Opened 5 years ago

Closed 4 years ago

#2889 closed enhancement (fixed)

Check HMAC in github change hook

Reported by: bgilbert
Owned by:
Priority: patches-accepted
Milestone: 0.9.+
Version: 0.8.9
Keywords: github, hook
Cc:

Description

GitHub webhook events can include an HMAC signature. This provides better security than change_hook_auth on non-SSL connections: the message content is authenticated, and no secrets are transmitted in the clear.

Support validating the HMAC in the GitHub change hook. Attached is a working patch against 0.8.9 that may be useful as a starting point.
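The check the description asks for, worked through as an added example (this is not the attached patch and not Buildbot's own hook code): GitHub computes an HMAC over the raw request body with the shared secret and sends it as `X-Hub-Signature` (`sha1=<hex>` at the time of this ticket; the later `X-Hub-Signature-256` header is handled the same way). The receiver recomputes the HMAC over the exact bytes it received and compares in constant time, so nothing secret crosses the wire and a tampered body fails. The `secret` and `strict` parameters borrow their names from the dialect options shown in comment:6, but the semantics given to them here (strict rejects unsigned deliveries) are this example's assumption.

```python
import hashlib
import hmac

SUPPORTED_ALGOS = ("sha1", "sha256")


def sign_payload(secret: str, body: bytes, algo: str = "sha1") -> str:
    """Return the header value GitHub sends: '<algo>=<hex HMAC over the raw body>'."""
    digest = hmac.new(secret.encode("utf-8"), body, getattr(hashlib, algo)).hexdigest()
    return f"{algo}={digest}"


def verify_github_signature(headers, body: bytes, secret, strict: bool = True):
    """
    Validate one webhook delivery.

    headers: mapping of header name -> value (assumed already case-normalised)
    body:    the raw request body, exactly as received; parsing and re-serialising
             the JSON first would change the bytes and break the check
    secret:  the shared webhook secret, or None if none is configured
    strict:  if True, a delivery with no signature header is rejected
             (assumed semantics, modelled on the 'strict' option in comment:6)

    Returns (accepted, reason).
    """
    header = headers.get("X-Hub-Signature-256") or headers.get("X-Hub-Signature")
    if header is None:
        if strict:
            return False, "missing signature header"
        return True, "unsigned delivery accepted (strict=False)"
    if not secret:
        return False, "signature present but no secret configured"
    algo, sep, _hexdigest = header.partition("=")
    if not sep or algo not in SUPPORTED_ALGOS:
        return False, f"unsupported signature format: {header!r}"
    expected = sign_payload(secret, body, algo)
    # Constant-time comparison, so a timing oracle cannot leak the digest byte by byte.
    if not hmac.compare_digest(expected.encode("ascii"), header.encode("utf-8")):
        return False, f"{algo} signature mismatch"
    return True, f"valid {algo} signature"


if __name__ == "__main__":
    # Constructed sample delivery, not a captured GitHub request.
    body = b'{"ref":"refs/heads/master","after":"0000000000000000000000000000000000000000"}'
    secret = "password"  # the value used in the comment:6 configuration
    good = {"X-Hub-Signature": sign_payload(secret, body)}
    print(verify_github_signature(good, body, secret))
    tampered = body.replace(b"master", b"evil")
    print(verify_github_signature(good, tampered, secret))
    print(verify_github_signature({}, body, secret, strict=True))
```

Two practical points the hook has to get right: hash the body bytes before any decoding, and treat a delivery that carries a signature but fails to verify as rejected regardless of `strict`; `strict` only governs what happens when the header is absent.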

Attachments (1)

buildbot-github-hmac.patch (1.5 KB) - added by bgilbert 5 years ago.
Patch against 0.8.9


Change History (8)

Changed 5 years ago by bgilbert

Patch against 0.8.9

comment:1 Changed 5 years ago by sa2ajj

  • Keywords github added
  • Priority changed from minor to patches-accepted
  • Version changed from master to 0.8.9

Thanks for the patch.

It looks like the functionality exists in the standalone version (source:master/contrib/github_buildbot.py) but not in the hook.

comment:2 Changed 5 years ago by sa2ajj

  • Keywords hook added
  • Milestone changed from undecided to 0.9.+

comment:3 Changed 5 years ago by VZ

It would be really nice to have this in 0.8, it seems that Github doesn't support HTTP authentication for the web hooks any longer and so using the built-in hook doesn't provide any way to authenticate any more.

As comment:1 says, the code is already there in the standalone version and could just be copied into the hook if there is no mechanism to reuse it from there.

comment:4 Changed 5 years ago by sa2ajj

It's actually already implemented in eight, it's not ported to nine yet :(

comment:5 Changed 5 years ago by bgilbert

GitHub does still support HTTP authentication for webhooks. Use a payload URL like https://username:password@buildbot.example.com/change_hook/github.

comment:6 Changed 5 years ago by VZ

Thanks for both of your answers! I can confirm that just replacing github.py from my Debian buildbot 0.8.9 package with the version from comment:4 makes everything work with the configuration using

            change_hook_dialects={
                "github": {
                    "strict": True,
                    "secret": "password",
                }
            }

comment:7 Changed 4 years ago by sa2ajj

  • Resolution set to fixed
  • Status changed from new to closed

This is ported to master as well, so I close this.

(The quirk is that web hooks in master require some polish.)
