Skip to content

Secret should be removed from webhook body by default #8436

New issue
New issue
Closed
Closed
Secret should be removed from webhook body by default#8436
Labels
pr/breakingMerging this PR means builds will break. Needs a description what exactly breaks, and how to fix it!topic/securitySomething leaks user information or is otherwise vulnerable. Should be fixed!type/enhancementAn improvement of existing functionality
@guillep2k

Description

@guillep2k
guillep2k
opened on Oct 9, 2019

Gitea version: 1.10.0-dev 3810fa4

Since header signatures were introduced in #6428, I think the default behavior should be to remove the secret from the body of the webhook request, as it is exposed in plain text and defeats the purpose of the signature. It's usually not a problem when the connection is https, but many struggle to configure that kind of setup, especially on internal servers that can't get a Letsencrypt certificate.

gitea/models/webhook.go

Line 739 in 3810fa4

p.SetSecret(w.Secret)

I know this is a breaking change, so I propose an app.ini setting and default it to not include the secret in the body. The admin can change it if they need the old behavior. An ini setting will not be enough if the users need by-repo configuration, though.

Metadata

Metadata

Assignees

No one assigned

    Labels

    pr/breakingMerging this PR means builds will break. Needs a description what exactly breaks, and how to fix it!topic/securitySomething leaks user information or is otherwise vulnerable. Should be fixed!type/enhancementAn improvement of existing functionality

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions