Hook.io webhook to prevent spoofed GitHub commits, i.e. commits pushed by a user who did not author them (git allows the commit author to be set at will, so a pusher can impersonate other users)
// The hook variable has a bunch of information about the request, check hook.io's documentation to learn more about it
module['exports'] = function accessRequestData (hook) {
var request = require('request');
var OAuth_token = hook.env.token;
// After creating your token on Github.com -> Settings -> Personal access tokens,
// add the token as an environment variable names 'token' on hook.io.
var params = hook.params;
var pusher = params.pusher;
var repo = params.repository.full_name;
var sha = params.after;
var allow = true;
var commits = params.commits;
for(var commit in commits){
var author = commits[commit].author;
if(author.email !== pusher.email /*|| author.name !== pusher.name*/){
allow = false;
break;
}
}
if(allow){
var status = {"state": "success", "description": "All ok!", "context": "security"};
hook.res.write("Authorized.");
} else {
var status = {"state": "failure", "description": "Includes commits not from the pusher", "context": "security"};
hook.res.write("Denied: contains commits not from the pusher!");
}
var bodyString=JSON.stringify(status);
request.post({
url: "https://api.github.com/repos/" + repo + "/statuses/" + sha,
headers: {'User-Agent': 'Hook.io', 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(bodyString), 'Authorization': 'token ' + OAuth_token},
body: bodyString
}, function(error, response, body){
//hook.res.write(error);
//hook.res.write(response);
hook.res.write(body);
hook.res.write("done!");
hook.res.end();
});
};