From b5552a216de58109b286378907b4978d9db9ac1d Mon Sep 17 00:00:00 2001
From: Andras Bacsai
Date: Tue, 14 May 2024 11:55:20 +0200
Subject: [PATCH] fix: only allow push and mr gitlab events
---
 app/Http/Controllers/Webhook/Gitlab.php | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/app/Http/Controllers/Webhook/Gitlab.php b/app/Http/Controllers/Webhook/Gitlab.php
index 65ce9910b..763f95bbc 100644
--- a/app/Http/Controllers/Webhook/Gitlab.php
+++ b/app/Http/Controllers/Webhook/Gitlab.php
@@ -38,6 +38,15 @@ class Gitlab extends Controller
 $headers = $request->headers->all();
 $x_gitlab_token = data_get($headers, 'x-gitlab-token.0');
 $x_gitlab_event = data_get($payload, 'object_kind');
+ $allowed_events = ['push', 'merge_request'];
+ if (!in_array($x_gitlab_event, $allowed_events)) {
+ $return_payloads->push([
+ 'status' => 'failed',
+ 'message' => 'Event not allowed. Only push and merge_request events are allowed.',
+ ]);
+ return response($return_payloads);
+ }
+
 if ($x_gitlab_event === 'push') {
 $branch = data_get($payload, 'ref');
 $full_name = data_get($payload, 'project.path_with_namespace');
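Review bot: The allow-list check `in_array($x_gitlab_event, $allowed_events)` compares loosely, and `$x_gitlab_event` is read from the request body (`object_kind`), so a non-string JSON value such as boolean `true` compares equal to `'push'` and passes the filter. Pass the strict flag: `if (!in_array($x_gitlab_event, $allowed_events, true)) {`. The visible `=== 'push'` branch below is strict, so such a value would probably match neither handler, but the filter should not depend on that. The rejection is returned through `response($return_payloads)` with no explicit status, which presumably yields the default 200; a 4xx status would make rejected events easier to spot in GitLab's delivery log and in monitoring. The enclosing method starts and ends outside the hunk, so whether the token in `$x_gitlab_token` is verified before this point cannot be seen here.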