Comments (8)
moorereason
commented on May 2, 2024
It looks like it's working as intended. You're asking webhook to match a URL parameter that either doesn't exist or is invalid. The command should not be triggered in either case.
from webhook.
fbartels
commented on May 2, 2024
Yes, that was not what I meant. The hook does not execute when the wrong token is sent, but webhook also does tell you how the token should be. A not so secret secret if you will.
In other words, you can't really use payload-hash-sha1 for authentication.
from webhook.
moorereason
commented on May 2, 2024
@fbartels, webhook uses your secret to calculate a HMAC SHA1 of the payload. It's not showing you the secret. If this was unclear, maybe you can suggest an improvement to the documentation or help us to make it more clear to new users.
from webhook.
fbartels
commented on May 2, 2024
No, but its showing you the sha1. And when you call ?token=sha1-of-token, then your call will succeed.
from webhook.
moorereason
commented on May 2, 2024
Unless I'm mistaken, it's not showing the sha1 to the remote agent. It's only logging it on the server side.
from webhook.
adnanh
commented on May 2, 2024
You are correct. It leaks out the calculated SHA1 of the payload that it's expecting, this is a bug, no idea how this slipped out unnoticed!
from webhook.
fbartels
commented on May 2, 2024
Hi Adnan,
thanks for the fix. I did a manual checkout and build of 2.4.0 and can confirm that I cannot reproduce the issue anymore.
from webhook.
adnanh
commented on May 2, 2024
👍 thanks for reporting:)
from webhook.
Related Issues (20)
- If my boolean value is not quoted, will it be matched HOT 1
- Webhook doesn't get triggered when behind a traefik reverse proxy HOT 3
- Broadcasting Slack Slash Command's Response HOT 1
- Header evaluation is broken HOT 4
- Step-by-step tutorial for a 'Hello world'
- Vulnerabilities of dependency "gopkg.in/yaml.v2"
- webhook hook not running bash script HOT 6
- Bitbucket now supports webhook secrets 🥳 HOT 1
- I found that I can't use dot-notation to contain all sub-objects in my json
- I need to parse url for addr:port HOT 1
- Update `go` installation
- Ubuntu Webhooks is not reading the correct RVM ruby installed HOT 2
- Custom logging
- Webhook id is not being served in URL HOT 2
- how to set shell $PATH HOT 4
- Weird Cert issue when calling webhook from shell HOT 1
- pass-file-to-command as optional HOT 1
- Add a (unique) folder with images for dynamic responses HOT 7
- Question - How long does the webhook service run
- Add hook property to control command output logging
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from webhook.