artanis/BLIGHT--CUE
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix webhook signature verification for Gitea

Browse Source 
Gitea sends X-Gitea-Signature as a raw hex digest with no scheme
prefix, unlike GitHub's sha256=<digest> format. Removed the prefix
parsing that was causing every request to fail validation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Spencer
2026-03-14 22:41:02 -05:00
parent a2adda20a8
commit 7f7ebc84d7
1 changed files with 5 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
app.py
View File

@@ -20,19 +20,16 @@ app = Flask(__name__)
def _verify_signature(payload: bytes, signature_header: str | None) -> bool: def _verify_signature(payload: bytes, signature_header: str | None) -> bool:
"""Validate the Gitea webhook HMAC-SHA256 signature.""" """Validate the Gitea webhook HMAC-SHA256 signature.
Gitea sends X-Gitea-Signature as a raw hex digest (no scheme prefix).
"""
if not signature_header: if not signature_header:
return False return False
try:
scheme, provided_digest = signature_header.split("=", 1)
except ValueError:
return False
if scheme != "sha256":
return False
expected = hmac.new( expected = hmac.new(
config.WEBHOOK_SECRET.encode(), payload, hashlib.sha256 config.WEBHOOK_SECRET.encode(), payload, hashlib.sha256
).hexdigest() ).hexdigest()
return hmac.compare_digest(expected, provided_digest) return hmac.compare_digest(expected, signature_header.strip())
def _handle_push(owner: str, repo: str, changed_files: list[str]) -> None: def _handle_push(owner: str, repo: str, changed_files: list[str]) -> None: