clz/billai
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(webhook): harden security and reliability

Browse Source 
- Require non-default WEBHOOK_SECRET\n- Strict main/master ref matching\n- Constant-time HMAC signature check\n- Limit request body and add server timeouts\n- Single-flight deploy lock; pass ref/commit to deploy.sh\n- deploy.sh deploys correct branch (main/master)
This commit is contained in:
CHE LIANG ZHAO
2026-01-16 14:06:10 +08:00
parent 3b7c1cd82b
commit 339b8afe98
2 changed files with 122 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
deploy.sh
View File

@@ -8,6 +8,10 @@ set -e
REPO_ROOT="/app" REPO_ROOT="/app"
LOG_FILE="/tmp/billai_deploy.log" LOG_FILE="/tmp/billai_deploy.log"
# 可由 webhook 传入GIT_REF=refs/heads/main 或 refs/heads/master
GIT_REF="${GIT_REF:-}"
GIT_COMMIT="${GIT_COMMIT:-}"
# 颜色输出 # 颜色输出
RED='\033[0;31m' RED='\033[0;31m'
GREEN='\033[0;32m' GREEN='\033[0;32m'
@@ -36,13 +40,39 @@ log "=========================================="
cd "$REPO_ROOT" || error "无法进入仓库目录: $REPO_ROOT" cd "$REPO_ROOT" || error "无法进入仓库目录: $REPO_ROOT"
log "📁 工作目录: $(pwd)" log "📁 工作目录: $(pwd)"
if [ -n "$GIT_REF" ]; then
log "🌿 触发分支: $GIT_REF"
fi
if [ -n "$GIT_COMMIT" ]; then
log "🧾 触发提交: ${GIT_COMMIT:0:7}"
fi
# 拉取最新代码 # 拉取最新代码
log "📥 正在拉取最新代码..." log "📥 正在拉取最新代码..."
if ! git fetch origin; then if ! git fetch origin; then
error "git fetch 失败" error "git fetch 失败"
fi fi
if ! git reset --hard origin/master; then # 选择部署分支(优先使用 webhook 传入的 ref
DEPLOY_BRANCH=""
if [ "$GIT_REF" = "refs/heads/main" ]; then
DEPLOY_BRANCH="main"
elif [ "$GIT_REF" = "refs/heads/master" ]; then
DEPLOY_BRANCH="master"
fi
# 兜底:按远端分支存在性选择(兼容仓库从 master 切到 main
if [ -z "$DEPLOY_BRANCH" ]; then
if git show-ref --verify --quiet refs/remotes/origin/main; then
DEPLOY_BRANCH="main"
else
DEPLOY_BRANCH="master"
fi
fi
log "🌿 部署分支: $DEPLOY_BRANCH"
if ! git reset --hard "origin/$DEPLOY_BRANCH"; then
error "git reset 失败" error "git reset 失败"
fi fi

108
webhook/main.go
View File

@@ -6,13 +6,14 @@ import (
"crypto/sha256" "crypto/sha256"
"encoding/hex" "encoding/hex"
"encoding/json" "encoding/json"
"errors"
"io" "io"
"log" "log"
"net/http" "net/http"
"os" "os"
"os/exec" "os/exec"
"path/filepath" "path/filepath"
"strings" "sync"
"time" "time"
) )
@@ -36,10 +37,19 @@ type Config struct {
Secret string Secret string
RepoPath string RepoPath string
ScriptPath string ScriptPath string
MaxBody int64
} }
var cfg Config var cfg Config
var deployMu sync.Mutex
var deployRunning bool
const (
defaultSecret = "your-webhook-secret"
maxBodyBytes = int64(1 << 20) // 1MB
)
func init() { func init() {
// 从环境变量读取配置 // 从环境变量读取配置
cfg.Port = os.Getenv("WEBHOOK_PORT") cfg.Port = os.Getenv("WEBHOOK_PORT")
@@ -49,7 +59,7 @@ func init() {
cfg.Secret = os.Getenv("WEBHOOK_SECRET") cfg.Secret = os.Getenv("WEBHOOK_SECRET")
if cfg.Secret == "" { if cfg.Secret == "" {
