Webhook auth bypass when webhook_secret is None #56

New Issue

Open

opened 2026-03-30 13:28:02 +00:00 by sharang · 0 comments

sharang commented 2026-03-30 13:28:02 +00:00

Owner

Copy Link

When webhook_secret is None on a repository, the webhook handlers silently skip HMAC/token verification and proceed to trigger a full scan. Any unauthenticated POST to /webhook/{type}/{repo_id} will execute the scan pipeline. Fix: Reject with 401 when webhook_secret is None. Use constant-time comparison for GitLab token. Files: webhooks/github.rs, webhooks/gitlab.rs, webhooks/gitea.rs

When webhook_secret is None on a repository, the webhook handlers silently skip HMAC/token verification and proceed to trigger a full scan. Any unauthenticated POST to /webhook/{type}/{repo_id} will execute the scan pipeline. Fix: Reject with 401 when webhook_secret is None. Use constant-time comparison for GitLab token. Files: webhooks/github.rs, webhooks/gitlab.rs, webhooks/gitea.rs

sharang added the securitybugv0.3.0critical labels 2026-03-30 13:28:02 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/multiple-issues

feat/cve-alerts

feat/e2e-tests

feat/help-chat-widget

fix/cascade-delete-repo

feat/refine-llm-prompts

fix/gitea-pr-review-error-handling

test/dummy-bad-code

fix/remove-code-review-from-findings

feat/pentest-onboarding

v0.2.0

Labels

Clear labels

bug

critical

enhancement

high

infrastructure

performance

security

v0.3.0

No Label bug critical security v0.3.0

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

sharang

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: sharang/compliance-scanner-agent#56