Enhance GitHub integration webhook security


      Problem

      GitHub offers to secure repository webhooks with a secret. Jira currently discards the HTTP_X_HUB_SIGNATURE_256 and HTTP_X_HUB_SIGNATURE headers, so any unauthenticated payload triggers a Jira soft sync.

      Suggested Solution

      Take HTTP_X_HUB_SIGNATURE_256 into consideration in Jira if the user chooses to define a secret.

      Either set a secret for webhooks on account creation in the DVCS menu, so the value is populated in all the repositories, or allow defining a secret value after creation.

      Why This Is Important

      Even though triggering a soft sync from an unknown webhook payload doesn't break anything, it is still a security vulnerability when an unknown party can run an administrative task in an unauthorized manner.
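      The check the suggestion asks for, as an added example that is not Jira's or GitHub's own code: GitHub computes an HMAC-SHA256 over the raw request body with the configured secret and sends it as X-Hub-Signature-256, and the receiver recomputes it and compares in constant time before doing anything with the payload. The secret, sample body, and the handle_webhook receiver are constructed for this example.

```python
import hmac
import hashlib
from typing import Optional

def sign_payload(secret: bytes, body: bytes) -> str:
    """Produce the value GitHub sends in X-Hub-Signature-256 for `body`:
    "sha256=" followed by the hex HMAC-SHA256 of the raw request body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_github_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Return True only if `header` is a valid X-Hub-Signature-256 for `body`.

    Rejects a missing header, the legacy SHA-1 X-Hub-Signature value, and any
    malformed value. hmac.compare_digest keeps the comparison time independent
    of how many leading bytes of the two digests agree."""
    if not header:
        return False  # no secret-derived signature at all: unauthenticated
    scheme, sep, received_hex = header.partition("=")
    if sep != "=" or scheme != "sha256" or not received_hex:
        return False  # e.g. "sha1=..." from X-Hub-Signature, or garbage
    try:
        received = bytes.fromhex(received_hex)  # also normalises hex case
    except ValueError:
        return False  # not hex: cannot be a valid digest
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, received)

# Constructed sample: the secret an admin would configure on the DVCS account
# and a minimal push-event body. Both are made up for this example.
WEBHOOK_SECRET = b"example-webhook-secret"
SAMPLE_BODY = b'{"ref":"refs/heads/main","repository":{"full_name":"acme/app"}}'

def handle_webhook(headers: dict, body: bytes) -> str:
    """Hypothetical receiver: only a verified payload triggers a soft sync."""
    sig = headers.get("X-Hub-Signature-256")
    if not verify_github_signature(WEBHOOK_SECRET, body, sig):
        return "rejected"
    return "soft-sync"

if __name__ == "__main__":
    good = {"X-Hub-Signature-256": sign_payload(WEBHOOK_SECRET, SAMPLE_BODY)}
    print(handle_webhook(good, SAMPLE_BODY))  # soft-sync
    print(handle_webhook({}, SAMPLE_BODY))    # rejected
```

      The body must be the exact bytes received; re-serialising parsed JSON before hashing will produce a different digest and reject valid deliveries.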

              Assignee: Unassigned
              Reporter: Mohamed Kouki (Inactive)
              Votes: 3
              Watchers: 8
