From 188c66c43485e576c69874a7787ec873bf41673e Mon Sep 17 00:00:00 2001 From: Catherine Date: Thu, 9 Oct 2025 14:52:58 +0000 Subject: [PATCH] Use an ad-hoc type to deserialize JSON webhook payload. This is both better structured, and avoids crashes on invalid payloads that would occur before this commit due to a lack of checking for nil in the maps. --- src/pages.go | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/src/pages.go b/src/pages.go index a83cbff..2b860b3 100644 --- a/src/pages.go +++ b/src/pages.go @@ -433,15 +433,19 @@ func postPage(w http.ResponseWriter, r *http.Request) error { return fmt.Errorf("body read: %w", err) } - var event map[string]any + var event struct { + Ref string `json:"ref"` + Repository struct { + CloneURL string `json:"clone_url"` + } `json:"repository"` + } err = json.NewDecoder(bytes.NewReader(requestBody)).Decode(&event) if err != nil { http.Error(w, fmt.Sprintf("invalid request body: %s", err), http.StatusBadRequest) return err } - eventRef := event["ref"].(string) - if eventRef != fmt.Sprintf("refs/heads/%s", auth.branch) { + if event.Ref != fmt.Sprintf("refs/heads/%s", auth.branch) { code := http.StatusUnauthorized if strings.Contains(r.Header.Get("User-Agent"), "GitHub-Hookshot") { // GitHub has no way to restrict branches for a webhook, and responding with 401 @@ -449,13 +453,12 @@ func postPage(w http.ResponseWriter, r *http.Request) error { code = http.StatusOK } http.Error(w, - fmt.Sprintf("ref %s not in allowlist [refs/heads/%v]", - eventRef, auth.branch), + fmt.Sprintf("ref %s not in allowlist [refs/heads/%v]", event.Ref, auth.branch), code) return nil } - repoURL := event["repository"].(map[string]any)["clone_url"].(string) + repoURL := event.Repository.CloneURL if err := AuthorizeRepository(repoURL, auth); err != nil { return err }