From ab430e4843362ea179742da93419e55e05a13cf5 Mon Sep 17 00:00:00 2001
From: Yasunari Watanabe
Date: Fri, 25 Dec 2020 15:54:28 +0800
Subject: [PATCH] add option to restrict handling of GH payloads to certain repo urls

---
 lib/action.ml | 8 ++++++++
 lib/config.atd | 1 +
 2 files changed, 9 insertions(+)

diff --git a/lib/action.ml b/lib/action.ml
index b8108715..7cdb0514 100644
--- a/lib/action.ml
+++ b/lib/action.ml
@@ -223,6 +223,11 @@ module Action (Github_api : Api.Github) (Slack_api : Api.Slack) = struct
 let signing_key = Context.gh_hook_token_of_secrets secrets repo.url in
 Github.validate_signature ?signing_key ~headers body
 in
+ let repo_is_allowed secrets payload =
+ let repo = Github.repo_of_notification payload in
+ let allowed_repositories = secrets.allowed_repositories in
+ List.is_empty allowed_repositories || List.exists allowed_repositories ~f:(String.equal repo.url)
+ in
 try%lwt
 let secrets = Context.get_secrets_exn ctx in
 match Github.parse_exn headers body with
@@ -231,6 +236,9 @@ module Action (Github_api : Api.Github) (Slack_api : Api.Slack) = struct
 match validate_signature secrets payload with
 | Error e -> action_error e
 | Ok () ->
+ match repo_is_allowed secrets payload with
+ | false -> action_error "unsupported repository"
+ | true -> (
 match%lwt refresh_repo_config ctx payload with
 | Error e -> action_error e
 | Ok () ->
diff --git a/lib/config.atd b/lib/config.atd
index cd5d2d12..1fcd092a 100644
--- a/lib/config.atd
+++ b/lib/config.atd
@@ -49,4 +49,5 @@ type secrets = {
 ?gh_token : string option; (* GitHub personal access token, if repo access requires it *)
 ?gh_hook_token : string option; (* GitHub webhook token to secure the webhook *)
 ~repositories : gh_repo_secrets map_as_object;
+ ~allowed_repositories : string list; (* whitelist of repository URLs to handle notifications for *)
 }
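Review bot: `repo_is_allowed` compares `repo.url` against the allowlist with `String.equal`, so an entry that differs from the payload's URL only by a trailing slash or letter case will not match, and an empty `allowed_repositories` silently disables the check; neither rule is stated anywhere in the change. Add above the `let repo_is_allowed` line a comment such as `(* empty allowlist = accept every repository (backward compatible); entries must match the payload's repo.url byte-for-byte *)`, and carry the same wording into the `allowed_repositories` comment in the lib/config.atd hunk, which currently only says "whitelist of repository URLs". If the project already has a URL-normalizing helper, comparing normalized forms on both sides would be more robust than exact equality; otherwise the exact-match rule should at least be documented so operators configure it correctly. The enclosing function continues outside the hunk.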
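Review bot: The rejection at `| false -> action_error "unsupported repository"` discards the URL that was refused, so an operator reading the error cannot tell whether a legitimate repository is missing from `allowed_repositories` or an unexpected sender is posting to the hook. `| false -> action_error (Printf.sprintf "unsupported repository: %s" (Github.repo_of_notification payload).url)` keeps that context in the error. Matching on a bool is also less idiomatic than `if repo_is_allowed secrets payload then ( ... ) else action_error ...`, and because the inner `match` sits unparenthesized at the end of the `| Ok () ->` arm, any further arms of the outer match that follow below the hunk would be parsed as belonging to it. The closing `)` for `| true -> (` lies outside the hunk.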