Loading...

This issue is archived. You can view it, but you can't modify it. Learn more

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Major
Component/s: github-plugin
Labels:
- issue-exported-to-github
- security

Released As:
https://github.com/jenkinsci/github-plugin/releases/tag/v1.29.0

Looking at this code https://github.com/jenkinsci/github-plugin/blob/68ceb5960549c6a5ce55c5288c7eaabbbb3719a2/src/main/java/org/jenkinsci/plugins/github/webhook/RequirePostWithGHHookPayload.java#L145

This means that if a secret is configured but the webhook doesn't have a signature, the request is allowed. I would expect that is a secret is configured, any webhook without a signature should be rejected, i.e.:

if(Optional.fromNullable(secret).isPresent()) {
  if(signHeader.isPresent()) {
    // Do the existing check
   } else {
    // fail the hook
  }
}

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

github.jpg
2018-01-19 14:29
593 kB
Nathan Vahrenberg
jenkins.jpg
2018-01-19 14:28
38 kB
Nathan Vahrenberg

is duplicated by

JENKINS-48762 Unsigned Webhooks are always accepted

Resolved

links to

github-plugin #188

Assignee:: Kirill Merkushev
Reporter:: Noah Kantrowitz

Created:: 2017-11-14 19:50
Updated:: 2025-12-09 07:17
Resolved:: 2020-04-29 15:39
Archived:: 2025-12-09 07:17

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates