@ric2b
Created October 5, 2016 18:17
Hook.io webhook that flags GitHub pushes containing commits not authored by the pusher (git lets you set any commit author, so a pusher can impersonate another user). Note that it does not reject the push itself: it posts a commit status (context `security`) on the pushed head, so it only blocks merges where that status check is required.
// The hook variable has a bunch of information about the request, check hook.io's documentation to learn more about it
module['exports'] = function accessRequestData (hook) {
var request = require('request');
var OAuth_token = hook.env.token;
// After creating your token on Github.com -> Settings -> Personal access tokens,
// add the token as an environment variable names 'token' on hook.io.
var params = hook.params;
var pusher = params.pusher;
var repo = params.repository.full_name;
var sha = params.after;
var allow = true;
var commits = params.commits;
for(var commit in commits){
var author = commits[commit].author;
if(author.email !== pusher.email /*|| author.name !== pusher.name*/){
allow = false;
break;
}
}
if(allow){
var status = {"state": "success", "description": "All ok!", "context": "security"};
hook.res.write("Authorized.");
} else {
var status = {"state": "failure", "description": "Includes commits not from the pusher", "context": "security"};
hook.res.write("Denied: contains commits not from the pusher!");
}
var bodyString=JSON.stringify(status);
request.post({
url: "https://api.github.com/repos/" + repo + "/statuses/" + sha,
headers: {'User-Agent': 'Hook.io', 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(bodyString), 'Authorization': 'token ' + OAuth_token},
body: bodyString
}, function(error, response, body){
//hook.res.write(error);
//hook.res.write(response);
hook.res.write(body);
hook.res.write("done!");
hook.res.end();
});
};