Add better validation of incoming webhooks for GitHub.

Review Request #6313 — Created Sept. 11, 2014 and submitted

Information

Review Board
release-2.0.x
800e22d...

Reviewers

Incoming GitHub webhook requests for the close-submitted webhooks are
now safe from unintentional requests (for incompatible events) or
malicious payloads (from people guessing the URL and sending payloads to
close various review requests).

We now require that the webhook on GitHub be configured with the Secret
field filled out. It must be set to the value of the repository's
hooks_uuid field. The incoming payload will then be validated for a
signature generated with those payload contents and that secret.

The handler will also filter out non-push events, in case the webhook
was configured to "send everything."

This change (and the upcoming ones for Bitbucket and Google Code) do
break backwards-compatibility for existing hooks, but this is necessary
(and we have labeled this an experimental feature).

An upcoming change will assist users in filling out the webhook field
information, along with the value for the Secret field.

Unit tests pass.

We'll need to test this in production once the change goes in.

Description From Last Updated

'render_to_response' imported but unused

reviewbotreviewbot

'RequestContext' imported but unused

reviewbotreviewbot

'build_server_url' imported but unused

reviewbotreviewbot
reviewbot
  1. Tool: Pyflakes
    Processed Files:
        reviewboard/hostingsvcs/github.py
        reviewboard/hostingsvcs/hook_utils.py
        reviewboard/hostingsvcs/tests.py
    
    
    
    Tool: PEP8 Style Checker
    Processed Files:
        reviewboard/hostingsvcs/github.py
        reviewboard/hostingsvcs/hook_utils.py
        reviewboard/hostingsvcs/tests.py
    
    
  2. reviewboard/hostingsvcs/github.py (Diff revision 1)
     
     
    Show all issues
     'render_to_response' imported but unused
    
  3. reviewboard/hostingsvcs/github.py (Diff revision 1)
     
     
    Show all issues
     'RequestContext' imported but unused
    
  4. reviewboard/hostingsvcs/github.py (Diff revision 1)
     
     
    Show all issues
     'build_server_url' imported but unused
    
  5. 
      
chipx86
reviewbot
  1. Tool: Pyflakes
    Processed Files:
        reviewboard/hostingsvcs/github.py
        reviewboard/hostingsvcs/hook_utils.py
        reviewboard/hostingsvcs/tests.py
    
    
    
    Tool: PEP8 Style Checker
    Processed Files:
        reviewboard/hostingsvcs/github.py
        reviewboard/hostingsvcs/hook_utils.py
        reviewboard/hostingsvcs/tests.py
    
    
  2. 
      
david
  1. Ship It!

  2. 
      
chipx86
Review request changed
Status:
Completed
Change Summary:
Pushed to release-2.0.x (e447647)