readthedocs · ericholscher · Feb 27, 2019 · Nov 30, 2018 · Nov 30, 2018 · Dec 3, 2018
diff --git a/readthedocs/integrations/migrations/0004_add_integration_secret.py b/readthedocs/integrations/migrations/0004_add_integration_secret.py
@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.16 on 2018-11-29 22:52
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+import readthedocs.integrations.utils
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('integrations', '0003_add_missing_model_change_migrations'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='integration',
+            name='secret',
+            field=models.CharField(blank=True, default=readthedocs.integrations.utils.get_secret, max_length=255),
+        ),
+    ]
diff --git a/readthedocs/integrations/models.py b/readthedocs/integrations/models.py
@@ -30,6 +30,7 @@
 from rest_framework import status
 
 from readthedocs.core.fields import default_token
+from readthedocs.integrations.utils import get_secret
 from readthedocs.projects.models import Project
 
 from .utils import normalize_request_payload
@@ -268,6 +269,7 @@ class Integration(models.Model):
         'HttpExchange',
         related_query_name='integrations',
     )
+    secret = models.CharField(max_length=255, blank=True, default=get_secret)
 
     objects = IntegrationQuerySet.as_manager()
 

diff --git a/readthedocs/integrations/utils.py b/readthedocs/integrations/utils.py
@@ -1,7 +1,12 @@
 """Integration utility functions."""
 
+from __future__ import division, print_function, unicode_literals
 
-def normalize_request_payload(request):
+import json
+import os
+
+
+def normalize_request_payload(request_body, content_type):
     """
     Normalize the request body, hopefully to JSON.
 
@@ -12,12 +17,12 @@ def normalize_request_payload(request):
     :returns: The request body as a string
     :rtype: str
     """
-    request_payload = getattr(request, 'data', {})
-    if request.content_type != 'application/json':
+    if content_type != 'application/json':
         # Here, request_body can be a dict or a MergeDict. Probably best to
         # normalize everything first
-        try:
-            request_payload = dict(list(request_payload.items()))
-        except AttributeError:
-            pass
-    return request_payload
+        raise NotImplementedError
+    return json.loads(request_body)
+
+
+def get_secret(size=64):
+    return os.urandom(size).hex()
diff --git a/readthedocs/oauth/services/github.py b/readthedocs/oauth/services/github.py
@@ -170,6 +170,7 @@ def get_webhook_data(self, project, integration):
                                 'integration_pk': integration.pk}
                     )
                 ),
+                'secret': integration.secret,
                 'content_type': 'json',
             },
             'events': ['push', 'pull_request', 'create', 'delete'],

diff --git a/readthedocs/projects/forms.py b/readthedocs/projects/forms.py
@@ -712,7 +712,7 @@ class IntegrationForm(forms.ModelForm):
 
     class Meta(object):
         model = Integration
-        exclude = ['provider_data', 'exchanges']  # pylint: disable=modelform-uses-exclude
+        exclude = ['provider_data', 'exchanges', 'secret']  # pylint: disable=modelform-uses-exclude
 
     def __init__(self, *args, **kwargs):
         self.project = kwargs.pop('project', None)

diff --git a/readthedocs/restapi/views/integrations.py b/readthedocs/restapi/views/integrations.py
@@ -7,14 +7,16 @@
     unicode_literals,
 )
 
+import hashlib
+import hmac
 import json
 import logging
 import re
 
 import six
 from django.shortcuts import get_object_or_404
 from rest_framework import permissions
-from rest_framework.exceptions import NotFound, ParseError
+from rest_framework.exceptions import AuthenticationFailed, NotFound, ParseError
 from rest_framework.renderers import JSONRenderer
 from rest_framework.response import Response
 from rest_framework.views import APIView
@@ -59,6 +61,9 @@ def post(self, request, project_slug):
             self.project = self.get_project(slug=project_slug)
         except Project.DoesNotExist:
             raise NotFound('Project not found')
+        self.body = self.request.stream.read().decode()
+        if not self.validate_payload():
+            raise AuthenticationFailed('Payload not valid')
         self.data = self.get_data()
         resp = self.handle_webhook()
         if resp is None:
@@ -83,12 +88,18 @@ def finalize_response(self, req, *args, **kwargs):
 
     def get_data(self):
         """Normalize posted data."""
-        return normalize_request_payload(self.request)
+        return normalize_request_payload(
+            self.body,
+            self.request.content_type
+        )
 
     def handle_webhook(self):
         """Handle webhook payload."""
         raise NotImplementedError
 
+    def validate_payload(self):
+        return True
+
     def get_integration(self):
         """
         Get or create an inbound webhook to track webhook requests.
@@ -178,6 +189,22 @@ def get_data(self):
                 pass
         return super(GitHubWebhookView, self).get_data()
 
+    def validate_payload(self):
+        signature = self.request.META['HTTP_X_HUB_SIGNATURE']
+        msg = self.body
+        key = self.get_integration().secret
+        digest = hmac.new(
+            key.encode(),
+            msg=msg.encode(),
+            digestmod=hashlib.sha1
+        ).hexdigest()
+        result = hmac.compare_digest(
+            b'sha1=' + digest.encode(),
+            signature.encode()
+        )
+        log.info('Valid payload? %s', result)
+        return result
+
     def handle_webhook(self):
         # Get event and trigger other webhook events
         event = self.request.META.get(GITHUB_EVENT_HEADER, GITHUB_PUSH)