Add SHA-256 support for WebHookService by adding header X-Hub-Signature-256 (#3962)

Co-authored-by: Thomas Geier <thomas.geier@solidat.de>
2026-05-07 12:37:20 +02:00 · 2026-02-14 05:47:14 +01:00
parent 73ccfd0788
commit 8f2e0f8505
1 changed files with 28 additions and 25 deletions
--- a/src/main/scala/gitbucket/core/service/WebHookService.scala
+++ b/src/main/scala/gitbucket/core/service/WebHookService.scala
@@ -302,42 +302,45 @@ trait WebHookService {
            httpPost.addHeader("Content-Type", webHook.ctype.ctype)
            httpPost.addHeader("X-Github-Event", event.name)
            httpPost.addHeader("X-Github-Delivery", java.util.UUID.randomUUID().toString)
-
+            def addXHubSignature(content: Array[Byte]): Unit = {
+              webHook.token
+                .filter(_.trim.nonEmpty)
+                .foreach { token =>
+                  // https://developer.github.com/webhooks/securing/#validating-payloads-from-github
+                  // SHA1 is required for backward compatibility, but SHA256 is recommended.
+                  httpPost.addHeader(
+                    "X-Hub-Signature",
+                    XHub.generateHeaderXHubToken(
+                      XHubConverter.HEXA_LOWERCASE,
+                      XHubDigest.SHA1,
+                      token,
+                      content
+                    )
+                  )
+                  httpPost.addHeader(
+                    "X-Hub-Signature-256",
+                    XHub.generateHeaderXHubToken(
+                      XHubConverter.HEXA_LOWERCASE,
+                      XHubDigest.SHA256,
+                      token,
+                      content
+                    )
+                  )
+                }
+            }
            webHook.ctype match {
              case WebHookContentType.FORM => {
                val params: java.util.List[NameValuePair] = new java.util.ArrayList()
                params.add(new BasicNameValuePair("payload", json))
                def postContent = new UrlEncodedFormEntity(params, "UTF-8")
                httpPost.setEntity(postContent)
-                if (webHook.token.exists(_.trim.nonEmpty)) {
-                  // TODO find a better way and see how to extract content from postContent
-                  val contentAsBytes = URLEncodedUtils.format(params, "UTF-8").getBytes("UTF-8")
-                  httpPost.addHeader(
-                    "X-Hub-Signature",
-                    XHub.generateHeaderXHubToken(
-                      XHubConverter.HEXA_LOWERCASE,
-                      XHubDigest.SHA1,
-                      webHook.token.get,
-                      contentAsBytes
-                    )
-                  )
-                }
+                addXHubSignature(URLEncodedUtils.format(params, "UTF-8").getBytes("UTF-8"))
              }
              case WebHookContentType.JSON => {
                httpPost.setEntity(
                  EntityBuilder.create().setContentType(ContentType.APPLICATION_JSON).setText(json).build()
                )
-                if (webHook.token.exists(_.trim.nonEmpty)) {
-                  httpPost.addHeader(
-                    "X-Hub-Signature",
-                    XHub.generateHeaderXHubToken(
-                      XHubConverter.HEXA_LOWERCASE,
-                      XHubDigest.SHA1,
-                      webHook.token.orNull,
-                      json.getBytes("UTF-8")
-                    )
-                  )
-                }
+                addXHubSignature(json.getBytes("UTF-8"))
              }
            }