Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-48012

Webhook signature checking is skipped if incoming webhook has no signature

    XMLWordPrintable

Details

    Description

      Looking at this code https://github.com/jenkinsci/github-plugin/blob/68ceb5960549c6a5ce55c5288c7eaabbbb3719a2/src/main/java/org/jenkinsci/plugins/github/webhook/RequirePostWithGHHookPayload.java#L145

      This means that if a secret is configured but the webhook doesn't have a signature, the request is allowed. I would expect that is a secret is configured, any webhook without a signature should be rejected, i.e.:

      if(Optional.fromNullable(secret).isPresent()) {
  if(signHeader.isPresent()) {
    // Do the existing check
   } else {
    // fail the hook
  }
}

      Attachments

        1. github.jpg
          github.jpg
          593 kB
        2. jenkins.jpg
          jenkins.jpg
          38 kB

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-48762 Unsigned Webhooks are always accepted

          • Major - Major loss of function.
          • Resolved
          links to

          Web Link github-plugin #188

          Activity

            People

              lanwen Kirill Merkushev
              coderanger Noah Kantrowitz
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: