Merge pull request #3 from JustPlayerDE/main

feat: Validate signature and payload from github

README.md

@@ -12,16 +12,18 @@ Relay sent webhooks for repository `push` events to your Discord server.
 2. **Unzip it** and **upload folder content** to your webhost
 
 ### With Composer
-1. **Download** ``relay.php`` and ``config.php`` files and **upload them** to your webhost
+1. **Download** ``relay.php`` and ``config.php`` files and **upload them** to your webhost  
 2. **Install** [Livaco Discord Webhook library](https://github.com/LivacoNew/EasyDiscordWebhook) using ``composer install`` command
 
 ---
 
 3. **Edit ``config.php`` to your likings**
-> For ``$dc_webhookurl``: Edit channel > Integrations > Webhooks > Create or select one > Copy Webhook URL
+> For ``$dc_webhookurl``: Edit channel > Integrations > Webhooks > Create or select one > Copy Webhook URL  
+> For ``$dc_secret``: You can set a secret, which will be used to verify the webhook's authenticity. (It needs to be the same as in your repository settings and should be secure.)
 4. In your **repository settings**, **add a Webhook** with the following details
 > Payload URL: `URL to your relay.php file` *(https://example.com/relay.php)*  
-> Content Type: `application/x-www-form-urlencoded`
+> Content Type: `application/x-www-form-urlencoded`  
+> Secret: Here you can enter a secret, which will be used to verify the webhook's authenticity. (It needs to be the same as in your config.php and should be secure.)
 5. Upon webhook creation, you should now receive a **message upon every push to the repository**
 > ![image](https://user-images.githubusercontent.com/64563384/223610428-4b47fafd-1f90-4e71-b515-7093bf83edb1.png)
 

config.php

@@ -3,4 +3,5 @@
 $dc_webhookurl = array("");    // Discord Webhooks to send to
 $dc_hiddenchar = "!";   // If commit message is prefixed with this character, it'll hidden it
 $dc_hiddenmsg = "This commit is private."; // Text to show if a commit message is hidden
-$dc_hiddenreps = array();  // An array containing repo names to hide - use short version, not Organization/repository
+$dc_hiddenreps = array();  // An array containing repo names to hide - use short version, not Organization/repository
+$dc_secret = ""; // Secret key to verify payload

relay.php

@@ -11,6 +11,7 @@
     "REQUEST_METHOD" => "POST",
     "HTTP_X_GITHUB_EVENT" => "push",
     "HTTP_USER_AGENT" => "GitHub-Hookshot/*",
+    "HTTP_X_HUB_SIGNATURE-256" => "sha256=*"
 );
 
 // Check if request is sent from GitHub - Credits: https://gist.github.com/jplitza/88d64ce351d38c2f4198
@@ -35,6 +36,26 @@ function verifyHeaders($received, $check, $name = "array") {
 $bHeaders = verifyHeaders($_SERVER, $aHeaders, "$_SERVER");
 if (!$bHeaders) { http_response_code(403); die("Forbidden\n"); }
 
+// Verify signature to make sure it's from GitHub
+try {
+    // Get signature and raw payload
+    $sSignature = $_SERVER["HTTP_X_HUB_SIGNATURE_256"];
+    $sRawPayload = file_get_contents("php://input");
+
+    // Get algorithm and hash from signature
+    list($sAlgo, $sHash) = explode("=", $sSignature, 2);
+
+    // Generate payload hash based on algorithm and secret
+    $sPayloadHash = hash_hmac($sAlgo, $sRawPayload, $dc_secret);
+
+    if ($sHash !== $sPayloadHash) {
+        http_response_code(403); die("Forbidden\n");
+    }
+} catch (Exception $e) {
+    // if something goes wrong, just die
+    http_response_code(403); die("Forbidden\n");
+}
+
 // Test if we got a payload or if someone accessed the website directly
 if (isset($_POST["payload"])) {
     $sPayload = $_POST["payload"];