Protect against hostile webhook invocations

sipb · Jan 29, 2020 · a23ad2e · a23ad2e
1 parent b65745b
commit a23ad2e
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/zcommit.py b/zcommit.py
@@ -92,6 +92,8 @@ def format_commit(c, commit_url):
 """ % info
 
     try:
+        if not commit_url.startswith('https://api.github.com/'):
+            raise ValueError('refusing to fetch commit information from '+commit_url)
         # Check if the diff is small enough
         r = requests.get(commit_url, headers={'Accept': 'application/vnd.github.diff'})
         diff = r.text