Secret should be removed from webhook body by default #8436
Labels
pr/breaking
Merging this PR means builds will break. Needs a description what exactly breaks, and how to fix it!
topic/security
Something leaks user information or is otherwise vulnerable. Should be fixed!
type/enhancement
An improvement of existing functionality
Comments
lafriks
added
type/enhancement
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Gitea version: 1.10.0-dev 3810fa4
Since header signatures were introduced in #6428, I think the default behavior should be to remove the secret from the body of the webhook request, as it is exposed in plain text and defeats the purpose of the signature. It's usually not a problem when the connection is https, but many struggle to configure that kind of setup, especially on internal servers that can't get a Letsencrypt certificate.
gitea/models/webhook.go
Line 739 in 3810fa4
I know this is a breaking change, so I propose an
app.inisetting and default it to not include the secret in the body. The admin can change it if they need the old behavior. An ini setting will not be enough if the users need by-repo configuration, though.The text was updated successfully, but these errors were encountered: