Webhook CSRF token authenticity #871

Closed
ixai opened this issue Feb 13, 2019 · 3 comments

@ixai (Contributor) commented Feb 13, 2019

While trying to set up an instance of shipit, all webhooks sent by GitHub are being rejected because of a CSRF token authenticity issue (logs after the break). Looking around, I found this commit 6c84ccf that seems to enable CSRF validation for the /webhooks endpoint. I manually reverted that change and the hook was accepted. This is obviously not the correct way to do this; could you help me understand how to work around CSRF for webhooks?

I, [2019-02-13T20:27:14.366776 #8]  INFO -- : [235792a3-5e6f-4c2a-98a4-52f0836694da] Started POST "/webhooks" for 192.30.252.35 at 2019-02-13 20:27:14 +0000
I, [2019-02-13T20:27:14.370870 #8]  INFO -- : [235792a3-5e6f-4c2a-98a4-52f0836694da] Processing by Shipit::WebhooksController#create as */*
I, [2019-02-13T20:27:14.380176 #8]  INFO -- : [235792a3-5e6f-4c2a-98a4-52f0836694da]   Parameters: {"number"=>2, "pull_request"=>{...}}
W, [2019-02-13T20:27:14.380971 #8]  WARN -- : [235792a3-5e6f-4c2a-98a4-52f0836694da] Can't verify CSRF token authenticity.
I, [2019-02-13T20:27:14.381261 #8]  INFO -- : [235792a3-5e6f-4c2a-98a4-52f0836694da] Completed 422 Unprocessable Entity in 1ms
F, [2019-02-13T20:27:14.382093 #8] FATAL -- : [235792a3-5e6f-4c2a-98a4-52f0836694da]
F, [2019-02-13T20:27:14.382134 #8] FATAL -- : [235792a3-5e6f-4c2a-98a4-52f0836694da] ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
F, [2019-02-13T20:27:14.382161 #8] FATAL -- : [235792a3-5e6f-4c2a-98a4-52f0836694da]
F, [2019-02-13T20:27:14.382201 #8] FATAL -- : [235792a3-5e6f-4c2a-98a4-52f0836694da] actionpack (5.2.2) lib/action_controller/metal/request_forgery_protection.rb:211:in `handle_unverified_request'
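The log above is the standard Rails behaviour: the CSRF check looks for a session-bound token that a browser form would carry, and a GitHub delivery never has one, so the request is rejected with 422. The usual resolution in a Rails application is to exempt the webhook action from the token check and authenticate the delivery by the HMAC signature GitHub computes over the raw body with the hook's shared secret. The block below is an added example of that pattern, not shipit's own code: the `handle_webhook` handler, the `demo` function and the sample secret and body are constructed for this example, `verify_github_signature!` is a hypothetical name, and the constant-time compare is a stdlib version of what `ActiveSupport::SecurityUtils.secure_compare` provides, so the file runs without Rails.

```ruby
require "openssl"

# Verification of GitHub webhook deliveries by HMAC signature instead of the
# Rails CSRF token. Added example, not shipit's code. GitHub signs the raw
# request body with the secret configured on the hook and sends the result as
# `X-Hub-Signature-256: sha256=<hex>` (older deliveries used `X-Hub-Signature`
# with sha1; the same scheme applies).
module GithubWebhookSignature
  HEADER = "X-Hub-Signature-256"

  # Signature GitHub would produce for this body under this secret.
  def self.expected(secret, body)
    "sha256=" + OpenSSL::HMAC.hexdigest("SHA256", secret, body)
  end

  # Constant-time comparison so an early exit does not leak how much of a
  # forged signature matched (Rails has ActiveSupport::SecurityUtils.secure_compare
  # for this; a stdlib version is used here so the file runs without Rails).
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Fail closed: no secret configured or no header presented means reject.
  def self.valid?(secret, body, header_value)
    return false if secret.nil? || secret.empty?
    return false if header_value.nil? || !header_value.start_with?("sha256=")
    secure_compare(expected(secret, body), header_value)
  end
end

# Stand-in for the controller action (hypothetical): takes the raw body and
# headers and returns [status, body]. Nothing here reads a session cookie or a
# form token, which is why the CSRF check is the wrong tool for this endpoint;
# the signature is what authenticates the request.
def handle_webhook(secret, raw_body, headers)
  signature = headers[GithubWebhookSignature::HEADER]
  unless GithubWebhookSignature.valid?(secret, raw_body, signature)
    return [401, "invalid or missing webhook signature"]
  end
  [200, "ok"]
end

# In Rails the same pattern is wired like this (needs Rails, so shown as a comment;
# verify_github_signature! is a hypothetical before_action):
#
#   class WebhooksController < ApplicationController
#     skip_before_action :verify_authenticity_token, only: :create  # no session/form token on webhooks
#     before_action :verify_github_signature!, only: :create         # HMAC check instead
#   end

# Constructed sample delivery (secret and body are made-up values).
SAMPLE_SECRET = "constructed-webhook-secret"
SAMPLE_BODY   = '{"action":"opened","number":2,"pull_request":{}}'

# Exercises the handler with a correctly signed body, a body altered after
# signing, a delivery with no signature header and a server with no secret set.
def demo
  good_headers = { GithubWebhookSignature::HEADER => GithubWebhookSignature.expected(SAMPLE_SECRET, SAMPLE_BODY) }
  tampered     = SAMPLE_BODY.sub("opened", "closed")
  {
    signed:    handle_webhook(SAMPLE_SECRET, SAMPLE_BODY, good_headers)[0],
    tampered:  handle_webhook(SAMPLE_SECRET, tampered, good_headers)[0],
    unsigned:  handle_webhook(SAMPLE_SECRET, SAMPLE_BODY, {})[0],
    no_secret: handle_webhook("", SAMPLE_BODY, good_headers)[0],
  }
end

puts demo.inspect
```

The point of the structure is that the webhook endpoint drops one authentication mechanism (session-bound CSRF token) only because it enforces another (shared-secret HMAC over the exact bytes received); skipping the token check without adding the signature check would leave the endpoint open to anyone who can reach it.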
@byroot (Collaborator) commented Feb 13, 2019

Thanks for the report. Someone else noticed it too recently cc @celsodantas.

I'll try to figure out why it was breaking our install and revert that commit.

@casperisfine (Contributor) commented Feb 14, 2019

Reverted in f094487 and improved in 3a3a136

I'll release a new version in a bit.

@ixai (Contributor, Author) commented Feb 14, 2019

Thank you!
