Update HTTP methods to sanitize user input

Cameron Moore 2019-12-26 14:51:40 -06:00
parent c38778ba62
commit a03e812615
5 changed files with 15 additions and 7 deletions


@ -208,6 +208,10 @@ func main() {
r.HandleFunc(hooksURL, hookHandler)
} else {
allowed := strings.Split(*httpMethods, ",")
for i := range allowed {
allowed[i] = strings.TrimSpace(allowed[i])
}
r.HandleFunc(hooksURL, hookHandler).Methods(allowed...)
}
@ -257,7 +261,7 @@ func main() {
func hookHandler(w http.ResponseWriter, r *http.Request) {
rid := middleware.GetReqID(r.Context())
log.Printf("[%s] incoming HTTP request from %s\n", rid, r.RemoteAddr)
log.Printf("[%s] incoming HTTP %s request from %s\n", rid, r.Method, r.RemoteAddr)
id := mux.Vars(r)["id"]
@ -272,6 +276,10 @@ func hookHandler(w http.ResponseWriter, r *http.Request) {
if len(matchedHook.HTTPMethods) != 0 {
var allowed bool
for i := range matchedHook.HTTPMethods {
// TODO(moorereason): refactor config loading and reloading to
// sanitize these methods once at load time.
matchedHook.HTTPMethods[i] = strings.ToUpper(strings.TrimSpace(matchedHook.HTTPMethods[i]))
if matchedHook.HTTPMethods[i] == r.Method {
allowed = true
break
@ -280,6 +288,7 @@ func hookHandler(w http.ResponseWriter, r *http.Request) {
if !allowed {
w.WriteHeader(http.StatusMethodNotAllowed)
log.Printf("[%s] HTTP %s method not implemented for hook %q", rid, r.Method, id)
return
}
}
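Review bot: In the hunk at -272/+276 of hookHandler, the loop writes the normalized value back into `matchedHook.HTTPMethods[i]` on every request; if matchedHook points at the shared loaded hook configuration (its lookup is outside the hunk, so this is inferred), concurrent requests write the same slice without synchronization, and the method allow-list is being modified on the request path. Until the load-time sanitization named in the TODO exists, normalize into a local instead: `m := strings.ToUpper(strings.TrimSpace(matchedHook.HTTPMethods[i]))` followed by `if m == r.Method {`. The loop also breaks at the first match, so entries after it stay unnormalized in the stored slice, which is another reason not to rely on the write-back as sanitization. hookHandler's body starts and ends outside these hunks.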