[Buildbot-commits] [Buildbot] #2186: github change_hook needs security by default

Buildbot trac trac at buildbot.net
Mon Mar 18 16:38:41 UTC 2013


#2186: github change_hook needs security by default
------------------------------+---------------------
Reporter:  stefanha           |       Owner:
    Type:  enhancement        |      Status:  closed
Priority:  critical           |   Milestone:  0.8.+
 Version:  0.8.5              |  Resolution:  fixed
Keywords:  github web sprint  |
------------------------------+---------------------
Changes (by dustin):

 * status:  new => closed
 * resolution:   => fixed


Old description:

> The github change_hook allows Github POST requests to trigger builds.  It
> is part of WebStatus and can be accessed via
> http://server/change_hook/github.
>
> The buildbot documentation does not explain the security implications of
> enabling this change_hook.  From what I can tell there are no checks in
> place to ensure the HTTP request is really from Github.
>
> Anyone who pokes this URL will be able to trigger builds.  It's also not
> clear to me whether builds are restricted to just the git repositories
> configured on the buildmaster or whether the repo URL from the HTTP
> request will be used.
>
> Please document the security implications of the github change_hook.
>
> I suggest supporting a secret token that can be configured both on the
> buildmaster and github side.  If the HTTP request does not include the
> secret token then it will be denied.  One way of doing this would be to
> customize the github change_hook URI, e.g.
> http://server/change_hook/1e505aa83c25910, so that it is not guessable.

New description:

 The github change_hook allows Github POST requests to trigger builds.  It
 is part of WebStatus and can be accessed via
 http://server/change_hook/github.

 The buildbot documentation does not explain the security implications of
 enabling this change_hook.  From what I can tell there are no checks in
 place to ensure the HTTP request is really from Github.

 Anyone who pokes this URL will be able to trigger builds.  It's also not
 clear to me whether builds are restricted to just the git repositories
 configured on the buildmaster or whether the repo URL from the HTTP
 request will be used.

 Please document the security implications of the github change_hook.

 I suggest supporting a secret token that can be configured both on the
 buildmaster and github side.  If the HTTP request does not include the
 secret token then it will be denied.  One way of doing this would be to
 customize the github change_hook URI, e.g.
 http://server/change_hook/1e505aa83c25910, so that it is not guessable.

--

Comment:

 Merged!

-- 
Ticket URL: <http://trac.buildbot.net/ticket/2186#comment:13>
Buildbot <http://buildbot.net/>
Buildbot: build/test automation


More information about the Commits mailing list