Verify GitLab headers on push webhook

Gitlab sends the 'X-Gitlab-Event' header for all the webhook requests. Verify it so we reduce the chance that robots call the hooks accidentally. Signed off by: Daniel Miranda <danielkza2@gmail.com>

Verify GitLab headers on push webhook
Gitlab sends the 'X-Gitlab-Event' header for all the webhook requests. Verify it so we reduce the chance that robots call the hooks accidentally. Signed off by: Daniel Miranda <danielkza2@gmail.com>
Heitor
1 parent bd6b0bc9
Showing 2 changed files with 27 additions and 12 deletions Show diff stats
app/controllers/repositories_controller.rb
spec/controllers/repositories_controller_spec.rb
@@ -97,13 +97,17 @@ class RepositoriesController &lt; ApplicationController
   end
  
   def notify_push
+    gitlab_event = request.headers['X-Gitlab-Event']
+    if gitlab_event.nil? || !gitlab_event.end_with?('Push Hook')
+      return render nothing: true, status: :unprocessable_entity
+    end
     set_repository
-    @repository.cancel_processing_of_repository if @repository.last_processing_state.end_with? 'ING'
+    @repository.cancel_processing_of_repository unless %w(READY, ERROR).include? @repository.last_processing_state
     @repository.process
-    render :nothing => true, :status => :ok
+    render nothing: true, status: :ok
   end
  
-private
+  private
   def set_project_id_repository_types_and_configurations
     @project_id = params[:project_id]
     @repository_types = Repository.repository_types
@@ -475,9 +475,14 @@ describe RepositoriesController, :type =&gt; :controller do
   end
  
   describe 'notify_push' do
-    context 'with a valid repository' do
-      let(:repository) { FactoryGirl.build(:repository) }
+    let(:repository) { FactoryGirl.build(:repository) }
  
+    def post_push
+      @request.env['HTTP_X_GITLAB_EVENT'] = ['Push Hook', 'Tag Push Hook'].sample
+      post :notify_push, id: repository.id
+    end
+
+    context 'with a valid repository' do
       before :each do
         Repository.expects(:find).with(repository.id).returns(repository)
       end
@@ -487,7 +492,7 @@ describe RepositoriesController, :type =&gt; :controller do
           repository.expects(:last_processing_state).returns('INTERPRETING')
           repository.expects(:cancel_processing_of_repository).once
           repository.expects(:process).once
-          post :notify_push, id: repository.id
+          post_push
         end
  
         it { is_expected.to respond_with(:ok) }
@@ -497,7 +502,7 @@ describe RepositoriesController, :type =&gt; :controller do
         before do
           repository.expects(:last_processing_state).returns('ERROR')
           repository.expects(:process).once
-          post :notify_push, id: repository.id
+          post_push
         end
  
         it { is_expected.to respond_with(:ok) }
@@ -507,7 +512,7 @@ describe RepositoriesController, :type =&gt; :controller do
         before do
           repository.expects(:last_processing_state).returns('READY')
           repository.expects(:process).once
-          post :notify_push, id: repository.id
+          post_push
         end
  
         it { is_expected.to respond_with(:ok) }
@@ -515,14 +520,20 @@ describe RepositoriesController, :type =&gt; :controller do
     end
  
     context 'with an invalid repository' do
-      let(:repository_id) { 1 }
-
       before :each do
-        Repository.expects(:find).with(repository_id).raises(KalibroClient::Errors::RecordNotFound)
-        post :notify_push, id: repository_id
+        Repository.expects(:find).with(repository.id).raises(KalibroClient::Errors::RecordNotFound)
+        post_push
       end
  
       it { is_expected.to respond_with(:not_found) }
     end
+
+    context 'with an invalid header' do
+      before :each do
+        post :notify_push, id: repository.id
+      end
+
+      it { is_expected.to respond_with(:unprocessable_entity) }
+    end
   end
 end
...	...	@@ -97,13 +97,17 @@ class RepositoriesController < ApplicationController
97	97	end
98	98
99	99	def notify_push
	100	+ gitlab_event = request.headers['X-Gitlab-Event']
	101	+ if gitlab_event.nil? \|\| !gitlab_event.end_with?('Push Hook')
	102	+ return render nothing: true, status: :unprocessable_entity
	103	+ end
100	104	set_repository
101		- @repository.cancel_processing_of_repository if @repository.last_processing_state.end_with? 'ING'
	105	+ @repository.cancel_processing_of_repository unless %w(READY, ERROR).include? @repository.last_processing_state
102	106	@repository.process
103		- render :nothing => true, :status => :ok
	107	+ render nothing: true, status: :ok
104	108	end
105	109
106		-private
	110	+ private
107	111	def set_project_id_repository_types_and_configurations
108	112	@project_id = params[:project_id]
109	113	@repository_types = Repository.repository_types
...	...
...	...	@@ -475,9 +475,14 @@ describe RepositoriesController, :type => :controller do
475	475	end
476	476
477	477	describe 'notify_push' do
478		- context 'with a valid repository' do
479		- let(:repository) { FactoryGirl.build(:repository) }
	478	+ let(:repository) { FactoryGirl.build(:repository) }
480	479
	480	+ def post_push
	481	+ @request.env['HTTP_X_GITLAB_EVENT'] = ['Push Hook', 'Tag Push Hook'].sample
	482	+ post :notify_push, id: repository.id
	483	+ end
	484	+
	485	+ context 'with a valid repository' do
481	486	before :each do
482	487	Repository.expects(:find).with(repository.id).returns(repository)
483	488	end
...	...	@@ -487,7 +492,7 @@ describe RepositoriesController, :type => :controller do
487	492	repository.expects(:last_processing_state).returns('INTERPRETING')
488	493	repository.expects(:cancel_processing_of_repository).once
489	494	repository.expects(:process).once
490		- post :notify_push, id: repository.id
	495	+ post_push
491	496	end
492	497
493	498	it { is_expected.to respond_with(:ok) }
...	...	@@ -497,7 +502,7 @@ describe RepositoriesController, :type => :controller do
497	502	before do
498	503	repository.expects(:last_processing_state).returns('ERROR')
499	504	repository.expects(:process).once
500		- post :notify_push, id: repository.id
	505	+ post_push
501	506	end
502	507
503	508	it { is_expected.to respond_with(:ok) }
...	...	@@ -507,7 +512,7 @@ describe RepositoriesController, :type => :controller do
507	512	before do
508	513	repository.expects(:last_processing_state).returns('READY')
509	514	repository.expects(:process).once
510		- post :notify_push, id: repository.id
	515	+ post_push
511	516	end
512	517
513	518	it { is_expected.to respond_with(:ok) }
...	...	@@ -515,14 +520,20 @@ describe RepositoriesController, :type => :controller do
515	520	end
516	521
517	522	context 'with an invalid repository' do
518		- let(:repository_id) { 1 }
519		-
520	523	before :each do
521		- Repository.expects(:find).with(repository_id).raises(KalibroClient::Errors::RecordNotFound)
522		- post :notify_push, id: repository_id
	524	+ Repository.expects(:find).with(repository.id).raises(KalibroClient::Errors::RecordNotFound)
	525	+ post_push
523	526	end
524	527
525	528	it { is_expected.to respond_with(:not_found) }
526	529	end
	530	+
	531	+ context 'with an invalid header' do
	532	+ before :each do
	533	+ post :notify_push, id: repository.id
	534	+ end
	535	+
	536	+ it { is_expected.to respond_with(:unprocessable_entity) }
	537	+ end
527	538	end
528	539	end
...	...