8000 🐛 Bug Report: Appwrite should skip signature validation if_APP_VCS_GITHUB_WEBHOOK_SECRET is empty · Issue #6112 · appwrite/appwrite · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
8000

🐛 Bug Report: Appwrite should skip signature validation if_APP_VCS_GITHUB_WEBHOOK_SECRET is empty #6112

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
2 tasks done
stnguyen90 opened this issue Sep 1, 2023 · 0 comments · Fixed by #6162
Closed
2 tasks done

🐛 Bug Report: Appwrite should skip signature validation if_APP_VCS_GITHUB_WEBHOOK_SECRET is empty #6112

stnguyen90 opened this issue Sep 1, 2023 · 0 comments · Fixed by #6162
Assignees
@vermakhushboo
Labels
bug Something isn't working product / functions Fixes and upgrades for the Appwrite Functions.
Milestone
1.4.2

Comments

@stnguyen90
Copy link
Contributor

👟 Reproduction steps

  1. Set up Git Integration but leave the _APP_VCS_GITHUB_WEBHOOK_SECRET env var empty in Appwrite and the Webhook secret blank in github
  2. Update your linked repository to trigger a webhook event

👍 Expected behavior

The webhook works to trigger appwrite

👎 Actual Behavior

Error:

appwrite  | [Error] Timestamp: 2023-09-01T17:29:41+00:00
appwrite  | [Error] Method: POST
appwrite  | [Error] URL: /v1/vcs/github/events
appwrite  | [Error] Type: Appwrite\Extend\Exception
appwrite  | [Error] Message: Invalid webhook signature.
appwrite  | [Error] File: /usr/src/code/app/controllers/api/vcs.php
appwrite  | [Error] Line: 801

It seems when you leave it blank, the x-hub-signature-256 header from GitHub is blank, so, this line:

appwrite/app/controllers/api/vcs.php

Line 791 in aced75f

$valid = $github->validateWebhookEvent($payload, $signature, $signatureKey);

ends up being:

$valid = $github->validateWebhookEvent($payload, '', '');

which means this line:

    public function validateWebhookEvent(string $payload, string $signature, string $signatureKey): bool
    {
        return $signature === ('sha256=' . hash_hmac('sha256', $payload, $signatureKey));
    }

returns false.

🎲 Appwrite version

Version 1.4.x

💻 Operating system

Linux

🧱 Your Environment

No response

👀 Have you spent some time to check if this issue has been raised before?

  • I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?
@stnguyen90 stnguyen90 added the bug Something isn't working label Sep 1, 2023
@stnguyen90 stnguyen90 added this to the 1.4.2 milestone Sep 1, 2023
@stnguyen90 stnguyen90 added the product / functions Fixes and upgrades for the Appwrite Functions. label Sep 1, 2023
@stnguyen90 stnguyen90 changed the title 🐛 Bug Report: _APP_VCS_GITHUB_WEBHOOK_SECRET is required 🐛 Bug Report: Appwrite should skip signature validation if_APP_VCS_GITHUB_WEBHOOK_SECRET is empty Sep 1, 2023
@stnguyen90 stnguyen90 moved this to In Progress in 1.4 release Sep 1, 2023
@stnguyen90 stnguyen90 modified the milestones: 1.4.2, 1.4.3 Sep 2, 2023
@stnguyen90 stnguyen90 linked a pull request Sep 6, 2023 that will close this issue
Fix webhook secret validation and executor path validation #6162
Merged
2 tasks
@stnguyen90 stnguyen90 moved this from In Progress to Code Review in 1.4 release Sep 6, 2023
@github-project-automation github-project-automation bot moved this from Code Review to Done in 1.4 release Sep 6, 2023
This was referenced Oct 1, 2023
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vermakhushboo vermakhushboo

Labels
bug Something isn't working product / functions Fixes and upgrades for the Appwrite Functions.
Projects
No open projects
1.4 release
Status: Done
Milestone
1.4.2
Development

Successfully merging a pull request may close this issue.

Fix webhook secret validation and executor path validation appwrite/appwrite
2 participants
@stnguyen90 @vermakhushboo
0