Nullify-Platform · jonathanlam · Jan 20, 2025 · Jul 30, 2024 · Jul 30, 2024 · Jul 30, 2024
diff --git a/azuredevops/azuredevops.go b/azuredevops/azuredevops.go
@@ -13,8 +13,9 @@ import (
 
 // parse errors
 var (
-	ErrInvalidHTTPMethod = errors.New("invalid HTTP Method")
-	ErrParsingPayload    = errors.New("error parsing payload")
+	ErrInvalidHTTPMethod           = errors.New("invalid HTTP Method")
+	ErrParsingPayload              = errors.New("error parsing payload")
+	ErrBasicAuthVerificationFailed = errors.New("basic auth verification failed")
 )
 
 // Event defines an Azure DevOps server hook event type
@@ -30,13 +31,38 @@ const (
 	GitPullRequestCommentEventType Event = "ms.vss-code.git-pullrequest-comment-event"
 )
 
+// Option is a configuration option for the webhook
+type Option func(*Webhook) error
+
+// Options is a namespace var for configuration options
+var Options = WebhookOptions{}
+
+// WebhookOptions is a namespace for configuration option methods
+type WebhookOptions struct{}
+
+// BasicAuth verifies payload using basic auth
+func (WebhookOptions) BasicAuth(username, password string) Option {
+	return func(hook *Webhook) error {
+		hook.username = username
+		hook.password = password
+		return nil
+	}
+}
+
 // Webhook instance contains all methods needed to process events
 type Webhook struct {
+	username string
+	password string
 }
 
 // New creates and returns a WebHook instance
-func New() (*Webhook, error) {
+func New(options ...Option) (*Webhook, error) {
 	hook := new(Webhook)
+	for _, opt := range options {
+		if err := opt(hook); err != nil {
+			return nil, errors.New("Error applying Option")
+		}
+	}
 	return hook, nil
 }
 
@@ -47,6 +73,10 @@ func (hook Webhook) Parse(r *http.Request, events ...Event) (interface{}, error)
 		_ = r.Body.Close()
 	}()
 
+	if !hook.verifyBasicAuth(r) {
+		return nil, ErrBasicAuthVerificationFailed
+	}
+
 	if r.Method != http.MethodPost {
 		return nil, ErrInvalidHTTPMethod
 	}
@@ -83,3 +113,13 @@ func (hook Webhook) Parse(r *http.Request, events ...Event) (interface{}, error)
 		return nil, fmt.Errorf("unknown event %s", pl.EventType)
 	}
 }
+
+func (hook Webhook) verifyBasicAuth(r *http.Request) bool {
+	// skip validation if username or password was not provided
+	if hook.username == "" && hook.password == "" {
+		return true
+	}
+	username, password, ok := r.BasicAuth()
+
+	return ok && username == hook.username && password == hook.password
+}
diff --git a/azuredevops/azuredevops_test.go b/azuredevops/azuredevops_test.go
@@ -1,6 +1,9 @@
 package azuredevops
 
 import (
+	"bytes"
+	"fmt"
+	"github.com/stretchr/testify/assert"
 	"log"
 	"net/http"
 	"net/http/httptest"
@@ -117,3 +120,66 @@ func TestWebhooks(t *testing.T) {
 		})
 	}
 }
+
+func TestParseBasicAuth(t *testing.T) {
+	const validUser = "validUser"
+	const validPass = "pass123"
+	tests := []struct {
+		name        string
+		webhookUser string
+		webhookPass string
+		reqUser     string
+		reqPass     string
+		expectedErr error
+	}{
+		{
+			name:        "valid basic auth",
+			webhookUser: validUser,
+			webhookPass: validPass,
+			reqUser:     validUser,
+			reqPass:     validPass,
+			expectedErr: fmt.Errorf("unknown event "), // no event passed, so this is expected
+		},
+		{
+			name:        "no basic auth provided",
+			expectedErr: fmt.Errorf("unknown event "), // no event passed, so this is expected
+		},
+		{
+			name:        "invalid basic auth",
+			webhookUser: validUser,
+			webhookPass: validPass,
+			reqUser:     "fakeUser",
+			reqPass:     "fakePass",
+			expectedErr: ErrBasicAuthVerificationFailed,
+		},
+	}
+
+	for _, tt := range tests {
+		h := Webhook{
+			username: tt.webhookUser,
+			password: tt.webhookPass,
+		}
+		body := []byte(`{}`)
+		r, err := http.NewRequest(http.MethodPost, "", bytes.NewBuffer(body))
+		assert.NoError(t, err)
+		r.SetBasicAuth(tt.reqUser, tt.reqPass)
+
+		p, err := h.Parse(r)
+
+		assert.Equal(t, err, tt.expectedErr)
+		assert.Nil(t, p)
+	}
+}
+
+func TestBasicAuth(t *testing.T) {
+	const user = "user"
+	const pass = "pass123"
+
+	opt := Options.BasicAuth(user, pass)
+	h := &Webhook{}
+	err := opt(h)
+
+	assert.NoError(t, err)
+	assert.Equal(t, h.username, user)
+	assert.Equal(t, h.password, pass)
+}
diff --git a/github/github.go b/github/github.go
@@ -74,6 +74,7 @@ const (
 	WorkflowJobEvent                         Event = "workflow_job"
 	WorkflowRunEvent                         Event = "workflow_run"
 	GitHubAppAuthorizationEvent              Event = "github_app_authorization"
+	CodeScanningAlertEvent                   Event = "code_scanning_alert"
 )
 
 // EventSubtype defines a GitHub Hook Event subtype
@@ -353,6 +354,10 @@ func (hook Webhook) Parse(r *http.Request, events ...Event) (interface{}, error)
 		var pl GitHubAppAuthorizationPayload
 		err = json.Unmarshal([]byte(payload), &pl)
 		return pl, err
+	case CodeScanningAlertEvent:
+		var pl CodeScanningAlertPayload
+		err = json.Unmarshal([]byte(payload), &pl)
+		return pl, err
 	default:
 		return nil, fmt.Errorf("unknown event %s", gitHubEvent)
 	}

diff --git a/github/github_test.go b/github/github_test.go
@@ -555,6 +555,15 @@ func TestWebhooks(t *testing.T) {
 				"X-Github-Event": []string{"github_app_authorization"},
 			},
 		},
+		{
+			name:     "CodeScanningAlertEvent",
+			event:    CodeScanningAlertEvent,
+			typ:      CodeScanningAlertPayload{},
+			filename: "../testdata/github/code_scanning_alert.json",
+			headers: http.Header{
+				"X-Github-Event": []string{"code_scanning_alert"},
+			},
+		},
 	}
 
 	for _, tt := range tests {