
Webhook CSRF token authenticity #871

Closed

ixai opened this issue Feb 13, 2019 · 3 comments

Comments

@ixai (Contributor) commented Feb 13, 2019

While trying to set up an instance of shipit, all webhooks sent by GitHub are being rejected because of a CSRF token authenticity issue (logs after the break). Looking around, I found this commit 6c84ccf that seems to enable CSRF validation for the /webhooks endpoint. I manually reverted that change and the hook was accepted. This is obviously not the correct way to do this; could you help me understand how to work around CSRF for webhooks?

I, [2019-02-13T20:27:14.366776 #8]  INFO -- : [235792a3-5e6f-4c2a-98a4-52f0836694da] Started POST "/webhooks" for 192.30.252.35 at 2019-02-13 20:27:14 +0000
I, [2019-02-13T20:27:14.370870 #8]  INFO -- : [235792a3-5e6f-4c2a-98a4-52f0836694da] Processing by Shipit::WebhooksController#create as */*
I, [2019-02-13T20:27:14.380176 #8]  INFO -- : [235792a3-5e6f-4c2a-98a4-52f0836694da]   Parameters: {"number"=>2, "pull_request"=>{...}}
W, [2019-02-13T20:27:14.380971 #8]  WARN -- : [235792a3-5e6f-4c2a-98a4-52f0836694da] Can't verify CSRF token authenticity.
I, [2019-02-13T20:27:14.381261 #8]  INFO -- : [235792a3-5e6f-4c2a-98a4-52f0836694da] Completed 422 Unprocessable Entity in 1ms
F, [2019-02-13T20:27:14.382093 #8] FATAL -- : [235792a3-5e6f-4c2a-98a4-52f0836694da]
F, [2019-02-13T20:27:14.382134 #8] FATAL -- : [235792a3-5e6f-4c2a-98a4-52f0836694da] ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
F, [2019-02-13T20:27:14.382161 #8] FATAL -- : [235792a3-5e6f-4c2a-98a4-52f0836694da]
F, [2019-02-13T20:27:14.382201 #8] FATAL -- : [235792a3-5e6f-4c2a-98a4-52f0836694da] actionpack (5.2.2) lib/action_controller/metal/request_forgery_protection.rb:211:in `handle_unverified_request'
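The rejection in the log above is Rails' CSRF check firing on a request that, by design, carries no session or CSRF token, and the issue was resolved by exempting the webhook route from that check. As an added example that is not shipit's code, the following shows the check that stands in for CSRF on such a route: verifying the HMAC signature GitHub sends in its X-Hub-Signature-256 header. The secret, the sample body and the `WEBHOOK_SECRET` constant in the controller sketch are assumptions for illustration.

```ruby
require "openssl"

# Added example (not shipit's code). A webhook sender cannot carry a Rails
# CSRF token, so once the route is exempted from verify_authenticity_token
# its authenticity must come from GitHub's signature header instead:
# HMAC-SHA256 over the raw request body, keyed with the shared webhook
# secret, rendered as "sha256=<hex>" in X-Hub-Signature-256.
module WebhookSignature
  PREFIX = "sha256=".freeze

  # Expected header value for a given raw body and secret.
  def self.expected(secret, raw_body)
    PREFIX + OpenSSL::HMAC.hexdigest("SHA256", secret, raw_body)
  end

  # Constant-time comparison so the digest cannot be learned byte by byte
  # from response timing; unequal lengths can never match, so bail early.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # True only when the header is present, well-formed and matches the body.
  def self.valid?(secret, raw_body, header)
    return false if header.nil? || !header.start_with?(PREFIX)
    secure_equal?(expected(secret, raw_body), header)
  end
end

# Sketch of how a Rails webhook controller would use it (assumes a
# WEBHOOK_SECRET constant; not runnable outside Rails):
#   skip_before_action :verify_authenticity_token
#   before_action do
#     sig = request.headers["X-Hub-Signature-256"]
#     head :unauthorized unless WebhookSignature.valid?(WEBHOOK_SECRET, request.raw_post, sig)
#   end

# Constructed sample delivery: one genuine, one tampered, one unsigned.
if $PROGRAM_NAME == __FILE__
  secret = "constructed-secret"
  body = '{"number":2,"pull_request":{"state":"open"}}'
  sig = WebhookSignature.expected(secret, body)
  puts WebhookSignature.valid?(secret, body, sig)        # true
  puts WebhookSignature.valid?(secret, body + " ", sig)  # false: body altered
  puts WebhookSignature.valid?(secret, body, nil)        # false: no header
end
```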
@byroot (Contributor) commented Feb 13, 2019

Thanks for the report. Someone else noticed it too recently cc @celsodantas.

I'll try to figure out why it was breaking our install and revert that commit.

@casperisfine (Contributor) commented Feb 14, 2019

Reverted in f094487 and improved in 3a3a136

I'll release a new version in a bit.

@ixai (Contributor, Author) commented Feb 14, 2019

Thank you!
