• Icon: Bug Bug
    • Resolution: Duplicate
    • Icon: Major Major
    • github-plugin

      When using a Shared Secret, Jenkins will accept webhook requests, which are not signed at all.

      • Github (Secret="123") --> Jenkins (Secret="123") 
      • Github (Secret="wrong") --> Jenkins (Secret="123") 
      • Github (Secret="") --> Jenkins (Secret="123")   This should not be "200 OK"

      The last example shows what happens when you omit the Shared Secret on the Github Webhook Configuration page but not in Jenkins. I expected Jenkins to reject the request.

          [JENKINS-48762] Unsigned Webhooks are always accepted

          There are no comments yet on this issue.

            lanwen Kirill Merkushev
            nullentity Dominique Mattern
            Votes:
            1 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: