SonarQube / SONAR-10616

Secure calls to integration/github/*


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 7.2
    • Component/s: Web API
    • Labels: None

      Description

      Validate webhook payloads against the value of the X-Hub-Signature header

      If a webhook secret is configured in SonarCloud's GitHub Application, webhook calls received from GitHub will include an X-Hub-Signature header. This header can be used to validate the integrity of the webhook payload and to ensure the request actually came from GitHub.

      See documentation and this code example to validate the payload.

      The GitHub App's webhook secret is provided to SonarQube through a property, and the following logic should be applied:

      • if the property is not set, webhooks must have no X-Hub-Signature header
      • if the property is set, the webhook must have an X-Hub-Signature header and its value must be valid for the payload
      • otherwise, the webhook is ignored

      In addition, since GitHub does not send any HTTP parameters, the request should be rejected if it carries any.

      Whitelist IPs allowed to call api/github_app/*

      The only accepted caller IPs should be GitHub's public IPs
      (TODO: get the list of public IPs from Github)
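The two requirements above (signature rule plus parameter rejection, and the IP whitelist) combined into one check, as an added illustration that is not SonarQube's code. The `sha1=` + hex HMAC-SHA1 format is GitHub's documented X-Hub-Signature encoding; everything else is assumed: the function names are hypothetical, and the CIDR ranges are placeholders constructed for the example, not GitHub's published list (which the issue leaves as a TODO).

```python
import hashlib
import hmac
import ipaddress
from typing import Iterable, Mapping, Optional

# Placeholder source ranges, constructed for this example. GitHub publishes the
# real ranges its webhook deliveries originate from; the issue leaves fetching
# that list as a TODO, so nothing here should be mistaken for the actual list.
HYPOTHETICAL_GITHUB_HOOK_CIDRS = (
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
)


def expected_signature(secret: bytes, body: bytes) -> str:
    """Value GitHub puts in X-Hub-Signature: 'sha1=' + hex HMAC-SHA1 of the raw body."""
    return "sha1=" + hmac.new(secret, body, hashlib.sha1).hexdigest()


def signature_status(secret: Optional[bytes], header: Optional[str], body: bytes) -> str:
    """Three-way rule from the issue. Returns 'accept' or 'ignore'.

    - secret not configured: the header must be absent
    - secret configured: the header must be present and match the body
    - anything else: ignore the delivery
    """
    if secret is None:
        return "accept" if header is None else "ignore"
    if header is None:
        return "ignore"
    expected = expected_signature(secret, body).encode("ascii")
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    if hmac.compare_digest(header.encode("utf-8"), expected):
        return "accept"
    return "ignore"


def is_allowed_ip(remote_ip: str, allowlist: Iterable = HYPOTHETICAL_GITHUB_HOOK_CIDRS) -> bool:
    """True when remote_ip (IPv4 or IPv6) falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        # Not a parseable address at all: never allowed.
        return False
    # 'in' is False across IP versions, so a v4 address never matches a v6 net.
    return any(addr in net for net in allowlist)


def accept_webhook(
    secret: Optional[bytes],
    headers: Mapping[str, str],
    query_params: Mapping[str, str],
    body: bytes,
    remote_ip: str,
    allowlist: Iterable = HYPOTHETICAL_GITHUB_HOOK_CIDRS,
) -> bool:
    """Combine all three checks; any failure rejects the delivery."""
    if not is_allowed_ip(remote_ip, allowlist):
        return False
    # GitHub sends no query parameters, so any parameter is a reason to reject.
    if query_params:
        return False
    # HTTP header names are case-insensitive; normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    return signature_status(secret, lowered.get("x-hub-signature"), body) == "accept"


if __name__ == "__main__":
    # Constructed demo values.
    secret = b"constructed-demo-secret"
    body = b'{"action":"opened"}'
    headers = {"X-Hub-Signature": expected_signature(secret, body),
               "Content-Type": "application/json"}
    print(accept_webhook(secret, headers, {}, body, "192.0.2.10"))            # True
    print(accept_webhook(secret, headers, {"debug": "1"}, body, "192.0.2.10"))  # False
    print(accept_webhook(secret, {}, {}, body, "192.0.2.10"))                   # False
```

The signature must be computed over the raw request bytes exactly as received; re-serialising a parsed JSON body changes whitespace and key order and will not match what GitHub signed.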


      People

      Assignee: Sebastien Lesaint (sebastien.lesaint)
      Reporter: Sebastien Lesaint (sebastien.lesaint)
      Votes: 0
      Watchers: 1
