Deprecate and remove shared secret from webhook payloads #11755
Comments
|
A note on the webhook documentation: that's already quite outdated (missing fields, headers, etc.) and very incomplete. I'm working on a full rewrite (cf. #9485), but I currently don't know when that will be finished. Until then, I'd suggest simply adding a deprecation warning above the push example with a reference to the |
|
This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions. |
|
Yes, this is still valid. |
|
This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions. |
zeripath
added
topic/security
|
AFAICS this is still present but it needs a security tag. I don't understand completely why this was ever put there, and therefore I don't know why it hasn't been removed - but clearly it needs to be dealt with. Now this is too late for 1.13 but I think we can just deprecate the secret from 1.13 so that it will be gone from 1.14 and anyone requiring it just has to do something about it. |
|
@zeripath shouldn't this be moved to |
|
Shouldn't this be on the 1.13.0 milestone until the deprecation warnings are in? Just trying to make sure this isn't delayed by another version due to this. |
|
@JustAnotherArchivist we will mention in 1.13.0 blog post |
|
I see. I feel like a warning should also be added to the webhook docs and config page. |
|
That's reasonable. Would you be open to making a PR :) |
|
Sure. I'll need some guidance on how to integrate it into the web UI though. Also, I noticed that the secret is also included on Gogs webhooks. It appears like Gogs itself didn't have it in the payload since early 2017 (gogs/gogs#3692), but that should be verified first to avoid breaking existing hooks. |
|
Checklist:
|
I don't think there's a sensible place for that - the webhook page simply links to gitea.io. I would guess that means we don't need to do anything about that. |
|
Thinking about it again, yeah, I guess you're right. The secret itself isn't being deprecated, only its inclusion in the payload, and the web interface makes no attempt to describe what the payload is (except that you can look at the payloads on delivered hooks). |
|
Just FYI this will require appropriate PR for |
|
@CirnoT https://github.com/drone/go-scm/blob/427b8a85897c892148801824760bc66d3a3cdcdb/scm/driver/gitea/webhook.go#L76 should already be suitable, no? |
|
Ah sorry, yes. That's Also it uses
|
|
@CirnoT no worries, I added in support for the signature checking via header so I was worried I missed something haha.
|
|
I believe |
It's part of URI that Drone installs as webhook; like I said, most likely workaround from when there was no support for signature in Gitea |
|
@techknowlogick It appears this was missed on the release notes and blog post unless I'm blind? |
|
@JustAnotherArchivist Thanks for reminder. I've just pushed up an update to the release blog post. |
This PR removes multiple unneeded fields from the `HookTask` struct and adds the two headers `X-Hub-Signature` and `X-Hub-Signature-256`. ##⚠️ BREAKING⚠️ * The `Secret` field is no longer passed as part of the payload. * "Breaking" change (or fix?): The webhook history shows the real called url and not the url registered in the webhook (`deliver.go`@129). Close #16115 Fixes #7788 Fixes #11755 Co-authored-by: zeripath <[email protected]>
This PR removes multiple unneeded fields from the `HookTask` struct and adds the two headers `X-Hub-Signature` and `X-Hub-Signature-256`. ##⚠️ BREAKING⚠️ * The `Secret` field is no longer passed as part of the payload. * "Breaking" change (or fix?): The webhook history shows the real called url and not the url registered in the webhook (`deliver.go`@129). Close go-gitea#16115 Fixes go-gitea#7788 Fixes go-gitea#11755 Co-authored-by: zeripath <[email protected]>
Gitea currently sends the
secretin the webhook payload in plaintext. This renders signature validation entirely useless since an attacker could freely manipulate the payload without detection.Signatures were originally requested in #3901 and added in #6428. This problem was also mentioned in a comment in the former, but no separate issue for this security problem has been filed. Since then, it has been mentioned in a few comments that the
secretis deprecated and will be removed (e.g. #7487 (comment), #5173 (comment)). However, a deprecation notice in the changelog and the documentation is missing, so only few people will notice.An official deprecation warning should be added to the changelog as soon as possible, ideally with the release of 1.12.0. This should also include information on when the field will be removed entirely.
The text was updated successfully, but these errors were encountered: