handler func()
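Review bot: `io.ReadAll(r.Body)` in the second hunk still buffers the entire request body with no size limit, and because the HMAC check needs the full body this read necessarily happens before any authentication, so an unauthenticated sender can make the handler allocate an arbitrarily large payload; bound it at the source, e.g. `body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxWebhookBody))` with `maxWebhookBody` a new constant sized for the largest GitHub event the plugin expects (placeholder name). Moving the signature check ahead of `github.ParseWebHook` is the right direction, since unsigned input no longer reaches the parser or the event log. With the secret now gating the whole handler it is worth confirming that `verifyWebhookSignature` (defined outside this hunk) fails closed when `config.WebhookSecret` is empty rather than reporting any request as valid. GitHub also sends `X-Hub-Signature-256`; preferring that header when present would let the `//nolint:gosec` suppression on the sha1 import eventually go away. `handleWebhook` continues past the end of the hunk.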