Reputation: 57184
How to verify a post-receive hook request actually came from github?
Github offers a way to let a URL know when a project has been updated using webhooks.
How do I verify that a post sent to my server's post-receive hook actually came from github?
Should I check the IP address of the sender or can I send an auth check somewhere? I want to make sure someone doesn't try to spoof a request pretending to be from github.
One option is to setup the hook through PubSubHubbub and use the hub.secret option to create a SHA1 HMAC signature of the post body. However, that would require my server setting up the request rather than waiting for users to setup the post-receive callback to my site when they want to. I would rather just ask users to paste the URL I give them into the post url.
Upvotes: 17
Views: 5911
Answers (5)
Reputation: 2595
Take a look at GitHub's docs on the subject: they suggest using HTTPS and basic authentication.
Specifically, set up your Payload URL in this format:
https://yourUser:[email protected]/path
If you have a number of users, you'd give each a different username & password. Assuming they keep that password private, you can then trust that an authenticating request really does come from GitHub and from that account.
See also: https://github.com/blog/237-basic-auth-post-receives
Upvotes: 10
Reputation: 7948
You can ping GitHub's Meta API to get an array of IP addresses (in CIDR notation) that the incoming service hooks will originate from and cross check them against the request's IP :
Upvotes: 10
Reputation: 3308
You could locate your webhook at a hard-to-guess URL. Say:
https://my-host.com/webhooks/E36006BE2C4BABDEEF307C77E34F415B/my-hook
(That's 128-bits of random data - increase to whatever size feels comfortable). Assuming you can trust github to keep this url secure, it's pretty likely that a client hitting that url can be trusted.
If the url should ever be compromised, it's a simple matter to just generate a new random URL and update your webserver.
Just make sure you're using a good source of entropy...
Upvotes: 4
Reputation: 22041
You can try to check Github's post-request IP : 207.97.227.253, 50.57.128.197, 108.171.174.178
Upvotes: 7
Reputation: 57184
In addition to @mnml's answer, the second step could be to just call up the API and verify that the information given matches the last known commit for the project. It's the same process that OpenID uses to verify the data passed is valid.
So, first I could defeat dumb reply attacks, by just checking the IP. Next I could ask github if the information I received is correct.
GET /repos/:user/:repo/commits/:sha
Upvotes: 5
Related Questions
- How to run post-receive hook on GitHub
- github service hook and basic authentication
- How can I use curl to test a Github post-receive hook server?
- Custom post-receive hook with gitlab
- For GitLab WebHook, how to make sure the request is from GitLab?
- Emulate github hook with curl with secret
- github api does not return my post-receive web hook
- Github Webhook when somebody pulls code from my repository
- How to use Github webhooks
- Adding a post receive hook in github