Fix broken webhook verifier (#1145)

pluralsh · Jul 5, 2024 · b986de9 · b986de9
1 parent a7e2a4a
commit b986de9
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 2 deletions.
diff --git a/charts/controller/templates/manager-rbac.yaml b/charts/controller/templates/manager-rbac.yaml
@@ -20,9 +20,12 @@ rules:
   resources:
   - secrets
   verbs:
+  - create
+  - delete
   - get
   - list
   - patch
+  - update
   - watch
 - apiGroups:
   - deployments.plural.sh

diff --git a/lib/console_web/controllers/webhook_controller.ex b/lib/console_web/controllers/webhook_controller.ex
@@ -45,7 +45,7 @@ defmodule ConsoleWeb.WebhookController do
 
   defp verify(conn, %ScmWebhook{type: :github, hmac: hmac}) do
     with [signature] <- get_req_header(conn, "x-hub-signature-256"),
-         computed = :crypto.mac(:hmac, :sha256, hmac, conn.assigns.raw_body),
+         computed = :crypto.mac(:hmac, :sha256, hmac, Enum.reverse(conn.assigns.raw_body)),
          true <- Plug.Crypto.secure_compare(signature, "sha256=#{Base.encode16(computed, case: :lower)}") do
       :ok
     else

diff --git a/lib/console_web/plugs/cached_body_reader.ex b/lib/console_web/plugs/cached_body_reader.ex
@@ -7,5 +7,5 @@ defmodule ConsoleWeb.CacheBodyReader do
     end
   end
 
-  defp append_body(conn, body), do: update_in(conn.assigns[:raw_body], &[body | (&1 || [])])
+  defp append_body(conn, body), do: update_in(conn.assigns[:raw_body], & [body | (&1 || [])])
 end
-Original file line number
+Diff line change
@@ Expand Up / @@ -20,9 +20,12 @@ rules: @@
       resources:
       - secrets
       verbs:
+      - create
+      - delete
       - get
       - list
       - patch
+      - update
       - watch
     - apiGroups:
       - deployments.plural.sh
@@ Expand Down @@