Github Webhooks not passing HMAC secret validation for certain commit messages

XMLWordPrintable

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Component/s: github-plugin
    • None
    • Environment:
      GitHub Enterprise with webhooks enabled for pushes
      Jenkins with GitHub plug-in 1.34.3
      Secret enabled

      GitHub hooks for certain payloads don't pass secret validation in GitHub plug-in.

      The easiest way to reproduce it at our side is to include a character tilda '~' or asterisk '*' into the commit message.

       

      One possible theory why this happens: GitHub doesn't execute URL Encoding of commit message content and calculates the HMAC based on the payload without encoding, while Jenkins GitHub plug-in executes URL-Encoding of the whole payload 

      https://github.com/jenkinsci/github-plugin/blob/master/src/main/java/org/jenkinsci/plugins/github/webhook/RequirePostWithGHHookPayload.java#L176

       

      (NOTE: this theory may be wrong since it's questionable how it can affect the asterisk character).

            Assignee:
            Kirill Merkushev
            Reporter:
            Leonid Rozenblyum
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated: