drone · bradrydzewski · May 23, 2019 · May 15, 2019 · May 15, 2019 · May 15, 2019
diff --git a/scm/driver/gitea/webhook.go b/scm/driver/gitea/webhook.go
@@ -5,13 +5,15 @@
 package gitea
 
 import (
+	"crypto/sha256"
 	"encoding/json"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"net/http"
 
 	"github.com/drone/go-scm/scm"
+	"github.com/drone/go-scm/scm/driver/internal/hmac"
 )
 
 type webhookService struct {
@@ -58,7 +60,20 @@ func (s *webhookService) Parse(req *http.Request, fn scm.SecretFunc) (scm.Webhoo
 	}
 
 	secret := req.FormValue("secret")
-	if secret != key {
+	signature := req.Header.Get("X-Gitea-Signature")
+
+	// fail if no signature passed
+	if signature == "" && secret == "" {
+		return hook, scm.ErrSignatureInvalid
+	}
+
+	// test signature if header not set and secret is in payload
+	if signature == "" && secret != "" && secret != key {
+		return hook, scm.ErrSignatureInvalid
+	}
+
+	// test signature using header
+	if signature != "" && !hmac.Validate(sha256.New, data, []byte(key), signature) {
 		return hook, scm.ErrSignatureInvalid
 	}
 

diff --git a/scm/driver/gitea/webhook_test.go b/scm/driver/gitea/webhook_test.go
@@ -192,6 +192,7 @@ func TestWebhookInvalid(t *testing.T) {
 	r, _ := http.NewRequest("GET", "/?secert=xxxxxxinvalidxxxxx", bytes.NewBuffer(f))
 	r.Header.Set("X-Gitea-Event", "pull_request")
 	r.Header.Set("X-Gitea-Delivery", "ee8d97b4-1479-43f1-9cac-fbbd1b80da55")
+	r.Header.Set("X-Gitea-Signature", "failfailfailfail")
 
 	s := new(webhookService)
 	_, err := s.Parse(r, secretFunc)
@@ -205,6 +206,7 @@ func TestWebhook_Validated(t *testing.T) {
 	r, _ := http.NewRequest("GET", "/?secret=71295b197fa25f4356d2fb9965df3f2379d903d7", bytes.NewBuffer(f))
 	r.Header.Set("X-Gitea-Event", "pull_request")
 	r.Header.Set("X-Gitea-Delivery", "ee8d97b4-1479-43f1-9cac-fbbd1b80da55")
+	r.Header.Set("X-Gitea-Signature", "a31111f057bafe895837f4a93c0f1f528919c199a20438b1fc8e23485780a33a")
 
 	s := new(webhookService)
 	_, err := s.Parse(r, secretFunc)