webhook: restrict incoming requests #26
Conversation
HumorBaby
force-pushed
the
feat-secure-webhook
branch
from
77da5a4
to
e013e67
Compare
|
Initially I had though to always repond with Also, you got me thinking about confirming that The test and results were generated from this: https://gist.github.com/HumorBaby/32d4414c1956554d0f9237b41960bc8a |
|
✌️ more informative comments |
HumorBaby
force-pushed
the
feat-secure-webhook
branch
from
c3cf392
to
b7e04e5
Compare
Goodbye @dgw co-authorships 😜 |
I believe in your ability to use |
HumorBaby
force-pushed
the
feat-secure-webhook
branch
3 times, most recently
from
0102201
to
fc8815a
Compare
|
Final tests (with checking of actual response codes; test gist updated): Note: 17 requests were dropped. I'd guess bottle became overloaded during testing, given |
|
Cursory search indicates that yes, it's probably because Bottle took too long and the test script closed the connection before Bottle actually started sending a response. We're probably using the single-threaded wsgiref server, which can only process one request at a time. Such heavy loads aren't likely in a real world deployment unless a lot of busy repos are connected to a single bot. But regardless, better webserver scaling is a separate issue (possibly addressed by #22 and/or switching Bottle to another server adapter). |
|
🤭 Forgot to change one of the |
HumorBaby
force-pushed
the
feat-secure-webhook
branch
2 times, most recently
from
f3db8aa
to
780705a
Compare
|
Oof, those merge conflicts. |
Adds option to set `webhook_secret` which, when provided to GitHub, will allow for integrity check on the request payload (and serve as a form of authorization).
Co-Authored-By: dgw <dgw@technobabbl.es>
Co-Authored-By: HumorBaby <humorbaby@humorbaby.net>
Co-Authored-By: HumorBaby <humorbaby@humorbaby.net>
Co-Authored-By: dgw <dgw@technobabbl.es>
Co-Authored-By: dgw <dgw@technobabbl.es>
Co-Authored-By: dgw <dgw@technobabbl.es>
Co-Authored-By: dgw <dgw@technobabbl.es>
HumorBaby
force-pushed
the
feat-secure-webhook
branch
from
780705a
to
313f457
Compare
Was actually pretty straightforward hehe. I bet it had something to do with the 100+ commits to make master prettier since this PR was originally approved 🐱 |
There was a problem hiding this comment.
So I still need to test this, but meanwhile: 18 months later, some Sopel API stuff changed a bit in the run-up to 7.0, and is worth tweaking.
But more importantly, GitHub documents an updated signature method (SHA-256 instead of SHA-1) and header name (X-Hub-Signature-256 instead of X-Hub-Signature). The header this patch uses is included "For backward-compatibility".
What's funny is I was thinking about just shipping this in 0.4.0 anyway, but looking at it again brought up this stuff I'd rather have changed first.
| event = bottle.request.headers.get('X-GitHub-Event') or 'ping' | ||
|
|
There was a problem hiding this comment.
As far as I can tell, this is never used. The event is added to the payload as payload['event'] below (R206).
| event = bottle.request.headers.get('X-GitHub-Event') or 'ping' |
|
@HumorBaby if by chance you haven't turned into RipVanBaby due to lack of attention… I updated the test script to work on py3, and test against the SHA256 behavior. See revisions: https://gist.github.com/dgw/21674014960259586569d85bae2d4830/revisions Edit: Stable af. |
A bad actor can use this module to spam a channel with custom content. All that is needed is currently the bot's IP/hostname (can be gotten from
.help), a port for the web server (test the default in the source, then port scan), the name of the channel that is currently displaying GitHub webhooks (easy to guess/hard to hide), and a specially formatted JSON payload (format is defined in the source).GitHub has built-in measures to ensure that payloads going to an endpoint can be verified as coming from GitHub itself. A secret token that is known to the endpoint server and the GitHub webhook is used to hash/sign the payload, which can then be verified server-side.
This PR implements this functionality.
Relevant settings: