puppet-r10k
Webhook incorrectly reports success on `ping` event from GitHub with invalid secret
Affected Puppet, Ruby, OS and module versions/distributions
- Puppet: 7.21.0
- Ruby: ruby 2.7.7p221 (2022-11-24 revision 168ec2b1e5) [x86_64-linux]
- Distribution: Red Hat Enterprise Linux release 8.7 (Ootpa)
- Module version: 10.3.0
How to reproduce (e.g Puppet code you use)
```puppet
class { 'r10k::webhook::config':
  enable_ssl     => false,
  protected      => false,
  github_secret  => 'secret',
  generate_types => false,
}
-> class { 'r10k::webhook':
  use_mcollective => false,
  user            => 'root',
  group           => 'root',
}
```
What are you seeing
The webhook reports success to GitHub during the initial setup in response to the ping event, even when the secret value is incorrect. Subsequent push events then fail, since the secret/signature is incorrect.
What behaviour did you expect instead
The initial ping event should fail if there is a secret configured, and the secret value in GitHub is incorrect.
Output log
Any additional information you'd like to impart
Currently it looks like the code just bails with an empty 200 response if it sees the ping event. It should probably evaluate the signature first in all cases, then decide to bail on a ping.
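The ordering described above, as an added Ruby example that is not the module's own webhook code: the signature is verified for every event before the ping short-circuit, with the reported behaviour kept alongside for contrast. It assumes GitHub's `X-Hub-Signature-256` header (`sha256=<hex>`) and a constructed ping payload.

```ruby
require 'openssl'

# Constructed example: minimal handler showing the reported flaw and its fix.
class WebhookHandler
  def initialize(secret)
    @secret = secret
  end

  # Reported behaviour: a ping returns 200 before the signature is looked at,
  # so GitHub's initial setup "succeeds" even with a wrong secret.
  def handle_flawed(event:, signature_header:, payload:)
    return [200, ''] if event == 'ping'
    return [401, 'invalid signature'] unless valid_signature?(signature_header, payload)
    [200, 'ok: deploying']
  end

  # Hardened: verify the signature first for every event, then decide on ping.
  def handle(event:, signature_header:, payload:)
    return [401, 'invalid signature'] unless valid_signature?(signature_header, payload)
    return [200, 'pong'] if event == 'ping'
    [200, 'ok: deploying']
  end

  def valid_signature?(header, payload)
    return false if header.nil? || @secret.nil? || @secret.empty?
    algo, hex = header.split('=', 2)
    return false unless algo == 'sha256' && hex
    expected = OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
    secure_compare(expected, hex.downcase)
  end

  # Constant-time comparison so a wrong signature is not leaked via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Builds the header value the way GitHub signs a delivery (for demonstration).
def github_signature(secret, payload)
  'sha256=' + OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
end
```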