Merge pull request #4194 from quarkcore/fix/gitlab-empty-webhook-secret

Fix: Gitlab webhooks can be triggered without secret
2024-11-12 10:22:36 +01:00
parent f0985a7e47 8ddc5d6ef7
commit da9c8eed16
1 changed files with 11 additions and 0 deletions
--- a/app/Http/Controllers/Webhook/Gitlab.php
+++ b/app/Http/Controllers/Webhook/Gitlab.php
@@ -33,6 +33,7 @@ class Gitlab extends Controller

                return;
            }
+
            $return_payloads = collect([]);
            $payload = $request->collect();
            $headers = $request->headers->all();
@@ -48,6 +49,16 @@ class Gitlab extends Controller
                return response($return_payloads);
            }

+            if (empty($x_gitlab_token)) {
+                $return_payloads->push([
+                    'status' => 'failed',
+                    'message' => 'Invalid signature.',
+                ]);
+                ray('Invalid signature');
+
+                return response($return_payloads);
+            }
+
            if ($x_gitlab_event === 'push') {
                $branch = data_get($payload, 'ref');
                $full_name = data_get($payload, 'project.path_with_namespace');