diff --git a/server.js b/server.js
index f8fea09..6675ad7 100644
--- a/server.js
+++ b/server.js
@@ -416,27 +416,27 @@ function addGHHook(app, path) {
 if (eventType !== "pull_request" && eventType !== "issue_comment") return ok(res);
 if (eventType === "issue_comment" && !event.issue.pull_request) return ok(res);
- var owner = event.repository.owner.login
- , repo = event.repository.full_name
- , repoShortname = event.repository.name
- , repoId = event.repository.id
+ const owner = event.repository.owner.login
+ , repo = event.repository.full_name
+ , repoShortname = event.repository.name
+ , repoId = event.repository.id
+ , statusData = {
+ owner,
+ shortName: repoShortname,
+ sha: event.pull_request.head.sha,
+ payload: {
+ state: "failure",
+ target_url: `${config.url}pr/id/${owner}/${repoShortname}/${event.number}`,
+ context: "ipr"
+ }
+ }
 ;
 store.getSecret(repo, async function (err, data) {
+ const { token } = await doAsync(store).getToken(owner)
+ , gh = new GH({ accessToken: token });
 if (err || !data) {
 try {
- const { token } = await doAsync(store).getToken(owner);
- const gh = new GH({ accessToken: token });
- const statusData = {
- owner,
- shortName: repoShortname,
- sha: event.pull_request.head.sha,
- payload: {
- state: "failure",
- target_url: `${config.url}pr/id/${owner}/${repoShortname}/${event.number}`,
- description: `The repository manager doesn't know the following repository: ${repo}`,
- context: "ipr"
- }
- };
+ statusData.payload.description = `The repository manager doesn't know the following repository: ${repo}`;
 gh.status(statusData, err => {
 if (err) {
 console.log(err);
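Review bot: `await doAsync(store).getToken(owner)` has moved out of the `try` that used to wrap it into the bare body of the async `getSecret` callback, so a rejected lookup (an owner with no stored token, or a store error) becomes an unhandled rejection and the request never gets a response; it also now runs for every delivery, ahead of the signature check in the following hunk, so a token lookup keyed by an unverified `owner` happens for any caller who can reach the hook. `statusData` is likewise built unconditionally, and `event.pull_request.head.sha` will throw for the `issue_comment` events the second guard lets through, since those payloads carry `issue` rather than `pull_request`; previously that expression was only reached inside the unknown-repository `try`. Keep the token/`gh` setup and the `sha` lookup in the branches that actually post a status, inside a `try`, or at least guard `event.pull_request` before reading `.head.sha`. The `getSecret` callback and `addGHHook` continue outside the hunk.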
@@ -450,7 +450,16 @@ function addGHHook(app, path) {
 }
 // we have the secret, crypto check becomes possible
- if (!GH.checkPayloadSignature("sha256", data.secret, buffer, req.headers["x-hub-signature-256"])) return error(res, "GitHub signature does not match known secret for " + repo + ".");
+ if (!GH.checkPayloadSignature("sha256", data.secret, buffer, req.headers["x-hub-signature-256"])) {
+ statusData.payload.description = `GitHub signature does not match known secret for ${repo}.`;
+ gh.status(statusData, err => {
+ if (err) {
+ console.log(err);
+ log.error(err);
+ }
+ });
+ return error(res, `GitHub signature does not match known secret for ${repo}.`);
+ }
 // for status we need: owner, repoShort, and sha
 var repoShort = event.repository.name
diff --git a/test/server-spec.js b/test/server-spec.js
index 88d379c..4b4168c 100644
--- a/test/server-spec.js
+++ b/test/server-spec.js
@@ -644,6 +644,16 @@ describe('Server manages requests from advanced privileged users in a set up rep
 .expect(500, done);
 });
+ it('reacts to pull requests notifications with the wrong signature', function testWrongSignature(done) {
+ mockPRStatus(testPR, 'failure', /GitHub signature does not match known secret for .*/);
+
+ req.post('/' + config.hookPath)
+ .send(testPR)
+ .set('X-Github-Event', 'pull_request')
+ .set('X-Hub-Signature-256', GH.signPayload("sha256", Array(20).join("@"), new Buffer(JSON.stringify(testPR))))
+ .expect(500, done);
+ });
+
 it('reacts to pull requests notifications from GH users without a known W3C account', function testPullRequestNotif(done) {
 mockPRStatus(testPR, 'pending', /.*/);
 nock('https://api.github.com')
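Review bot: The new mismatch branch calls `gh.status(statusData, …)` with the owner's token on a `sha` and PR number taken from a body that has just failed signature verification, so a request that the hook could not authenticate is enough to have the service write a "failure" status onto whichever commit those fields name; a delivery that fails the check should be logged and rejected with the existing `return error(res, …)`, and nothing from its contents should drive an authenticated API call. If a visible signal for a misconfigured secret is wanted, `log.error` here is the safe place for it, not a status derived from the unverified payload. The new test in test/server-spec.js asserts this status write through `mockPRStatus(testPR, 'failure', …)` and would lose that expectation with the fix, keeping only `.expect(500, done)`. The message is also spelled out twice; bind it once to a `const` and use it for both the description and the response. The enclosing `getSecret` callback starts and ends outside the hunk.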
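Review bot: `new Buffer(JSON.stringify(testPR))` in the new `X-Hub-Signature-256` header uses the deprecated `Buffer` constructor, which Node warns about at runtime; `Buffer.from(JSON.stringify(testPR))` is the supported form and produces the same bytes. The surrounding `describe` block opens and closes outside the hunk.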