coolify

references/coolify

Fork 0

mirror of https://github.com/coollabsio/coolify.git synced 2026-06-14 03:19:51 +00:00

Commit Graph

Author	SHA1	Message	Date
Andras Bacsai	c1518ba1c0	fix(webhook): match manual webhook repositories exactly The manual webhook handlers selected target applications with a `git_repository LIKE %full_name%` substring query, so a payload repository name could match unintended applications when repository names overlap. Add a `MatchesManualWebhookApplications` trait that validates the incoming `owner/repo` value and matches `Application.git_repository` by exact normalized path. Github, Gitlab, Gitea and Bitbucket manual handlers now use it, reject invalid repository input early, and return a consistent generic webhook failure payload. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-22 15:32:44 +02:00
Andras Bacsai	bafb9a5a8b	refactor(webhook): encrypt manual webhook secrets and tighten HMAC verification - Auto-generate a 40-char random secret for each manual_webhook_secret_* column on Application creation so new apps are never left with an empty secret. - Add encrypted cast for the four webhook-secret columns; backfill migration re-encrypts existing plaintext values and fills missing ones. - Reject webhook deliveries when the stored secret is empty (GitHub, GitLab, Bitbucket, Gitea manual endpoints). - Bitbucket: require the sha256 algorithm prefix on X-Hub-Signature instead of trusting the client-supplied algo. - GitLab: drop the ?? '' fallback on the token comparison. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-04-19 12:52:23 +02:00

Author

SHA1

Message

Date

Andras Bacsai

c1518ba1c0

fix(webhook): match manual webhook repositories exactly

The manual webhook handlers selected target applications with a
`git_repository LIKE %full_name%` substring query, so a payload
repository name could match unintended applications when repository
names overlap.

Add a `MatchesManualWebhookApplications` trait that validates the
incoming `owner/repo` value and matches `Application.git_repository`
by exact normalized path. Github, Gitlab, Gitea and Bitbucket manual
handlers now use it, reject invalid repository input early, and return
a consistent generic webhook failure payload.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-22 15:32:44 +02:00

Andras Bacsai

bafb9a5a8b

refactor(webhook): encrypt manual webhook secrets and tighten HMAC verification

- Auto-generate a 40-char random secret for each manual_webhook_secret_* column on Application creation so new apps are never left with an empty secret.
- Add encrypted cast for the four webhook-secret columns; backfill migration re-encrypts existing plaintext values and fills missing ones.
- Reject webhook deliveries when the stored secret is empty (GitHub, GitLab, Bitbucket, Gitea manual endpoints).
- Bitbucket: require the sha256 algorithm prefix on X-Hub-Signature instead of trusting the client-supplied algo.
- GitLab: drop the ?? '' fallback on the token comparison.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-04-19 12:52:23 +02:00

2 Commits