[JENKINS-68142] Github Webhooks not passing HMAC secret validation for certain commit messages

[jenkins-infra-bot]

GitHub hooks for certain payloads don't pass secret validation in GitHub plug-in.

The easiest way to reproduce it at our side is to include a character tilda '~' or asterisk '*' into the commit message.

 

One possible theory why this happens: GitHub doesn't execute URL Encoding of commit message content and calculates the HMAC based on the payload without encoding, while Jenkins GitHub plug-in executes URL-Encoding of the whole payload 

https://github.com/jenkinsci/github-plugin/blob/master/src/main/java/org/jenkinsci/plugins/github/webhook/RequirePostWithGHHookPayload.java#L176

 

(NOTE: this theory may be wrong since it's questionable how it can affect the asterisk character).

---

Originally reported by leokom, imported from: Github Webhooks not passing HMAC secret validation for certain commit messages

• assignee: lanwen
• status: Open
• priority: Major
• component(s): github-plugin
• resolution: Unresolved
• votes: 0
• watchers: 1
• imported: 2025-12-08

Raw content of original issue

GitHub hooks for certain payloads don't pass secret validation in GitHub plug-in.

The easiest way to reproduce it at our side is to include a character tilda '~' or asterisk '*' into the commit message.

 

One possible theory why this happens: GitHub doesn't execute URL Encoding of commit message content and calculates the HMAC based on the payload without encoding, while Jenkins GitHub plug-in executes URL-Encoding of the whole payload 

https://github.com/jenkinsci/github-plugin/blob/master/src/main/java/org/jenkinsci/plugins/github/webhook/RequirePostWithGHHookPayload.java#L176

 

(NOTE: this theory may be wrong since it's questionable how it can affect the asterisk character).

environment

GitHub Enterprise with webhooks enabled for pushes<br/>
Jenkins with GitHub plug-in 1.34.3<br/>
Secret enabled