Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-48012

Webhook signature checking is skipped if incoming webhook has no signature

XMLWordPrintable

      Looking at this code https://github.com/jenkinsci/github-plugin/blob/68ceb5960549c6a5ce55c5288c7eaabbbb3719a2/src/main/java/org/jenkinsci/plugins/github/webhook/RequirePostWithGHHookPayload.java#L145

      This means that if a secret is configured but the webhook doesn't have a signature, the request is allowed. I would expect that is a secret is configured, any webhook without a signature should be rejected, i.e.:

      if(Optional.fromNullable(secret).isPresent()) {
        if(signHeader.isPresent()) {
          // Do the existing check
         } else {
          // fail the hook
        }
      }
      

        1. github.jpg
          593 kB
          Nathan Vahrenberg
        2. jenkins.jpg
          38 kB
          Nathan Vahrenberg

            lanwen Kirill Merkushev
            coderanger Noah Kantrowitz
            Votes:
            1 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: