Commit 0835d60

Blog post about changes on incoming webhooks (#247)
1 parent 8e08acf commit 0835d60

1 file changed: +62 -0 lines changed
@@ -0,0 +1,62 @@
1+
.. post:: November 14, 2023
2+
:tags: webhooks, integrations, security
3+
:category: Changelog
4+
:author: Santos
5+
:location: CUE
6+
7+
Security update on incoming webhooks from integrations
8+
======================================================
9+
10+
Webhooks from integrations (like GitHub) are used to:
11+
12+
- Trigger builds when a new commit is pushed to a repository.
13+
- Create and delete previews from pull requests (if you have this feature enabled).
14+
- Update the identifier of the latest version (if you have your default branch set to empty in your project's settings).
15+
16+
Last week, our team was make aware that manually created webhooks from integrations lacked support for a shared secret,
17+
which is used to verify the authenticity of the webhook,
18+
ensuring they originate from the expected source and not from a malicious user.
19+
20+
In order to improve security, we have deployed an update so that all integrations are now created with a shared secret,
21+
so we can verify the authenticity of the webhook.
22+
23+
Security implications
24+
---------------------
25+
26+
The lacking of a shared secret for manually created integrations together with a legacy feature that automatically created integrations in certain circumstances,
27+
could have allowed unauthorized users to create integrations without a shared secret.
28+
Allowing the attacker to trigger builds,
29+
create and delete previews from pull requests (if you had this feature enabled),
30+
and update the identifier of the latest version (if you had your default branch set to empty in your project's settings).
31+
32+
We published a `security advisory <https://github.com/readthedocs/readthedocs.org/security/advisories/GHSA-45hq-g76r-46wv>`__
33+
with more details about this issue.
34+
35+
Action required
36+
---------------
37+
38+
If you manually created a webhook integration for GitHub, GitLab or Bitbucket,
39+
you may be affected by this issue.
40+
41+
We have updated some of the webhooks automatically for users that have an account connected to a Git provider,
42+
for integrations that we weren't able to update automatically, we have contacted the owners of each project.
43+
To check if you have integrations without a secret,
44+
and to update them to include one, follow these steps:
45+
46+
- Go to your project's settings page.
47+
- Click on the "Integrations" tab.
48+
- Click on each integration, if the integration doesn't have a secret,
49+
you'll see a warning message.
50+
- If you see the warning message,
51+
click on the "Resync webhook" button to generate a new secret.
52+
- Follow the steps `from our documentation <https://docs.readthedocs.io/en/stable/guides/setup/git-repo-manual.html>`__ to update your provider's webhook with the new secret.
53+
54+
Deprecation of integrations without a secret
55+
--------------------------------------------
56+
57+
In order to keep the builds of your projects working,
58+
webhooks from integrations without a secret will continue working,
59+
but with a limited functionality, they will only be able to trigger builds.
60+
61+
We strongly advise all users to update their integrations to include a secret as soon as possible.
62+
Integrations without a secret are deprecated, and support for them will be removed on **January 31st, 2024**.
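Review bot: a few wording fixes are needed in the new post before merge. Line 16 has a typo, "our team was make aware" should read "was made aware"; line 26 "The lacking of a shared secret" reads more naturally as "The lack of a shared secret"; lines 41 and 42 join two sentences with a comma ("...connected to a Git provider, for integrations that we weren't able to update automatically, we have contacted...") and should be split into two sentences; line 59 "with a limited functionality" should drop the article. On content, the deadline of January 31st, 2024 only appears at the very end (line 62) while the steps readers must take are under "Action required" (lines 45-52); consider repeating the date there so the deadline sits next to the instructions, and mention that the "Resync webhook" step generates the secret on the Read the Docs side only, with the provider-side update in the last bullet being required for verification to take effect.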
