Webhooks are reusing same secret for each pipeline

Open jithine opened this issue 4 years ago • 0 comments

What happened:

Screwdriver uses the same secret for all webhooks created in an SCM. This can allow someone to create a valid X-Hub-Signature for the webhook payload of arbitrary repositories using that secret, which allows someone to start PR/commit builds for arbitrary public pipelines.

What you expected to happen:

Screwdriver should use a different secret per Pipeline or Git Repository.

How to reproduce it: N/A

jithine · Aug 26 '21 17:08