Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-48012

Webhook signature checking is skipped if incoming webhook has no signature

    XMLWordPrintable

Details

    Description

      Looking at this code https://github.com/jenkinsci/github-plugin/blob/68ceb5960549c6a5ce55c5288c7eaabbbb3719a2/src/main/java/org/jenkinsci/plugins/github/webhook/RequirePostWithGHHookPayload.java#L145

      This means that if a secret is configured but the webhook doesn't have a signature, the request is allowed. I would expect that is a secret is configured, any webhook without a signature should be rejected, i.e.:

      if(Optional.fromNullable(secret).isPresent()) {
        if(signHeader.isPresent()) {
          // Do the existing check
         } else {
          // fail the hook
        }
      }
      

      Attachments

        1. github.jpg
          github.jpg
          593 kB
        2. jenkins.jpg
          jenkins.jpg
          38 kB

        Issue Links

          Activity

            coderanger Noah Kantrowitz created issue -
            silbernm Matthias Silbernagl made changes -
            Field Original Value New Value
            Link This issue is duplicated by JENKINS-48762 [ JENKINS-48762 ]
            jglick Jesse Glick made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            jglick Jesse Glick made changes -
            Status In Progress [ 3 ] In Review [ 10005 ]
            nv035674 Nathan Vahrenberg made changes -
            Attachment jenkins.jpg [ 41176 ]
            nv035674 Nathan Vahrenberg made changes -
            Attachment github.jpg [ 41177 ]
            jglick Jesse Glick made changes -
            Labels security
            jglick Jesse Glick made changes -
            Remote Link This issue links to "github-plugin #188 (Web Link)" [ 24885 ]
            jglick Jesse Glick made changes -
            Released As https://github.com/jenkinsci/github-plugin/releases/tag/v1.29.0
            Resolution Fixed [ 1 ]
            Status In Review [ 10005 ] Resolved [ 5 ]

            People

              lanwen Kirill Merkushev
              coderanger Noah Kantrowitz
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: