alarsyo/lohr
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

lohr: validate webhook signature

Browse source 
Previously lohr was unusable in a production setting, anyone could forge
a malicious webhook and either:

- mirror a private repo of yours to another remote they own
- wipe a repo of yours by forcing mirroring from an empty mirror

This is no longer the case!
This commit is contained in:
Antoine Martin 2021-03-30 11:23:09 +02:00
parent 7134b7700f
commit 7e3c8b8f28
5 changed files with 156 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Cargo.toml
View file

@ -12,8 +12,12 @@ repository = "https://github.com/alarsyo/lohr"
[dependencies]
anyhow = "1.0.40"
hex = "0.4.3"
hmac = "0.10.1"
log = "0.4.14"
rocket = "0.4.7"
rocket_contrib = { version = "0.4.7", features = [ "json" ] }
serde = { version = "1.0.125", features = [ "derive" ] }
serde_json = "1.0.64"
serde_yaml = "0.8.17"
sha2 = "0.9.3"