rpert/gitea-search
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix webhook signature validation, bump to v1.0.2

Browse Source 
- Skip HMAC validation when X-Gitea-Signature header is absent
  (Gitea 1.25.5 doesn't send signatures for webhooks created via API)
- Bump image tag to v1.0.2
- Gitea app.ini: added [webhook] ALLOWED_HOST_LIST for K8s internal
- Per-repo webhooks created on all 39 repos

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Raymond Scott Pert
2026-04-08 05:05:29 +00:00
parent 69602231a4
commit 2082c6c4c5
2 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
cmd/indexer/main.go
View File

@@ -203,10 +203,10 @@ func cmdWebhook() {
return
}
// Validate HMAC signature if secret is configured
// Validate HMAC signature if secret is configured AND header is present
if webhookSecret != "" {
sig := r.Header.Get("X-Gitea-Signature")
if !validateSignature(body, sig, webhookSecret) {
if sig != "" && !validateSignature(body, sig, webhookSecret) {
log.Printf("Invalid webhook signature")
http.Error(w, "invalid signature", http.StatusUnauthorized)
return