cfg.Secret = "your-webhook-secret" cfg.Secret = defaultSecret
} }
cfg.RepoPath = os.Getenv("REPO_PATH") cfg.RepoPath = os.Getenv("REPO_PATH")
@@ -58,18 +68,34 @@ func init() {
} }
cfg.ScriptPath = filepath.Join(cfg.RepoPath, "deploy.sh") cfg.ScriptPath = filepath.Join(cfg.RepoPath, "deploy.sh")
cfg.MaxBody = maxBodyBytes
} }
func main() { func main() {
log.SetFlags(log.LstdFlags | log.Lshortfile) log.SetFlags(log.LstdFlags | log.Lshortfile)
if cfg.Secret == "" || cfg.Secret == defaultSecret {
log.Fatalf("❌ WEBHOOK_SECRET 未配置或仍为默认值;请设置强随机 secret例如 openssl rand -hex 32")
}
log.Printf("🚀 Webhook 服务启动 | 监听端口: %s\n", cfg.Port) log.Printf("🚀 Webhook 服务启动 | 监听端口: %s\n", cfg.Port)
log.Printf("📁 仓库路径: %s\n", cfg.RepoPath) log.Printf("📁 仓库路径: %s\n", cfg.RepoPath)
log.Printf("📜 部署脚本: %s\n", cfg.ScriptPath) log.Printf("📜 部署脚本: %s\n", cfg.ScriptPath)
log.Printf("🔒 请求体大小限制: %d bytes\n", cfg.MaxBody)
http.HandleFunc("/webhook", handleWebhook) mux := http.NewServeMux()
http.HandleFunc("/health", handleHealth) mux.HandleFunc("/webhook", handleWebhook)
mux.HandleFunc("/health", handleHealth)
if err := http.ListenAndServe(":"+cfg.Port, nil); err != nil { srv := &http.Server{
Addr: ":" + cfg.Port,
Handler: mux,
ReadHeaderTimeout: 5 * time.Second,
ReadTimeout: 10 * time.Second,
WriteTimeout: 30 * time.Second,
IdleTimeout: 60 * time.Second,
}
if err := srv.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
log.Fatalf("❌ 服务器启动失败: %v", err) log.Fatalf("❌ 服务器启动失败: %v", err)
} }
} }
@@ -91,6 +117,21 @@ func handleWebhook(w http.ResponseWriter, r *http.Request) {
return return
} }
// 单实例部署:避免并发执行 deploy.sh 引发互相踩踏
if !tryStartDeploy() {
w.Header().Set("Content-Type", "application/json")
w.Header().Set("Retry-After", "30")
w.WriteHeader(http.StatusConflict)
json.NewEncoder(w).Encode(map[string]string{
"message": "部署进行中,请稍后再试",
})
return
}
defer finishDeploy()
// 限制请求体大小,防止大包占用内存
r.Body = http.MaxBytesReader(w, r.Body, cfg.MaxBody)
// 读取请求体 // 读取请求体
body, err := io.ReadAll(r.Body) body, err := io.ReadAll(r.Body)
if err != nil { if err != nil {
@@ -115,8 +156,8 @@ func handleWebhook(w http.ResponseWriter, r *http.Request) {
return return
} }
// 只处理 master 分支推送 // 只处理分支推送(严格匹配)
if !strings.Contains(payload.Ref, "master") && !strings.Contains(payload.Ref, "main") { if payload.Ref != "refs/heads/master" && payload.Ref != "refs/heads/main" {
log.Printf("⏭️ 忽略非主分支推送: %s", payload.Ref) log.Printf("⏭️ 忽略非主分支推送: %s", payload.Ref)
w.Header().Set("Content-Type", "application/json") w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]string{ json.NewEncoder(w).Encode(map[string]string{
@@ -135,8 +176,16 @@ func handleWebhook(w http.ResponseWriter, r *http.Request) {
} }
log.Printf(" 提交: %s", commitShort) log.Printf(" 提交: %s", commitShort)
// 异步执行部署 // 异步执行部署(释放 HTTP 线程)
go executeDeployment(payload) go func() {
defer func() {
