Suggestion
Resolution: Done
Problem
GitHub offers to secure repository webhooks with a secret, and signs every delivery with an HMAC of the raw request body carried in the X-Hub-Signature-256 (SHA-256) and legacy X-Hub-Signature (SHA-1) headers, exposed to the server as HTTP_X_HUB_SIGNATURE_256 and HTTP_X_HUB_SIGNATURE. Jira currently discards both headers, so any payload POSTed to the webhook endpoint, whether or not it actually came from GitHub, triggers a Jira soft sync.
Suggested Solution
Verify the GitHub HTTP_X_HUB_SIGNATURE_256 header against the configured secret if the user chooses to define one, and reject payloads whose signature is missing or does not match.
Either set a webhook secret on account creation in the DVCS menu, so the value is populated in all the repositories' webhooks, or allow a secret value to be defined after the account has been created.
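The check described above, as an added example in Python rather than the DVCS connector's own Java code: it computes the HMAC-SHA256 that GitHub places in X-Hub-Signature-256 over the raw body, compares it in constant time, and only runs the (hypothetical) soft sync when the signature matches. The secret, the sample body and the header dictionary are constructed for illustration; the header key uses the CGI form HTTP_X_HUB_SIGNATURE_256 quoted in the ticket.

```python
import hashlib
import hmac

# Constructed sample inputs (not real values): a webhook secret as configured
# in GitHub and the raw bytes of a push delivery body.
WEBHOOK_SECRET = b"example-webhook-secret"
SAMPLE_BODY = b'{"ref":"refs/heads/main","repository":{"full_name":"acme/widgets"}}'


def sign_payload(secret: bytes, body: bytes) -> str:
    """Return the value GitHub sends in X-Hub-Signature-256 for this body.

    GitHub computes HMAC-SHA256 over the exact raw body bytes, hex-encodes it
    and prefixes it with "sha256=". Any re-serialisation of the body before
    hashing would make the comparison fail, so the raw bytes must be used.
    """
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_signature(secret: bytes, body: bytes, headers: dict) -> bool:
    """Accept the payload only if HTTP_X_HUB_SIGNATURE_256 matches the HMAC.

    The legacy SHA-1 header (HTTP_X_HUB_SIGNATURE) is deliberately not
    accepted as a fallback; a delivery carrying only that header is rejected.
    """
    header = headers.get("HTTP_X_HUB_SIGNATURE_256")
    if not header or not header.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    # Constant-time comparison so response timing does not reveal how many
    # leading bytes of a forged signature were correct.
    return hmac.compare_digest(header, expected)


def handle_webhook(secret, body: bytes, headers: dict) -> str:
    """Hypothetical webhook handler mirroring the ticket's proposal.

    When a secret is configured, unsigned or badly signed deliveries are
    rejected before any sync runs. When no secret is configured, the current
    behaviour (sync on every delivery) is kept, since GitHub then sends no
    signature header at all.
    """
    if secret and not verify_signature(secret, body, headers):
        return "rejected"
    return "soft_sync"


if __name__ == "__main__":
    good = {"HTTP_X_HUB_SIGNATURE_256": sign_payload(WEBHOOK_SECRET, SAMPLE_BODY)}
    print("genuine delivery:", handle_webhook(WEBHOOK_SECRET, SAMPLE_BODY, good))
    print("unsigned delivery:", handle_webhook(WEBHOOK_SECRET, SAMPLE_BODY, {}))
    print("tampered body:", handle_webhook(WEBHOOK_SECRET, SAMPLE_BODY + b" ", good))
```

The important property is the third case: an attacker who replays a captured header with a modified body, or who simply POSTs their own JSON without a secret, no longer reaches the sync path.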
Why This Is Important
Even though triggering a soft sync from an unknown webhook payload doesn't break anything, it is still a security vulnerability: an unauthenticated party can run an administrative task in Jira without authorization.