paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-06 15:03:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

webhooks: Support filtering GitHub activity from private repositories.

Browse Source 
Currently, the GitHub webhook sends activity from both public and private
repositories, which could lead to unintended disclosure of sensitive
information from private repositories.

This commit introduces a ignore_private_repositories parameter to the
webhook URL. When set to true, the webhook ignore processing activity from
private repositories, ensuring that such activities are not posted to
Zulip streams. By default, if the parameter is omitted or set to false,
activities from both public and private repositories are processed
normally. This provides users with the flexibility to control the
visibility of private repository activities without altering the default
behavior.

More importantly, this introduces a cleaner mechanism for individual
incoming webhooks to declare support for settings not common to all
webhook integrations.

Fixes #31638.
This commit is contained in:
Aditya Kumar Kasaudhan
2024-09-20 15:11:30 +05:30
committed by Tim Abbott
parent fdf90f7ad1
commit d1ff871523
20 changed files with 927 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
zerver/webhooks/github/view.py
View File

@@ -3,6 +3,7 @@ from collections.abc import Callable
from datetime import datetime, timezone
from django.http import HttpRequest, HttpResponse
from pydantic import Json
from zerver.decorator import log_unsupported_webhook_event, webhook_view
from zerver.lib.exceptions import UnsupportedWebhookEventTypeError
@@ -899,6 +900,7 @@ def api_github_webhook(
payload: JsonBodyPayload[WildValue],
branches: str | None = None,
user_specified_topic: OptionalUserSpecifiedTopicStr = None,
ignore_private_repositories: Json[bool] = False,
) -> HttpResponse:
"""
GitHub sends the event as an HTTP header. We have our
@@ -908,6 +910,15 @@ def api_github_webhook(
"""
header_event = validate_extract_webhook_http_header(request, "X-GitHub-Event", "GitHub")
# Check if the repository is private and skip processing if ignore_private_repositories is True
if (
"repository" in payload
and payload["repository"]["private"].tame(check_bool)
and ignore_private_repositories
):
# Ignore private repository events
return json_success(request)
event = get_zulip_event_name(header_event, payload, branches)
if event is None:
# This is nothing to worry about--get_event() returns None