// 避免 goroutine panic 导致“卡住 running 状态”
if r := recover(); r != nil {
log.Printf("❌ 部署流程 panic: %v", r)
}
}()
executeDeployment(payload)
}()
w.Header().Set("Content-Type", "application/json") w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusAccepted) w.WriteHeader(http.StatusAccepted)
@@ -148,16 +197,14 @@ func handleWebhook(w http.ResponseWriter, r *http.Request) {
// verifySignature 验证 Gitea webhook 签名 // verifySignature 验证 Gitea webhook 签名
func verifySignature(signature string, body []byte) bool { func verifySignature(signature string, body []byte) bool {
if cfg.Secret == "your-webhook-secret" { if signature == "" {
log.Println("⚠️ 警告: 使用默认 secret建议设置 WEBHOOK_SECRET 环境变量") return false
return true
} }
hash := hmac.New(sha256.New, []byte(cfg.Secret)) hash := hmac.New(sha256.New, []byte(cfg.Secret))
hash.Write(body) hash.Write(body)
expected := "sha256=" + hex.EncodeToString(hash.Sum(nil)) expected := []byte("sha256=" + hex.EncodeToString(hash.Sum(nil)))
return hmac.Equal([]byte(signature), expected)
return signature == expected
} }
// executeDeployment 执行部署 // executeDeployment 执行部署
@@ -172,9 +219,13 @@ func executeDeployment(payload GiteaPayload) {
return return
} }
// 执行部署脚本 // 执行部署脚本(把 ref/commit 传给脚本,便于按分支部署与日志记录)
cmd := exec.Command("bash", cfg.ScriptPath) cmd := exec.Command("bash", cfg.ScriptPath)
cmd.Dir = cfg.RepoPath cmd.Dir = cfg.RepoPath
cmd.Env = append(os.Environ(),
"GIT_REF="+payload.Ref,
"GIT_COMMIT="+payload.Commit,
)
var stdout, stderr bytes.Buffer var stdout, stderr bytes.Buffer
cmd.Stdout = &stdout cmd.Stdout = &stdout
@@ -184,6 +235,9 @@ func executeDeployment(payload GiteaPayload) {
if err := cmd.Run(); err != nil { if err := cmd.Run(); err != nil {
log.Printf("❌ 部署脚本执行失败: %v", err) log.Printf("❌ 部署脚本执行失败: %v", err)
if stdout.Len() > 0 {
log.Printf("输出:\n%s", stdout.String())
}
if stderr.Len() > 0 { if stderr.Len() > 0 {
log.Printf("错误输出:\n%s", stderr.String()) log.Printf("错误输出:\n%s", stderr.String())
} }
@@ -201,8 +255,28 @@ func executeDeployment(payload GiteaPayload) {
log.Printf("📝 部署日志:\n") log.Printf("📝 部署日志:\n")
log.Printf(" 仓库: %s", payload.Repository.FullName) log.Printf(" 仓库: %s", payload.Repository.FullName)
log.Printf(" 提交: %s", payload.Commit[:7]) commitShort := payload.Commit
if len(commitShort) > 7 {
commitShort = commitShort[:7]
}
log.Printf(" 提交: %s", commitShort)
log.Printf(" 分支: %s", payload.Ref) log.Printf(" 分支: %s", payload.Ref)
log.Printf(" 推送者: %s", payload.Pusher.Username) log.Printf(" 推送者: %s", payload.Pusher.Username)
log.Printf(" 时间: %s", time.Now().Format(time.RFC3339)) log.Printf(" 时间: %s", time.Now().Format(time.RFC3339))
} }
func tryStartDeploy() bool {
deployMu.Lock()
defer deployMu.Unlock()
if deployRunning {
return false
}
deployRunning = true
return true
}
func finishDeploy() {
deployMu.Lock()
deployRunning = false
deployMu.Unlock()
}