diff --git a/README.md b/README.md
index 27cba3f..9cada78 100644
--- a/README.md
+++ b/README.md
@@ -12,16 +12,18 @@ Relay sent webhooks for repository `push` events to your Discord server.
 2. **Unzip it** and **upload folder content** to your webhost
 ### With Composer
-1. **Download** ``relay.php`` and ``config.php`` files and **upload them** to your webhost
+1. **Download** ``relay.php`` and ``config.php`` files and **upload them** to your webhost
 2. **Install** [Livaco Discord Webhook library](https://github.com/LivacoNew/EasyDiscordWebhook) using ``composer install`` command
 ---
 3. **Edit ``config.php`` to your likings**
-> For ``$dc_webhookurl``: Edit channel > Integrations > Webhooks > Create or select one > Copy Webhook URL
+> For ``$dc_webhookurl``: Edit channel > Integrations > Webhooks > Create or select one > Copy Webhook URL
+> For ``$dc_secret``: You can set a secret, which will be used to verify the webhook's authenticity. (It needs to be the same as in your repository settings and should be secure.)
 4. In your **repository settings**, **add a Webhook** with the following details
 > Payload URL: `URL to your relay.php file` *(https://example.com/relay.php)*
-> Content Type: `application/x-www-form-urlencoded`
+> Content Type: `application/x-www-form-urlencoded`
+> Secret: Here you can enter a secret, which will be used to verify the webhook's authenticity. (It needs to be the same as in your config.php and should be secure.)
 5. Upon webhook creation, you should now receive a **message upon every push to the repository**
 > ![image](https://user-images.githubusercontent.com/64563384/223610428-4b47fafd-1f90-4e71-b515-7093bf83edb1.png)
diff --git a/config.php b/config.php
index e547e57..68f5994 100644
--- a/config.php
+++ b/config.php
@@ -3,4 +3,5 @@
 $dc_webhookurl = array(""); // Discord Webhooks to send to
 $dc_hiddenchar = "!"; // If commit message is prefixed with this character, it'll hidden it
 $dc_hiddenmsg = "This commit is private."; // Text to show if a commit message is hidden
-$dc_hiddenreps = array(); // An array containing repo names to hide - use short version, not Organization/repository
\ No newline at end of file
+$dc_hiddenreps = array(); // An array containing repo names to hide - use short version, not Organization/repository
+$dc_secret = ""; // Secret key to verify payload
\ No newline at end of file
diff --git a/relay.php b/relay.php
index d5924ef..b93aad8 100644
--- a/relay.php
+++ b/relay.php
@@ -11,6 +11,7 @@
 "REQUEST_METHOD" => "POST",
 "HTTP_X_GITHUB_EVENT" => "push",
 "HTTP_USER_AGENT" => "GitHub-Hookshot/*",
+ "HTTP_X_HUB_SIGNATURE-256" => "sha256=*"
 );
 // Check if request is sent from GitHub - Credits: https://gist.github.com/jplitza/88d64ce351d38c2f4198
@@ -35,6 +36,26 @@ function verifyHeaders($received, $check, $name = "array") {
 $bHeaders = verifyHeaders($_SERVER, $aHeaders, "$_SERVER");
 if (!$bHeaders) { http_response_code(403); die("Forbidden\n"); }
+// Verify signature to make sure it's from GitHub
+try {
+ // Get signature and raw payload
+ $sSignature = $_SERVER["HTTP_X_HUB_SIGNATURE_256"];
+ $sRawPayload = file_get_contents("php://input");
+
+ // Get algorithm and hash from signature
+ list($sAlgo, $sHash) = explode("=", $sSignature, 2);
+
+ // Generate payload hash based on algorithm and secret
+ $sPayloadHash = hash_hmac($sAlgo, $sRawPayload, $dc_secret);
+
+ if ($sHash !== $sPayloadHash) {
+ http_response_code(403); die("Forbidden\n");
+ }
+} catch (Exception $e) {
+ // if something goes wrong, just die
+ http_response_code(403); die("Forbidden\n");
+}
+
+ // Test if we got a payload or if someone accessed the website directly
+ if (isset($_POST["payload"])) {
+ $sPayload = $_POST["payload"];
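Review bot: The new `$dc_secret` line ships with an empty default and a comment that does not tell the operator it is now mandatory, even though relay.php verifies every request against it unconditionally in the same commit, so a deployment that leaves it blank stops relaying pushes with no hint why. I would make the comment carry that contract: `$dc_secret = ""; // Webhook secret used to verify the payload signature - must match the Secret set in the repository's webhook settings; relay.php rejects every request when this does not match`. It is also worth stating there that the value should be long and random, e.g. generated once with `bin2hex(random_bytes(32))`, since it is the only thing standing between the relay and forged push notifications.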
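Review bot: The added header-table key `"HTTP_X_HUB_SIGNATURE-256"` cannot match anything in `$_SERVER`: PHP exposes the `X-Hub-Signature-256` request header as `HTTP_X_HUB_SIGNATURE_256` (hyphens become underscores), which is exactly the key the verification block in the next hunk reads, so whatever `verifyHeaders` does with this entry (its body is outside the hunk) the `sha256=*` pattern meant to pin the algorithm never applies; change it to `"HTTP_X_HUB_SIGNATURE_256" => "sha256=*"`. Because that pattern is not enforced, the next hunk's `list($sAlgo, $sHash) = explode("=", $sSignature, 2)` lets the client choose the algorithm passed to `hash_hmac`; I would hard-code `hash_hmac("sha256", $sRawPayload, $dc_secret)` and compare with `hash_equals($sPayloadHash, (string) $sHash)` rather than `!==`, so the check is constant-time and independent of what the request says. Note also that `catch (Exception $e)` does not catch the `ValueError`/`TypeError` that `hash_hmac` raises on PHP 8 for an unknown algorithm or a missing header (those extend `Error`), so the fail-closed branch should guard with `isset($_SERVER["HTTP_X_HUB_SIGNATURE_256"])` up front or catch `\Throwable`.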