Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-48762

Unsigned Webhooks are always accepted

    XMLWordPrintable

Details

    • Bug
    • Status: Resolved (View Workflow)
    • Major
    • Resolution: Duplicate
    • github-plugin

    Description

      When using a Shared Secret, Jenkins will accept webhook requests, which are not signed at all.

      • Github (Secret="123") --> Jenkins (Secret="123") 
      • Github (Secret="wrong") --> Jenkins (Secret="123") 
      • Github (Secret="") --> Jenkins (Secret="123")   This should not be "200 OK"

      The last example shows what happens when you omit the Shared Secret on the Github Webhook Configuration page but not in Jenkins. I expected Jenkins to reject the request.

      Attachments

        Issue Links

          Activity

            People

              lanwen Kirill Merkushev
              nullentity Dominique Mattern
              Votes:
              1 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: