Enhance GitHub integration webhook security


      Problem

      GitHub offers to secure repository webhooks with a shared secret. Jira currently discards the HTTP_X_HUB_SIGNATURE_256 and HTTP_X_HUB_SIGNATURE headers, so any unauthenticated payload posted to the webhook endpoint triggers a Jira soft sync.

      Suggested Solution

      Validate the HTTP_X_HUB_SIGNATURE_256 header that GitHub sends, if the user chooses to define a secret.

      Either set a webhook secret when the account is created in the DVCS menu, so that the value is populated in all the repositories, or allow a secret value to be defined after creation.
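      The check the suggested solution asks for, as an added example that is not code from the original report or from Jira: GitHub computes HMAC-SHA256 over the raw request body with the configured secret and sends the hex digest in X-Hub-Signature-256 (which a WSGI/CGI stack exposes as HTTP_X_HUB_SIGNATURE_256), prefixed with "sha256=". The receiver recomputes the value and compares it in constant time; the legacy SHA-1 header X-Hub-Signature is ignored, and a missing secret or missing header fails closed rather than falling through to a sync. The secret, payload, header dictionary and handle_webhook receiver are hypothetical and constructed for this example.

```python
import hashlib
import hmac

# Constructed for this example: a hypothetical shared secret and a trimmed push payload.
SECRET = b"example-webhook-secret"
PAYLOAD = b'{"ref":"refs/heads/main","repository":{"full_name":"example/repo"}}'


def github_signature(secret: bytes, body: bytes) -> str:
    """Value GitHub places in X-Hub-Signature-256: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_github_signature(secret: bytes, headers: dict, body: bytes) -> bool:
    """Return True only when X-Hub-Signature-256 matches the HMAC of the raw body.

    headers: header names lower-cased (a WSGI stack would expose this header as
    HTTP_X_HUB_SIGNATURE_256). The legacy SHA-1 header X-Hub-Signature is ignored
    on purpose, and the check fails closed when no secret is configured.
    """
    if not secret:
        return False
    received = headers.get("x-hub-signature-256", "")
    if not received.startswith("sha256="):
        return False
    expected = github_signature(secret, body)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(received.encode("ascii", "replace"), expected.encode("ascii"))


def handle_webhook(secret: bytes, headers: dict, body: bytes) -> str:
    """Hypothetical receiver: only a verified payload is allowed to trigger the sync."""
    if verify_github_signature(secret, headers, body):
        return "soft sync triggered"
    return "rejected: bad or missing X-Hub-Signature-256"


def demo() -> dict:
    """Run the receiver over a signed request and the failure modes a practitioner should expect."""
    good = {"x-hub-signature-256": github_signature(SECRET, PAYLOAD)}
    tampered_body = PAYLOAD.replace(b"main", b"release")
    sha1_only = {"x-hub-signature": "sha1=" + hmac.new(SECRET, PAYLOAD, hashlib.sha1).hexdigest()}
    wrong_secret = {"x-hub-signature-256": github_signature(b"attacker-guess", PAYLOAD)}
    return {
        "signed": handle_webhook(SECRET, good, PAYLOAD),
        "unsigned": handle_webhook(SECRET, {}, PAYLOAD),
        "tampered_body": handle_webhook(SECRET, good, tampered_body),
        "sha1_only": handle_webhook(SECRET, sha1_only, PAYLOAD),
        "wrong_secret": handle_webhook(SECRET, wrong_secret, PAYLOAD),
        "no_secret_configured": handle_webhook(b"", good, PAYLOAD),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} -> {outcome}")
```

      The comparison must run over the exact bytes GitHub signed, so the body has to be read raw before any JSON parsing or re-serialisation; a receiver that re-encodes the payload first will reject valid deliveries.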

      Why This Is Important

      Even though triggering a soft sync from an unknown webhook payload does not break anything, it is still a security vulnerability if an unknown party can run an administrative task in an unauthorized manner.

            Assignee:
            Unassigned
            Reporter:
            Mohamed Kouki (Inactive)
            Votes:
            3
            Watchers:
            8