Details
-
Bug
-
Status: Resolved (View Workflow)
-
Major
-
Resolution: Fixed
Description
Looking at this code https://github.com/jenkinsci/github-plugin/blob/68ceb5960549c6a5ce55c5288c7eaabbbb3719a2/src/main/java/org/jenkinsci/plugins/github/webhook/RequirePostWithGHHookPayload.java#L145
This means that if a secret is configured but the webhook doesn't have a signature, the request is allowed. I would expect that is a secret is configured, any webhook without a signature should be rejected, i.e.:
if(Optional.fromNullable(secret).isPresent()) { if(signHeader.isPresent()) { // Do the existing check } else { // fail the hook } }
Attachments
Issue Links
- is duplicated by
-
-
- Resolved
-
- links to
Activity
Noah Kantrowitz
created issue -
Matthias Silbernagl
made changes -
| Field | Original Value | New Value |
|---|---|---|
| Link |
This issue is duplicated by |
| Status | Open [ 1 ] | In Progress [ 3 ] |
| Status | In Progress [ 3 ] | In Review [ 10005 ] |
Nathan Vahrenberg
made changes -
| Attachment | jenkins.jpg [ 41176 ] |
Nathan Vahrenberg
made changes -
| Attachment | github.jpg [ 41177 ] |
| Labels | security |
| Remote Link | This issue links to "github-plugin #188 (Web Link)" [ 24885 ] |
| Released As | https://github.com/jenkinsci/github-plugin/releases/tag/v1.29.0 | |
| Resolution | Fixed [ 1 ] | |
| Status | In Review [ 10005 ] | Resolved [ 5 ] |