lohr: validate webhook signature
Previously lohr was unusable in a production setting; anyone could forge a malicious webhook and either:

- mirror a private repo of yours to another remote they own
- wipe a repo of yours by forcing mirroring from an empty mirror

This is no longer the case!
parent 7134b7700f
commit 7e3c8b8f28
5 changed files with 156 additions and 5 deletions
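As an added illustration of the check this commit introduces (example code written for this page, not lohr's own; lohr is written in Rust, this is a stand-alone Python sketch), here is a webhook handler that verifies an HMAC-SHA256 signature before it derives any mirror job from the payload. The header name `x-hub-signature-256`, the `sha256=<hex>` value format, the shared secret and the push payload are all assumptions constructed for the example; the forge lohr receives from may use a different header.

```python
"""Webhook signature validation for a git-mirroring service.

Added example; not lohr's code. The header name, the "sha256=<hex>"
encoding, the secret and the payload are assumptions constructed for
this demo (GitHub-style); adapt them to the forge you actually receive from.
"""
import hashlib
import hmac
import json
from typing import Mapping, Optional, Tuple

# Assumed header name and value format; the real forge may differ.
SIGNATURE_HEADER = "x-hub-signature-256"

# Constructed sample data: a shared secret configured on both the forge and
# the mirror service, and a push payload for a private repository.
SECRET = b"c0nfigured-on-both-sides"
PUSH_BODY = (b'{"ref":"refs/heads/main",'
             b'"repository":{"clone_url":"https://forge.example/alice/private.git"}}')


def sign_payload(secret: bytes, body: bytes) -> str:
    """What the forge sends: hex HMAC-SHA256 of the raw body, prefixed with its scheme."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: Mapping[str, str], body: bytes) -> bool:
    """Return True only if `body` was signed with `secret`.

    Every failure path (missing header, unknown scheme, malformed hex, wrong
    length, mismatch) returns False instead of raising, so the handler rejects
    uniformly and never reaches the mirror job on a forged request.
    """
    presented = None
    for name, value in headers.items():  # HTTP header names are case-insensitive
        if name.lower() == SIGNATURE_HEADER:
            presented = value
            break
    if presented is None:
        return False
    scheme, sep, hex_mac = presented.partition("=")
    if sep != "=" or scheme != "sha256":
        return False
    try:
        presented_mac = bytes.fromhex(hex_mac)  # rejects odd length and non-hex characters
    except ValueError:
        return False
    # MAC the raw bytes as received, never a re-serialised copy of the JSON.
    expected_mac = hmac.new(secret, body, hashlib.sha256).digest()
    # Constant-time comparison; it also returns False on a length mismatch,
    # so a truncated or empty MAC cannot pass.
    return hmac.compare_digest(presented_mac, expected_mac)


def handle_webhook(secret: bytes, headers: Mapping[str, str], body: bytes) -> Tuple[int, Optional[str]]:
    """Verify first, and only then derive the mirror job from the body.

    Returns (status, job). The job is a stand-in for what a mirror service
    would enqueue (here just the clone URL); it is None whenever the request
    is rejected, so nothing downstream can act on a forged payload.
    """
    if not verify_webhook(secret, headers, body):
        return 401, None
    payload = json.loads(body)
    return 200, payload["repository"]["clone_url"]


def demo() -> dict:
    """Run the scenarios the commit message describes; returns status per scenario."""
    good_headers = {SIGNATURE_HEADER: sign_payload(SECRET, PUSH_BODY)}
    attacker_secret = b"guess"
    # Forged payload pointing at a remote the attacker owns.
    forged_body = PUSH_BODY.replace(b"alice/private", b"mallory/exfil")
    return {
        "legitimate push": handle_webhook(SECRET, good_headers, PUSH_BODY)[0],
        "tampered body, original signature": handle_webhook(SECRET, good_headers, forged_body)[0],
        "no signature header": handle_webhook(SECRET, {}, forged_body)[0],
        "signed with attacker's own secret": handle_webhook(
            SECRET, {SIGNATURE_HEADER: sign_payload(attacker_secret, forged_body)}, forged_body)[0],
        "malformed hex": handle_webhook(SECRET, {SIGNATURE_HEADER: "sha256=zz"}, PUSH_BODY)[0],
        "empty mac": handle_webhook(SECRET, {SIGNATURE_HEADER: "sha256="}, PUSH_BODY)[0],
    }


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{status}  {scenario}")
```

Two design points carry over to any implementation, Rust included: the MAC is computed over the raw request body bytes exactly as received (re-serialising the parsed JSON changes whitespace and key order and breaks the check), and every malformed-header case collapses into the same rejection rather than a panic, so an attacker gains neither a crash nor a distinguishable error.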
Cargo.lock (generated), 10 changes
@ -336,6 +336,12 @@ dependencies = [
"libc",
]
[[package]]
name = "hex"
version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
[[package]]
name = "hkdf"
version = "0.10.0"
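Review bot: the only change in this hunk is the new hex 0.4.3 entry, which is what a generated lockfile should show; the point to carry into the handler is that hex is presumably there to decode the hex-encoded signature header, and that decode must fail closed: a header that is absent, has odd length or contains non-hex characters must turn into a rejected request, not an unwrap or panic in the route. The hkdf 0.10.0 entry that follows is unchanged context.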
@ -494,11 +500,15 @@ name = "lohr"
version = "0.2.1"
dependencies = [
"anyhow",
"hex",
"hmac",
"log 0.4.14",
"rocket",
"rocket_contrib",
"serde",
"serde_json",
"serde_yaml",
"sha2",
]
[[package]]
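Review bot: lohr now pulls in hex, hmac and sha2, so the validation is presumably an HMAC-SHA256 over the request body; the comparison against the decoded header value should go through the hmac crate's constant-time `verify` method rather than `==` on byte slices or hex strings, and the MAC must be computed over the raw body bytes as received, not over a re-serialised JSON value. The `version = "0.2.1"` line in this hunk is unchanged context; since a deployment now needs a configured secret to accept any webhook at all, bumping the package version in Cargo.toml (with a matching lockfile update) would flag the behavioural change to existing users.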