[JENKINS-48762] Unsigned Webhooks are always accepted

Type: Bug
Resolution: Duplicate
Priority: Major
Component/s: github-plugin
Labels:
- github
- webhook
Environment:

Hide
Jenkins 2.89.2 (running directly, installed via apt from the official Jenkins repository)
Blue Ocean 1.3.5
Github Plugin 1.28.1

Server:
OS: Debian Stretch (64-bit)
Java: OpenJDK 1.8

Client:
OS: Windows 10 (64-bit, Version 1709)
Browser: Google Chrome 63

Show
Jenkins 2.89.2 (running directly, installed via apt from the official Jenkins repository) Blue Ocean 1.3.5 Github Plugin 1.28.1 Server: OS: Debian Stretch (64-bit) Java: OpenJDK 1.8 Client: OS: Windows 10 (64-bit, Version 1709) Browser: Google Chrome 63

Similar Issues:
Powered by SuggestiMate

Show

When using a Shared Secret, Jenkins will accept webhook requests, which are not signed at all.

Github (Secret="123") --> Jenkins (Secret="123")
Github (Secret="wrong") --> Jenkins (Secret="123")
Github (Secret="") --> Jenkins (Secret="123") This should not be "200 OK"

The last example shows what happens when you omit the Shared Secret on the Github Webhook Configuration page but not in Jenkins. I expected Jenkins to reject the request.

duplicates

JENKINS-48012 Webhook signature checking is skipped if incoming webhook has no signature

Resolved

Dominique Mattern created issue - 2018-01-02 21:08

Dominique Mattern made changes - 2018-01-02 21:08

Description

Original: When using a Shared Secret, Jenkins will accept webhook requests, which are not signed at all.
* Github (Secret="123") --> Jenkins (Secret="123") (/)
* Github (Secret="wrong") --> Jenkins (Secret="123") (x)
* Github (Secret="") --> Jenkins (Secret="123") (/) <-- *This should not be 200 OK*

The last example shows what happens when you omit the Shared Secret on the Github Webhook Configuration page *but not in Jenkins*. I expected Jenkins to reject the request.

New: When using a Shared Secret, Jenkins will accept webhook requests, which are not signed at all.
* Github (Secret="123") --> Jenkins (Secret="123") (/)
* Github (Secret="wrong") --> Jenkins (Secret="123") (x)
* Github (Secret="") --> Jenkins (Secret="123") (/) *This should not be 200 OK*

The last example shows what happens when you omit the Shared Secret on the Github Webhook Configuration page *but not in Jenkins*. I expected Jenkins to reject the request.

Dominique Mattern made changes - 2018-01-02 21:12

Description

Original: When using a Shared Secret, Jenkins will accept webhook requests, which are not signed at all.
* Github (Secret="123") --> Jenkins (Secret="123") (/)
* Github (Secret="wrong") --> Jenkins (Secret="123") (x)
* Github (Secret="") --> Jenkins (Secret="123") (/) *This should not be 200 OK*

The last example shows what happens when you omit the Shared Secret on the Github Webhook Configuration page *but not in Jenkins*. I expected Jenkins to reject the request.

New: When using a Shared Secret, Jenkins will accept webhook requests, which are not signed at all.
* Github (Secret="123") --> Jenkins (Secret="123") (/)
* Github (Secret="wrong") --> Jenkins (Secret="123") (x)
* Github (Secret="") --> Jenkins (Secret="123") (/) *This should not be "200 OK"*

The last example shows what happens when you omit the Shared Secret on the Github Webhook Configuration page *but not in Jenkins*. I expected Jenkins to reject the request.

Matthias Silbernagl made changes - 2018-01-09 20:54

Link

New: This issue duplicates ~~JENKINS-48012~~ [ ~~JENKINS-48012~~ ]

Jesse Glick made changes - 2020-04-29 15:40

Resolution		New: Duplicate [ 3 ]
Status	Original: Open [ 1 ]	New: Resolved [ 5 ]

Assignee:: Kirill Merkushev

Reporter:: Dominique Mattern

Votes:: 1 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2018-01-02 21:08

Updated:: 2020-04-29 15:40

Resolved:: 2020-04-29 15:40

Jenkins

Details

Description

Attachments

Issue Links

Activity

People

Dates