mirror of
https://github.com/coollabsio/coolify.git
synced 2026-06-14 03:19:51 +00:00
Andras Bacsai
c1518ba1c0
The manual webhook handlers selected target applications with a `git_repository LIKE %full_name%` substring query, so a payload repository name could match unintended applications when repository names overlap. Add a `MatchesManualWebhookApplications` trait that validates the incoming `owner/repo` value and matches `Application.git_repository` by exact normalized path. Github, Gitlab, Gitea and Bitbucket manual handlers now use it, reject invalid repository input early, and return a consistent generic webhook failure payload. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
99 lines
2.7 KiB
PHP
99 lines
2.7 KiB
PHP
<?php
|
|
|
|
namespace App\Http\Controllers\Webhook\Concerns;
|
|
|
|
use App\Models\Application;
|
|
use Illuminate\Database\Eloquent\Builder;
|
|
use Illuminate\Support\Collection;
|
|
use Illuminate\Support\Str;
|
|
|
|
trait MatchesManualWebhookApplications
|
|
{
|
|
protected function manualWebhookRepositoryFullName(mixed $fullName): ?string
|
|
{
|
|
if (! is_string($fullName)) {
|
|
return null;
|
|
}
|
|
|
|
$fullName = trim($fullName, " \t\n\r\0\x0B/");
|
|
|
|
if ($fullName === '') {
|
|
return null;
|
|
}
|
|
|
|
if (! preg_match('/\A[A-Za-z0-9_.-]+(?:\/[A-Za-z0-9_.-]+)+\z/', $fullName)) {
|
|
return null;
|
|
}
|
|
|
|
return $this->normalizeManualWebhookRepositoryPath($fullName);
|
|
}
|
|
|
|
/**
|
|
* @return Collection<int, Application>
|
|
*/
|
|
protected function manualWebhookApplications(Builder $query, string $fullName): Collection
|
|
{
|
|
return $query->get()
|
|
->filter(fn (Application $application): bool => $this->manualWebhookRepositoryMatches($application->git_repository, $fullName))
|
|
->values();
|
|
}
|
|
|
|
protected function manualWebhookRepositoryMatches(?string $gitRepository, string $fullName): bool
|
|
{
|
|
$repositoryPath = $this->canonicalManualWebhookRepository($gitRepository);
|
|
|
|
return $repositoryPath !== null && hash_equals($fullName, $repositoryPath);
|
|
}
|
|
|
|
/**
|
|
* @return array{status: string, message: string}
|
|
*/
|
|
protected function unauthenticatedManualWebhookFailurePayload(): array
|
|
{
|
|
return [
|
|
'status' => 'failed',
|
|
'message' => 'Invalid signature.',
|
|
];
|
|
}
|
|
|
|
protected function canonicalManualWebhookRepository(?string $gitRepository): ?string
|
|
{
|
|
if (! is_string($gitRepository)) {
|
|
return null;
|
|
}
|
|
|
|
$gitRepository = trim($gitRepository);
|
|
|
|
if ($gitRepository === '') {
|
|
return null;
|
|
}
|
|
|
|
$path = null;
|
|
$parts = parse_url($gitRepository);
|
|
|
|
if (is_array($parts) && isset($parts['scheme'])) {
|
|
$path = data_get($parts, 'path');
|
|
} elseif (Str::startsWith($gitRepository, 'git@') && str_contains($gitRepository, ':')) {
|
|
$path = Str::after($gitRepository, ':');
|
|
} else {
|
|
$path = $gitRepository;
|
|
}
|
|
|
|
if (! is_string($path) || $path === '') {
|
|
return null;
|
|
}
|
|
|
|
return $this->normalizeManualWebhookRepositoryPath($path);
|
|
}
|
|
|
|
protected function normalizeManualWebhookRepositoryPath(string $path): string
|
|
{
|
|
$path = trim($path);
|
|
$path = strtok($path, '?#') ?: $path;
|
|
$path = trim($path, '/');
|
|
$path = preg_replace('/\.git\z/i', '', $path) ?? $path;
|
|
|
|
return $path;
|
|
}
|
|
}
|