SonarQube / SONAR-10616

Secure calls to integration/github/*


    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 7.2
    • Component/s: Web API
    • Labels:


      Validate webhook payloads against the value of the X-Hub-Signature header

      If a webhook secret is configured in SonarCloud's GitHub Application, webhook calls received from GitHub include an X-Hub-Signature header. Its value is the HMAC of the raw request body under that secret (`sha1=` followed by the hex-encoded HMAC-SHA1), so it can be used both to verify the integrity of the payload and to establish that the request actually came from GitHub.

      See the documentation and this code example for how to validate the payload.

      The GitHub App's webhook secret is provided to SonarQube through a property, and the following logic should be applied:

      • if the property is not set, the webhook must have no X-Hub-Signature header
      • if the property is set, the webhook must have an X-Hub-Signature header and its value must be valid, i.e. equal (compared in constant time) to the HMAC recomputed over the raw body with the configured secret
      • otherwise, the webhook is ignored

      In addition, since GitHub does not send any HTTP parameters with webhook deliveries, the request should be rejected if it carries any.

      Whitelist IPs allowed to call api/github_app/*

      The only accepted callers should be GitHub's public IPs.
      (TODO: get the list of public IPs from GitHub)
      GitHub publishes the address ranges its webhook deliveries originate from in the `hooks` field of https://api.github.com/meta; that list changes over time, so it should be refreshed periodically rather than hard-coded once.
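      The two checks above (signature rules keyed on whether a secret is configured, rejection of query parameters, and a source-IP allowlist), as an added stand-alone example. This is not SonarQube's code: the function names, the `ACCEPTED`/`IGNORED` outcomes, the sample secret and body, and the CIDR list are all constructed here for illustration; the CIDR list in particular is a placeholder, not GitHub's published ranges.

```python
import hashlib
import hmac
import ipaddress
from typing import Mapping, Optional, Sequence, Tuple

# Outcomes of the checks. "ignored" mirrors the ticket's wording: a request that
# fails any rule is dropped rather than answered with a detailed error.
ACCEPTED = "accepted"
IGNORED = "ignored"

SIGNATURE_HEADER = "X-Hub-Signature"


def compute_signature(secret: str, raw_body: bytes) -> str:
    """Return the value GitHub puts in X-Hub-Signature: 'sha1=' + hex(HMAC-SHA1(secret, body)).

    The MAC must be computed over the raw body exactly as received; re-serialising
    the parsed JSON would change whitespace and key order and break verification.
    """
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha1).hexdigest()
    return "sha1=" + digest


def signature_is_valid(secret: str, raw_body: bytes, header_value: str) -> bool:
    """Constant-time comparison; a plain == would leak how many leading bytes matched."""
    expected = compute_signature(secret, raw_body).encode("ascii")
    return hmac.compare_digest(expected, header_value.encode("utf-8"))


def check_webhook(headers: Mapping[str, str], query_string: str, raw_body: bytes,
                  configured_secret: Optional[str]) -> Tuple[str, str]:
    """Apply the ticket's rules and return (outcome, reason)."""
    # HTTP header names are case-insensitive; normalise before looking one up.
    lowered = {name.lower(): value for name, value in headers.items()}
    signature = lowered.get(SIGNATURE_HEADER.lower())

    # GitHub never sends query parameters on webhook deliveries.
    if query_string:
        return IGNORED, "unexpected query parameters"

    if configured_secret is None:
        # No secret configured: a signed request is unexpected and is ignored.
        if signature is not None:
            return IGNORED, "X-Hub-Signature present but no secret configured"
        return ACCEPTED, "no secret configured, unsigned payload accepted"

    if signature is None:
        return IGNORED, "secret configured but X-Hub-Signature missing"
    if not signature_is_valid(configured_secret, raw_body, signature):
        return IGNORED, "X-Hub-Signature does not match payload"
    return ACCEPTED, "signature verified"


def ip_allowed(client_ip: str, allowed_cidrs: Sequence[str]) -> bool:
    """True if client_ip falls inside any of the allowlisted CIDR ranges (v4 or v6)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in allowed_cidrs)


# Constructed sample data so the module runs offline. SAMPLE_CIDRS is a placeholder
# (documentation ranges), not GitHub's real webhook source addresses.
SAMPLE_SECRET = "example-webhook-secret"
SAMPLE_BODY = b'{"action":"opened","installation":{"id":42}}'
SAMPLE_CIDRS = ["192.0.2.0/24", "2001:db8::/32"]

if __name__ == "__main__":
    signed = {SIGNATURE_HEADER: compute_signature(SAMPLE_SECRET, SAMPLE_BODY)}
    print(check_webhook(signed, "", SAMPLE_BODY, SAMPLE_SECRET))
    print(check_webhook({}, "", SAMPLE_BODY, SAMPLE_SECRET))
    print(check_webhook(signed, "", SAMPLE_BODY, None))
    print(check_webhook(signed, "a=1", SAMPLE_BODY, SAMPLE_SECRET))
    print(ip_allowed("192.0.2.7", SAMPLE_CIDRS), ip_allowed("198.51.100.1", SAMPLE_CIDRS))
```

In a real deployment the IP check runs first, before the body is read, and the signature check needs access to the raw request bytes; frameworks that parse JSON eagerly must be asked for the original body, not the re-encoded object.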





              • Assignee: Sebastien Lesaint
              • Votes: 0
              • Watchers: 1


                • Created: