Jenkins
JENKINS-48762

Unsigned Webhooks are always accepted


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Component: github-plugin

    Description

      When using a Shared Secret, Jenkins will accept webhook requests that are not signed at all.

      • GitHub (Secret="123") --> Jenkins (Secret="123")   accepted
      • GitHub (Secret="wrong") --> Jenkins (Secret="123")   rejected
      • GitHub (Secret="") --> Jenkins (Secret="123")   accepted. This should not be "200 OK"

      The last example shows what happens when you omit the Shared Secret on the GitHub Webhook Configuration page but not in Jenkins. I expected Jenkins to reject the request.
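The three cases from the report, replayed against a minimal webhook receiver in Python. This is an added example written for this page, not code from the github-plugin or from the reporter: the lenient policy models the behaviour the report describes (the signature is checked only when a header is present), the strict policy is the fix a practitioner would expect (once a secret is configured, a missing or malformed signature is a rejection). The sample payload, the header handling and the request simulation are assumptions; the header format (X-Hub-Signature: sha1=<hex HMAC of the raw body>) and the fact that GitHub sends no signature header when no secret is configured follow GitHub's documented webhook behaviour.

```python
import hashlib
import hmac
from typing import Dict, Mapping

# Constructed sample payload standing in for a GitHub "push" event body (assumption).
SAMPLE_BODY = b'{"ref":"refs/heads/main","repository":{"full_name":"example/repo"}}'
JENKINS_SECRET = "123"   # the shared secret configured on the Jenkins side, as in the report


def github_signature(secret: str, body: bytes) -> str:
    """HMAC-SHA1 of the raw request body, formatted as GitHub puts it in X-Hub-Signature."""
    digest = hmac.new(secret.encode(), body, hashlib.sha1).hexdigest()
    return f"sha1={digest}"


def simulate_github_request(secret: str, body: bytes) -> Dict[str, str]:
    """Headers GitHub sends for a delivery; with an empty secret no signature header is sent."""
    headers = {"Content-Type": "application/json", "X-GitHub-Event": "push"}
    if secret:
        headers["X-Hub-Signature"] = github_signature(secret, body)
    return headers


def accept_lenient(configured_secret: str, headers: Mapping[str, str], body: bytes) -> bool:
    """Behaviour the report describes: the signature is verified only when present,
    so an unsigned request is accepted even though a secret is configured."""
    sig = headers.get("X-Hub-Signature")
    if not configured_secret or sig is None:
        return True
    return hmac.compare_digest(sig, github_signature(configured_secret, body))


def accept_strict(configured_secret: str, headers: Mapping[str, str], body: bytes) -> bool:
    """Hardened check: once a secret is configured, absence or malformation of the
    signature header is a rejection, and the comparison is constant-time."""
    if not configured_secret:
        return True          # no secret configured: nothing to verify (operator's choice)
    sig = headers.get("X-Hub-Signature")
    if sig is None or not sig.startswith("sha1="):
        return False         # missing or malformed header is a failure, not a pass
    return hmac.compare_digest(sig, github_signature(configured_secret, body))


def run_cases() -> Dict[str, Dict[str, bool]]:
    """Replay the three GitHub-side secrets from the report against both policies.
    Returns {policy: {github_secret: accepted}}."""
    results: Dict[str, Dict[str, bool]] = {"lenient": {}, "strict": {}}
    for github_secret in ("123", "wrong", ""):
        headers = simulate_github_request(github_secret, SAMPLE_BODY)
        results["lenient"][github_secret] = accept_lenient(JENKINS_SECRET, headers, SAMPLE_BODY)
        results["strict"][github_secret] = accept_strict(JENKINS_SECRET, headers, SAMPLE_BODY)
    return results


if __name__ == "__main__":
    for policy, outcome in run_cases().items():
        for github_secret, ok in outcome.items():
            verdict = "200 OK" if ok else "rejected"
            print(f"{policy:8} GitHub secret={github_secret!r:8} -> {verdict}")
```

The lenient policy reproduces the report exactly: matching secret accepted, wrong secret rejected, no secret accepted. The strict policy turns the third case into a rejection. Verification must always run over the raw bytes of the body before any JSON parsing, since re-serialising the payload changes the HMAC input.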

      Issue Links

        duplicates JENKINS-48012

          Activity

            nullentity Dominique Mattern created issue -
            nullentity Dominique Mattern made changes -
            Description edited twice (formatting only: result markers on the three cases and quoting of the "200 OK" line)
            silbernm Matthias Silbernagl made changes -
            Link This issue duplicates JENKINS-48012 [ JENKINS-48012 ]
            jglick Jesse Glick made changes -
            Resolution Duplicate [ 3 ]
            Status Open [ 1 ] Resolved [ 5 ]

            People

              lanwen Kirill Merkushev
              nullentity Dominique Mattern
              Votes: 1
              Watchers: 2