Merge pull request #4194 from quarkcore/fix/gitlab-empty-webhook-secret

Fix: Gitlab webhooks can be triggered without secret
Andras Bacsai 2024-11-12 10:22:36 +01:00 committed by GitHub
commit da9c8eed16
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -33,6 +33,7 @@ public function manual(Request $request)
return;
}
$return_payloads = collect([]);
$payload = $request->collect();
$headers = $request->headers->all();
@ -48,6 +49,16 @@ public function manual(Request $request)
return response($return_payloads);
}
if (empty($x_gitlab_token)) {
$return_payloads->push([
'status' => 'failed',
'message' => 'Invalid signature.',
]);
ray('Invalid signature');
return response($return_payloads);
}
if ($x_gitlab_event === 'push') {
$branch = data_get($payload, 'ref');
$full_name = data_get($payload, 'project.path_with_namespace');
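Review bot: The new rejection branch for an empty `$x_gitlab_token` still answers with the default 200 status, because `return response($return_payloads);` passes no status code, so the sender sees a successful delivery and a rejected unauthenticated call only differs in the JSON body. I would return `response($return_payloads, 401)` here and replace the `ray('Invalid signature')` debug call with a persistent log entry, so that rejected webhook attempts show up in monitoring. The comparison of the token with the application's stored secret is outside this hunk; if it is a plain `===`/`!==`, `hash_equals()` would be the safer choice, and an application with no secret configured should presumably fail closed as well. Note that `empty()` also treats the string `'0'` as empty, which is harmless here but worth a short comment. `manual()` starts and ends outside the hunk.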