From 9cb9f8a4f6b7f51eae05abf47dc04943fbc14e8c Mon Sep 17 00:00:00 2001
From: rubenwardy
Date: Sun, 7 Mar 2021 14:47:27 +0000
Subject: [PATCH] Hotfix: Prevent webhooks from running on non-master/main branches

---
 app/blueprints/github/__init__.py | 4 ++++
 app/blueprints/gitlab/__init__.py | 8 +++++++-
 app/flatpages/help/release_webhooks.md | 4 ++--
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/app/blueprints/github/__init__.py b/app/blueprints/github/__init__.py
index 4674170..f5962b6 100644
--- a/app/blueprints/github/__init__.py
+++ b/app/blueprints/github/__init__.py
@@ -134,6 +134,10 @@ def webhook():
 if event == "push":
 ref = json["after"]
 title = json["head_commit"]["message"].partition("\n")[0]
+ branch = json["ref"].replace("refs/heads/", "")
+ if branch not in [ "master", "main" ]:
+ return jsonify({ "success": False, "message": "Webhook ignored, as it's not on the master/main branch" })
+
 elif event == "create" and json["ref_type"] == "tag":
 ref = json["ref"]
 title = ref
diff --git a/app/blueprints/gitlab/__init__.py b/app/blueprints/gitlab/__init__.py
index 990aee6..a0babc6 100644
--- a/app/blueprints/gitlab/__init__.py
+++ b/app/blueprints/gitlab/__init__.py
@@ -14,7 +14,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program. If not, see .
 
-from flask import Blueprint, request
+from flask import Blueprint, request, jsonify
 
 bp = Blueprint("gitlab", __name__)
 
@@ -53,6 +53,12 @@ def webhook_impl():
 if event == "push":
 ref = json["after"]
 title = ref[:5]
+
+ branch = json["ref"].replace("refs/heads/", "")
+ if branch not in ["master", "main"]:
+ return jsonify({"success": False,
+ "message": "Webhook ignored, as it's not on the master/main branch"})
+
 elif event == "tag_push":
 ref = json["ref"]
 title = ref.replace("refs/tags/", "")
diff --git a/app/flatpages/help/release_webhooks.md b/app/flatpages/help/release_webhooks.md
index 467064f..c5dc1fd 100644
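Review bot: The gate added at `branch = json["ref"].replace("refs/heads/", "")` strips every occurrence of the prefix rather than only a leading one, so the comparison is made against a normalised name instead of the ref that was actually pushed; the gitlab webhook_impl hunk in this commit uses the same construction. Comparing the full ref is both simpler and exact, and drops the intermediate variable: `if json["ref"] not in ("refs/heads/master", "refs/heads/main"):`. The accepted names are also hard-coded, so a repository whose default branch has any other name is answered with `"success": False` on every push; the push payload carries the repository's default branch (`repository.default_branch` on GitHub, `project.default_branch` on GitLab), which would be the more general check if the intent is to track the default branch rather than these two names. webhook() begins before this hunk, so whether the token verification runs ahead of this check is not visible here.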
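Review bot: The branch check added to webhook_impl repeats, apart from formatting, the one added to the github webhook in the same commit; a single helper shared by both blueprints, for example `def is_release_branch_ref(ref): return ref in ("refs/heads/master", "refs/heads/main")`, would keep the two handlers from drifting the next time the accepted branches change. Separately, if I read the GitLab push hook format right, a branch deletion is still delivered as a push with the branch ref and `after` set to the all-zero commit id, so with `ref = json["after"]` taken before the gate a deletion of master/main passes it; rejecting an all-zero `after` (or a null `checkout_sha`) before issuing a release would close that, unless it is already handled in the part of webhook_impl that starts outside this hunk.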
--- a/app/flatpages/help/release_webhooks.md
+++ b/app/flatpages/help/release_webhooks.md
@@ -21,8 +21,8 @@ The process is as follows:
 4. ContentDB checks the API token and issues a new release.

- "New commit" or "push" based webhooks are currently broken as they don't check the branch name.
- This means that releases will be created for pushes to non-default branches.
+ "New commit" or "push" based webhooks will currently only work on branches named `master` or
+ `main`.

## Setting up