From 86205609f1ee6959ec6936ca73d863c455cebdca Mon Sep 17 00:00:00 2001
From: Lorenz Steinert <lorenz@steinerts.de>
Date: Fri, 30 Aug 2019 09:42:56 +0200
Subject: [PATCH] check the headers and query parameters check for the folling headers: * `X-Gitlab-Token`` * `Content-Type` check for the following query parameterts: * `room`
---
 gitlab/__init__.py | 41 +++++++++++++++++++++++++++++++++++++----
 1 file changed, 37 insertions(+), 4 deletions(-)
diff --git a/gitlab/__init__.py b/gitlab/__init__.py
index bdc4705..0f16aec 100644
--- a/gitlab/__init__.py
+++ b/gitlab/__init__.py
@@ -22,17 +22,50 @@ class Gitlab(Plugin):
 routes = web.RouteTableDef()
 async def process_hook(self, request: web.Request) -> None:
+ if not request.has_body():
+ await self.client.send_text(request.query['room'],
+ "Webhook doesn't have a Body.")
 self.log.debug(str(request))
 self.log.debug(str(request.query['room']))
 await self.client.send_text(request.query['room'], str(request))
 async def post_handler(self, request: web.Request) -> web.Response:
- if not request.headers['X-Gitlab-Token'] == self.config['secret']:
- return web.Response(status=403)
-
+ # check the authorisation of the request
+ if 'X-Gitlab-Token' not in request.headers \ or not request.headers['X-Gitlab-Token'] == self.config['secret']:
+ resp_text = '403 FORBIDDEN'
+ return web.Response(text=resp_text,
+ status=403
+ )
+
+ # check if a roomid was specified
+ if 'room' not in request.query:
+ resp_text = 'No room specified. ' \ 'Use example.com' + self.config['path'] + \ '?room=!<roomid>.'
+ return web.Response(text=resp_text,
+ status=400
+ )
+
+ # check if the bot is in the specified room
+ # TODO: make joined_rooms a clas property which is updated on startup and room join/leave
+ joined_rooms = await self.client.get_joined_rooms()
+ if request.query['room'] not in joined_rooms:
+ resp_text = 'The Bot is not in the room.'
+ return web.Response(text=resp_text,
+ status=403
+ )
+
+ # check if we can read the content of the request
+ if 'Content-Type' not in request.headers \ or not request.headers['Content-Type'] == 'application/json':
+ self.log.debug(request.headers['Content-Type'])
+ return web.Response(status=406,
+ headers={'Content-Type': 'application/json'}
+ )
 self.task_list.append(asyncio.create_task(self.process_hook(request)))
- return web.Response()
+ return web.Response(status=202)
 async def start(self) -> None:
 self.config.load_and_update()
-- 
GitLab
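Review bot: In the 406 branch, `self.log.debug(request.headers['Content-Type'])` raises KeyError on exactly the missing-header case the preceding `'Content-Type' not in request.headers` check lets through, so such a request ends in a 500 rather than the intended 406; log `request.headers.get('Content-Type')` instead, and comparing `request.content_type` (aiohttp's parsed media type, without the `; charset=...` parameter) rather than the raw header with `==` avoids rejecting well-formed JSON posts. The new `has_body` branch at the top of process_hook sends the "no body" message and then falls through to the normal send, so add `return` after it; as far as I can tell `has_body` is a property in aiohttp, in which case `request.has_body()` would raise TypeError — confirm against the aiohttp version in use. The `X-Gitlab-Token` comparison is a plain `==` on the shared secret; `hmac.compare_digest(request.headers.get('X-Gitlab-Token', ''), self.config['secret'])` gives a constant-time check and folds the missing-header case into one condition, which needs `import hmac` at the top of the file, outside this hunk. The enclosing class continues beyond the hunk.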