Skip to content

[JENKINS-33974] Payload verification using shared secrets#134

Merged
lanwen merged 2 commits intojenkinsci:masterfrom
lanwen:hook_secrets
Aug 12, 2016
Merged

[JENKINS-33974] Payload verification using shared secrets#134
lanwen merged 2 commits intojenkinsci:masterfrom
lanwen:hook_secrets

Conversation

@lanwen
Copy link
Member

@lanwen lanwen commented Aug 11, 2016
edited
Loading

Closes #129

This change is Reviewable

@codecov-io
Copy link

codecov-io commented Aug 11, 2016
edited
Loading

Current coverage is 75.07% (diff: 86.74%)

Merging #134 into master will increase coverage by 0.46%

@@             master       #134   diff @@
==========================================
  Files            62         64     +2   
  Lines          1339       1412    +73   
  Methods           0          0          
  Messages          0          0          
  Branches        141        146     +5   
==========================================
+ Hits            999       1060    +61   
- Misses          296        307    +11   
- Partials         44         45     +1

Powered by Codecov. Last update 5c8af54...70117b9

@lanwen lanwen force-pushed the hook_secrets branch 5 times, most recently from 452f399 to b1dae00 Compare August 12, 2016 12:42
@lanwen
Use OOP power to calculate sign, add integration test
70117b9 
also don't bother signature validation if no header from github with signature
@lanwen lanwen changed the title [WiP][JENKINS-33974] Payload verification using shared secrets [JENKINS-33974] Payload verification using shared secrets Aug 12, 2016
@lanwen lanwen merged commit 0f90fe7 into jenkinsci:master Aug 12, 2016
@lanwen lanwen deleted the hook_secrets branch August 12, 2016 19:39
@MartinNowak
Copy link

MartinNowak commented Mar 4, 2017
edited
Loading

This seems to fail for some form encoded payloads, like the one attached below @lanwen.
payload.encoded.txt
payload.json.txt

Running URLEncode(URLDecode(payload)) does not return the same result, apparently b/c ~ is encoded to %7E by Java but not by GH.

@MartinNowak MartinNowak mentioned this pull request Mar 4, 2017
Closed
@lanwen
Copy link
Member Author

lanwen commented Mar 5, 2017

@MartinNowak can you write a test to reproduce? (And may be a full fix?:)

@MartinNowak
Copy link

MartinNowak commented Mar 14, 2017

No, too much time already spent on figuring this out, and I'm neither familiar with nor keen to dig further into this mass of Java code/plugins.
The obvious fix is to checksum the original request body instead of trying to recreate it from the decoded form.

There isn't much wrong with recommending application/json as workaround, though GH uses application/x-www-form-urlencoded by default which applies to the hooks installed by github-organization (or github-branch-source or github-api or whatever).

@lanwen
Copy link
Member Author

lanwen commented Mar 14, 2017

Ok, thanks in any case, will try to do something

@nh2
Copy link

nh2 commented Nov 4, 2017

I'm also still seeing Provided signature [aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa] did not match to calculated for specific branch names, when using application/x-www-form-urlencoded.

I suspect in my case it's because the branch name contains a .

@daniel-beck daniel-beck mentioned this pull request Jan 12, 2018
Merged
@jglick jglick mentioned this pull request Apr 29, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@lanwen @codecov-io @MartinNowak @nh2 @martinmine