|
| 1 | +.. post:: November 14, 2023 |
| 2 | + :tags: webhooks, integrations, security |
| 3 | + :category: Changelog |
| 4 | + :author: Santos |
| 5 | + :location: CUE |
| 6 | + |
| 7 | +Security update on incoming webhooks from integrations |
| 8 | +====================================================== |
| 9 | + |
| 10 | +Webhooks from integrations (like GitHub) are used to: |
| 11 | + |
| 12 | +- Trigger builds when a new commit is pushed to a repository. |
| 13 | +- Create and delete previews from pull requests (if you have this feature enabled). |
| 14 | +- Update the identifier of the latest version (if you have your default branch set to empty in your project's settings). |
| 15 | + |
| 16 | +Last week, our team was make aware that manually created webhooks from integrations lacked support for a shared secret, |
| 17 | +which is used to verify the authenticity of the webhook, |
| 18 | +ensuring they originate from the expected source and not from a malicious user. |
| 19 | + |
| 20 | +In order to improve security, we have deployed an update so that all integrations are now created with a shared secret, |
| 21 | +so we can verify the authenticity of the webhook. |
| 22 | + |
| 23 | +Security implications |
| 24 | +--------------------- |
| 25 | + |
| 26 | +The lacking of a shared secret for manually created integrations together with a legacy feature that automatically created integrations in certain circumstances, |
| 27 | +could have allowed unauthorized users to create integrations without a shared secret. |
| 28 | +Allowing the attacker to trigger builds, |
| 29 | +create and delete previews from pull requests (if you had this feature enabled), |
| 30 | +and update the identifier of the latest version (if you had your default branch set to empty in your project's settings). |
| 31 | + |
| 32 | +We published a `security advisory <https://github.com/readthedocs/readthedocs.org/security/advisories/GHSA-45hq-g76r-46wv>`__ |
| 33 | +with more details about this issue. |
| 34 | + |
| 35 | +Action required |
| 36 | +--------------- |
| 37 | + |
| 38 | +If you manually created a webhook integration for GitHub, GitLab or Bitbucket, |
| 39 | +you may be affected by this issue. |
| 40 | + |
| 41 | +We have updated some of the webhooks automatically for users that have an account connected to a Git provider, |
| 42 | +for integrations that we weren't able to update automatically, we have contacted the owners of each project. |
| 43 | +To check if you have integrations without a secret, |
| 44 | +and to update them to include one, follow these steps: |
| 45 | + |
| 46 | +- Go to your project's settings page. |
| 47 | +- Click on the "Integrations" tab. |
| 48 | +- Click on each integration, if the integration doesn't have a secret, |
| 49 | + you'll see a warning message. |
| 50 | +- If you see the warning message, |
| 51 | + click on the "Resync webhook" button to generate a new secret. |
| 52 | +- Follow the steps `from our documentation <https://docs.readthedocs.io/en/stable/guides/setup/git-repo-manual.html>`__ to update your provider's webhook with the new secret. |
| 53 | + |
| 54 | +Deprecation of integrations without a secret |
| 55 | +-------------------------------------------- |
| 56 | + |
| 57 | +In order to keep the builds of your projects working, |
| 58 | +webhooks from integrations without a secret will continue working, |
| 59 | +but with a limited functionality, they will only be able to trigger builds. |
| 60 | + |
| 61 | +We strongly advise all users to update their integrations to include a secret as soon as possible. |
| 62 | +Integrations without a secret are deprecated, and support for them will be removed on **January 31st, 2024**. |
0 commit comments