Add better validation of incoming webhooks for GitHub.

Review Request #6313 — Created Sept. 11, 2014 and submitted — Latest diff uploaded

Information

Review Board
release-2.0.x
800e22d...

Reviewers

Incoming GitHub webhook requests for the close-submitted webhooks are
now safe from unintentional requests (for incompatible events) or
malicious payloads (from people guessing the URL and sending payloads to
close various review requests).

We now require that the webhook on GitHub be configured with the Secret
field filled out. It must be set to the value of the repository's
hooks_uuid field. The incoming payload will then be validated for a
signature generated with those payload contents and that secret.

The handler will also filter out non-push events, in case the webhook
was configured to "send everything."

This change (and the upcoming ones for Bitbucket and Google Code) do
break backwards-compatibility for existing hooks, but this is necessary
(and we have labeled this an experimental feature).

An upcoming change will assist users in filling out the webhook field
information, along with the value for the Secret field.

Unit tests pass.

We'll need to test this in production once the change goes in.