From 493917d8b14fac50ca2ad8f6c8ffff0c0403a5e1 Mon Sep 17 00:00:00 2001
From: rubenwardy
Date: Sat, 25 Jan 2020 00:04:56 +0000
Subject: [PATCH] Restrict webhooks to trusted users

---
 app/blueprints/github/__init__.py | 16 ++++++++++++----
 app/templates/packages/view.html | 2 +-
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/app/blueprints/github/__init__.py b/app/blueprints/github/__init__.py
index d05dffce..e3ce8d7a 100644
--- a/app/blueprints/github/__init__.py
+++ b/app/blueprints/github/__init__.py
@@ -23,7 +23,7 @@ from flask_user import current_user, login_required
 from sqlalchemy import func
 from flask_github import GitHub
 from app import github, csrf
-from app.models import db, User, APIToken, Package
+from app.models import db, User, APIToken, Package, Permission
 from app.utils import loginUser, randomString
 from app.blueprints.api.support import error, handleCreateRelease
 import hmac, requests, json
@@ -114,6 +114,9 @@ def webhook():
 if actual_token is None:
 return error(403, "Invalid authentication")
 
+ if not package.checkPerm(actual_token.owner, Permission.APPROVE_RELEASE):
+ return error(403, "Only trusted members can use webhooks")
+
 #
 # Check event
 #
@@ -163,6 +166,10 @@ def setup_webhook():
 if package is None:
 abort(404)
 
+ if not package.checkPerm(current_user, Permission.APPROVE_RELEASE):
+ flash("Only trusted members can use webhooks", "danger")
+ return redirect(package.getDetailsURL())
+
 gh_user, gh_repo = package.getGitHubFullName()
 if gh_user is None or gh_repo is None:
 flash("Unable to get Github full name from repo address", "danger")
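Review bot: The new permission gate in webhook() carries no comment explaining why APPROVE_RELEASE is the bar for an incoming webhook, or that it is re-evaluated on every call against `actual_token.owner`, so a token silently stops working when its owner loses that permission; suggest `# Re-checked per request against the token owner, not the token: losing APPROVE_RELEASE revokes webhook use without rotating the token.` above the new `if`. Keeping the status at 403 for both the bad-token and the no-permission case is consistent with the existing error() call just above it. The same gate is added in setup_webhook() in the next hunk, so the two should stay in step if the required permission ever changes. webhook() starts and ends outside this hunk, so where `package` is bound is not visible here.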
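Review bot: setup_webhook() now requires only APPROVE_RELEASE on the package, whereas the view.html change in this same commit also requires `package.author == current_user` before showing the link; hiding the link does not stop a direct request to the route, so if authorship is meant to be part of the policy it has to be enforced here as well, and if it is not, the template hides the link from users the server permits. The template also passes the permission as the string `"APPROVE_RELEASE"` while this code passes `Permission.APPROVE_RELEASE`; whether checkPerm accepts both forms is not visible here, so it is worth confirming. A short comment such as `# Same bar as the webhook endpoint: only trusted members may wire up a webhook` would tie the two checks together. setup_webhook() continues outside the hunk.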
@@ -207,15 +214,16 @@ def setup_webhook():
 db.session.commit()
 return redirect(package.getDetailsURL())
- elif r.status_code == 403:
+ elif r.status_code == 401 or r.status_code == 403:
 current_user.github_access_token = None
 db.session.commit()
 return github.authorize("write:repo_hook", \
 redirect_uri=url_for("github.callback_webhook", pid=pid, _external=True))
 else:
- flash("Failed to create webhook, received response from Github: " +
- str(r.json().get("message") or r.status_code), "danger")
+ flash("Failed to create webhook, received response from Github " +
+ str(r.status_code) + ": " +
+ str(r.json().get("message")), "danger")
 return render_template("github/setup_webhook.html", \
 form=form, package=package)
diff --git a/app/templates/packages/view.html b/app/templates/packages/view.html
index e5ab1e41..9dce0d44 100644
--- a/app/templates/packages/view.html
+++ b/app/templates/packages/view.html
@@ -364,7 +364,7 @@
- {% if package.getIsOnGitHub() %}
+ {% if package.author == current_user and package.checkPerm(current_user, "APPROVE_RELEASE") and package.getIsOnGitHub() %}
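Review bot: The rewritten else-branch flash still calls `r.json()` unguarded; on a non-JSON error body (an HTML page from a proxy, an empty 5xx) requests raises ValueError and the view fails with a 500 instead of the flash, and the rewrite also dropped the old `or r.status_code` fallback, so a JSON body without a `message` key now flashes the literal "None". Suggest decoding the body once with a fallback, as below. `r.status_code == 401 or r.status_code == 403` reads more simply as `r.status_code in (401, 403)`. Clearing `github_access_token` and re-running authorize on 401 as well as 403 looks reasonable; the enclosing `if` on the 201 case starts outside the hunk.
```python
		else:
			try:
				message = r.json().get("message")
			except ValueError:
				message = None
			flash("Failed to create webhook, received response from Github " +
					str(r.status_code) + ": " + str(message or "no message"), "danger")
```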

Set up a webhook