author | AJ <scisco@users.noreply.github.com> | 2014-08-06 10:09:17 -0400 |
committer | AJ <scisco@users.noreply.github.com> | 2014-08-06 10:09:17 -0400 |
commit | 4578551c7cbee734b544223bb3571a7cb6e426bd (patch) | |
tree | e12d01ccaad1a5f2aed8acdd41b8a6df73765c5a | |
parent | 22d8875c637221bf5fd354dc44d2aa7862848208 (diff) | |
parent | 05545de567a11eb1cda5bb848d373834a7bb9e1a (diff) |
Merge pull request #20 from developmentseed/Phillipmartin-validate_x_hub_sig
Phillipmartin validate x hub sig
-rw-r--r-- | config.sample.json | 1 | ||||
-rwxr-xr-x | jekyll-hook.js | 26 |
2 files changed, 26 insertions, 1 deletions
diff --git a/config.sample.json b/config.sample.json
index 01da368..eba0920 100644
--- a/config.sample.json
+++ b/config.sample.json
@@ -6,6 +6,7 @@
 "build": "./scripts/build.sh",
 "publish": "./scripts/publish.sh"
 },
+ "secret": "",
 "email": {
 "isActivated": false,
 "user": "",
diff --git a/jekyll-hook.js b/jekyll-hook.js
index e75a9f3..ab1d6a9 100755
--- a/jekyll-hook.js
+++ b/jekyll-hook.js
@@ -9,8 +9,32 @@ var tasks = queue(1);
 var spawn = require('child_process').spawn;
 var email = require('emailjs/email');
 var mailer = email.server.connect(config.email);
+var crypto = require('crypto');
+var hmac = crypto.createHmac('sha1', config.secret);
-app.use(express.bodyParser());
+app.use(express.bodyParser({
+ verify: function(req,res,buffer){
+ if(!req.headers['x-hub-signature']){
+ return;
+ }
+
+ if(!config.secret || config.secret==""){
+ console.log("Recieved a X-Hub-Signature header, but cannot validate as no secret is configured");
+ return;
+ }
+
+ var recieved_sig = req.headers['x-hub-signature'].split('=')[1];
+ var computed_sig = hmac.update(buffer).digest('hex');
+
+ if(recieved_sig != computed_sig){
+ console.warn('Recieved an invalid HMAC: calculated:' + computed_sig + ' != recieved:' + recieved_sig);
+ var err = new Error('Invalid Signature');
+ err.status = 403;
+ throw err;
+ }
+ }
+
+}));
 // Receive webhook post
 app.post('/hooks/jekyll/:branch', function(req, res) {
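Review bot: The Hmac object is created once at module scope (`var hmac = crypto.createHmac('sha1', config.secret);`) and reused inside `verify`, but `digest('hex')` finalizes it, so only the first signed request can be validated and, depending on the Node version, every later `hmac.update(buffer)` either throws or digests accumulated data from earlier bodies; build it per request instead, `var computed_sig = crypto.createHmac('sha1', config.secret).update(buffer).digest('hex');`, and drop the module-level `hmac`. The early `return` when `x-hub-signature` is absent means that once a secret is configured an unsigned request is accepted with no check at all, which defeats the validation; when `config.secret` is set, a missing header should be rejected with the same 403 as a bad signature. The `recieved_sig != computed_sig` comparison is not constant-time and `split('=')[1]` assumes the `sha1=` prefix without checking it; where the Node version provides it, compare the two digests with `crypto.timingSafeEqual` on equal-length buffers and verify the algorithm prefix explicitly. The `app.post('/hooks/jekyll/:branch', ...)` handler opens at the end of the hunk and its body continues outside it.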