Skip to content

Make WEBHOOK_SECRET mandatory unless --insecure is set#1

Merged
Krinkle merged 1 commit into
mainfrom
mandate-secret
Jul 2, 2026
Merged

Make WEBHOOK_SECRET mandatory unless --insecure is set#1
Krinkle merged 1 commit into
mainfrom
mandate-secret

Conversation

@Krinkle

@Krinkle Krinkle commented Jun 10, 2026

Copy link
Copy Markdown
Member

Reduce chances of misconfiguration by explicilty refusing to start without a secret for payload verification, unless it is explicitly disabled.

Credit to Quarkslab for the discovery and recommended mitigation.

Ref https://github.com/jquery/infrastructure/issues/526
Ref https://github.com/jquery/infrastructure/issues/565

@mgol mgol left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes make sense to me (I just have a small code style remark), but I haven't worked with these notifiers directly, so if you want a more thorough review, feel free to find someone with more experience here.

Comment thread github-notifier.js Outdated
// Invalid signature, discard unauthorized event
return;
}
} else if (!this.allowInsecure) {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A minor code style remark: for these security-related checks, I feel it's easier to see that we're well protected if these checks are done at the top, as soon as possible, and that we immediately return if they are not fulfilled (possibly preceded by issuing error logs, throwing, etc. - whatever makes sense).

Reduce chances of misconfiguration by explicilty refusing to
start without a secret for payload verification, unless it is
explicitly disabled.

Credit to Quarkslab for the discovery and recommended mitigation.

Ref jquery/infrastructure#526
Ref jquery/infrastructure#565
@Krinkle Krinkle merged commit 873c717 into main Jul 2, 2026
9 checks passed
@Krinkle Krinkle deleted the mandate-secret branch July 3, 2026 11:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

3 participants