Skip to content

Manual webhook setup Github token #10894

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
daquinteroflex opened this issue Nov 8, 2023 · 3 comments
Closed

Manual webhook setup Github token #10894

daquinteroflex opened this issue Nov 8, 2023 · 3 comments
Labels
Support Support question

Comments

@daquinteroflex
Copy link

daquinteroflex commented Nov 8, 2023
edited
Loading

Hi,

I was curious when this manual webhook Github token was going to be implemented. Does this currently have an effect on security with manual configurations?

readthedocs.org/docs/user/guides/setup/git-repo-manual.rst

Line 58 in 6410aa0

.. note:: The webhook token, intended for the GitHub **Secret** field, is not yet implemented.

Cheers,
Dario
@humitos humitos added the Support Support question label Nov 8, 2023
@daquinteroflex
Copy link
Author

daquinteroflex commented Nov 9, 2023
edited
Loading

I've tried this. From what I can gather, is that until the token gets implemented for verification. Say, we won't be able to have an external API or even Github from a different user or organization, triggering the .readthedocs.yaml build for the particular repository that is loaded as part of the owner organization?

@daquinteroflex daquinteroflex mentioned this issue Nov 9, 2023
Open
@stsewd
Copy link
Member

stsewd commented Nov 11, 2023

Hi @daquinteroflex thanks for bringing this to our attention, we will be changing this, so integrations are always created with a secret. We will post an update about this early next week.

@stsewd
Copy link
Member

stsewd commented Nov 14, 2023

We decided to do a security release, since abusing webhooks without a secret could be a problem https://blog.readthedocs.com/security-update-on-incoming-webhooks/. Thanks again for bringing this issue to our attention!

@stsewd stsewd closed this as completed Nov 14, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Support Support question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@humitos @stsewd @daquinteroflex