Status: Resolved
Jenkins 2.89.2 (running directly, installed via apt from the official Jenkins repository)
Blue Ocean 1.3.5
Github Plugin 1.28.1
OS: Debian Stretch (64-bit)
Java: OpenJDK 1.8
OS: Windows 10 (64-bit, Version 1709)
Browser: Google Chrome 63
When using a Shared Secret, Jenkins will accept webhook requests that are not signed at all.
- Github (Secret="123") --> Jenkins (Secret="123")
- Github (Secret="wrong") --> Jenkins (Secret="123")
- Github (Secret="") --> Jenkins (Secret="123"): this should not be "200 OK"
The last example shows what happens when you omit the Shared Secret on the Github Webhook Configuration page but not in Jenkins. I expected Jenkins to reject the request.
JENKINS-48012 Webhook signature checking is skipped if incoming webhook has no signature
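The three cases listed above, as an added example that is not the GitHub plugin's own code: the vulnerable shape, which only verifies when an `X-Hub-Signature` header is present, beside a fail-closed version. The secret, payload and header format (`<algo>=<hex HMAC>`, as GitHub sends it) are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values (not taken from the issue).
SECRET = b"123"
PAYLOAD = b'{"ref":"refs/heads/master","repository":{"full_name":"example/repo"}}'
SUPPORTED = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def sign(secret: bytes, payload: bytes, algo: str = "sha1") -> str:
    """Produce a GitHub-style X-Hub-Signature value, '<algo>=<hex HMAC>'."""
    return f"{algo}={hmac.new(secret, payload, SUPPORTED[algo]).hexdigest()}"


def _matches(secret: bytes, payload: bytes, header: str) -> bool:
    """Recompute the HMAC for the algorithm named in the header and compare in constant time."""
    algo, sep, _ = header.partition("=")
    if not sep or algo not in SUPPORTED:
        return False  # malformed or unsupported prefix is a rejection
    expected = sign(secret, payload, algo)
    return hmac.compare_digest(expected.encode(), header.encode())


def verify_skip_if_absent(secret: bytes, payload: bytes, header: Optional[str]) -> bool:
    """The failure mode reported above: the check only runs when a signature
    header arrives, so an unsigned delivery is accepted."""
    if header is None:
        return True  # BUG: unsigned request accepted even though a secret is configured
    return _matches(secret, payload, header)


def verify_fail_closed(secret: bytes, payload: bytes, header: Optional[str]) -> bool:
    """Hardened form: once a secret is configured, a missing or malformed
    signature is rejected rather than skipped."""
    if not secret:
        return True  # no secret configured, so there is nothing to verify
    if not header:
        return False
    return _matches(secret, payload, header)


if __name__ == "__main__":
    cases = {"correct secret": sign(b"123", PAYLOAD),
             "wrong secret": sign(b"wrong", PAYLOAD),
             "no signature": None}
    for name, hdr in cases.items():
        print(f"{name:15s} skip-if-absent={verify_skip_if_absent(SECRET, PAYLOAD, hdr)!s:5s} "
              f"fail-closed={verify_fail_closed(SECRET, PAYLOAD, hdr)}")
```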