From 0e6ce5357e72799eff587f8ed3c664b1635256f4 Mon Sep 17 00:00:00 2001
From: Philip Martin
Date: Tue, 3 Jun 2014 10:31:23 -0700
Subject: Add the ability to validate the X-Hub-Signature header

---
 config.sample.json | 1 +
 jekyll-hook.js | 26 +++++++++++++++++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/config.sample.json b/config.sample.json
index 1ad82cf..40fba54 100644
--- a/config.sample.json
+++ b/config.sample.json
@@ -5,6 +5,7 @@
 "build": "./scripts/build.sh",
 "publish": "./scripts/publish.sh"
 },
+ "secret": "",
 "email": {
 "user": "",
 "password": "",
diff --git a/jekyll-hook.js b/jekyll-hook.js
index 5154fd6..dcc1410 100755
--- a/jekyll-hook.js
+++ b/jekyll-hook.js
@@ -9,8 +9,32 @@ var tasks = queue(1);
 var spawn = require('child_process').spawn;
 var email = require('emailjs/email');
 var mailer = email.server.connect(config.email);
+var crypto = require('crypto');
 
-app.use(express.bodyParser());
+app.use(express.bodyParser({
+ verify: function(req,res,buffer){
+ if(!req.headers['x-hub-signature']){
+ return;
+ }
+
+ if(!config.secret || config.secret==""){
+ console.log("Recieved a X-Hub-Signature header, but cannot validate as no secret is configured");
+ return;
+ }
+
+ var hmac = crypto.createHmac('sha1', config.secret);
+ var recieved_sig = req.headers['x-hub-signature'].split('=')[1];
+ var computed_sig = hmac.update(buffer).digest('hex');
+
+ if(recieved_sig != computed_sig){
+ console.warn('Recieved an invalid HMAC: calculated:' + computed_sig + ' != recieved:' + recieved_sig);
+ var err = new Error('Invalid Signature');
+ err.status = 403;
+ throw err;
+ }
+ }
+
+}));
 
 // Receive webhook post
 app.post('/hooks/jekyll/:branch', function(req, res) {
-- 
cgit v1.2.3
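Review bot: The first guard in the new `verify` callback returns without error whenever the `x-hub-signature` header is absent, even when `config.secret` is set, so the check is only enforced for requests that choose to carry the header; when a secret is configured, a missing header should produce the same 403 `Error` as a bad one, and the silent return should be kept only for the no-secret case. The comparison `recieved_sig != computed_sig` is also a plain string compare; on Node versions that provide it, `crypto.timingSafeEqual` on equal-length Buffers is the usual constant-time form (it throws on unequal lengths, so compare lengths first). The two log messages misspell "Received"; they are runtime strings, so adjust them deliberately if you touch these lines. A rewritten body of `verify` is below; the rest of the hunk is unchanged.
```javascript
  verify: function(req,res,buffer){
    var header = req.headers['x-hub-signature'];
    if(!header){
      if(!config.secret){ return; }
      var missing = new Error('Missing Signature');
      missing.status = 403;
      throw missing;
    }
    // … unchanged: "no secret configured" log and early return …
    var received = Buffer.from(String(header).split('=')[1] || '', 'hex');
    var computed = crypto.createHmac('sha1', config.secret).update(buffer).digest();
    // timingSafeEqual throws on unequal lengths, so the length check comes first.
    if(received.length !== computed.length || !crypto.timingSafeEqual(received, computed)){
      console.warn('Received an invalid X-Hub-Signature');
      var err = new Error('Invalid Signature');
      err.status = 403;
      throw err;
    }
  }
```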