Loading...

XML

Word

Printable

Type: Bug
Resolution: Duplicate
Priority: Major
Component/s: github-plugin
Labels:
- github
- webhook
Environment:

Hide
Jenkins 2.89.2 (running directly, installed via apt from the official Jenkins repository)
Blue Ocean 1.3.5
Github Plugin 1.28.1

Server:
OS: Debian Stretch (64-bit)
Java: OpenJDK 1.8

Client:
OS: Windows 10 (64-bit, Version 1709)
Browser: Google Chrome 63

Show
Jenkins 2.89.2 (running directly, installed via apt from the official Jenkins repository) Blue Ocean 1.3.5 Github Plugin 1.28.1 Server: OS: Debian Stretch (64-bit) Java: OpenJDK 1.8 Client: OS: Windows 10 (64-bit, Version 1709) Browser: Google Chrome 63

When using a Shared Secret, Jenkins will accept webhook requests, which are not signed at all.

Github (Secret="123") --> Jenkins (Secret="123")
Github (Secret="wrong") --> Jenkins (Secret="123")
Github (Secret="") --> Jenkins (Secret="123") This should not be "200 OK"

The last example shows what happens when you omit the Shared Secret on the Github Webhook Configuration page but not in Jenkins. I expected Jenkins to reject the request.

duplicates

JENKINS-48012 Webhook signature checking is skipped if incoming webhook has no signature

Resolved

Assignee:: Kirill Merkushev
Reporter:: Dominique Mattern
Votes:: 1 Vote for this issue
Watchers:: 2 Start watching this issue

Created:: 2018-01-02 21:08
Updated:: 2020-04-29 15:40
Resolved:: 2020-04-29 15:40

Details

Description

Attachments

Issue Links

Activity

People

Dates