
feat(bitbucket): check bitbucket webhook signature if webhook_secret is defined #82541

Open
wants to merge 1 commit into master

Conversation

oioki
Member

@oioki oioki commented Dec 23, 2024

Preparing Bitbucket webhook secret validation. This is actual signature header validation, but no integrations/repos have the associated secret yet.

TODO in the follow-up PRs:

  • backend endpoint to modify webhook_secret in repo.config
  • frontend interface

@oioki oioki requested a review from a team December 23, 2024 19:31
@oioki oioki requested review from a team as code owners December 23, 2024 19:31
@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Dec 23, 2024
try:
    event_handler(request, organization, event)
except WebhookSignatureException as e:
    return HttpResponse(str(e), status=400)

Check warning (Code scanning / CodeQL): Information exposure through an exception (Medium)

Stack trace information flows to this location and may be exposed to an external user.

Copilot Autofix AI 2 days ago

To fix the problem, we should avoid returning the exception message directly to the user. Instead, we should log the exception message on the server and return a generic error message to the user. This way, developers can still access the detailed error information from the logs, but external users will not see any sensitive information.

We need to modify the code in the post method of the BitbucketWebhookEndpoint class to log the exception message and return a generic error message. We will use the existing logger to log the exception and return a generic error response.

Suggested changeset 1
src/sentry/integrations/bitbucket/webhook.py

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/sentry/integrations/bitbucket/webhook.py b/src/sentry/integrations/bitbucket/webhook.py
--- a/src/sentry/integrations/bitbucket/webhook.py
+++ b/src/sentry/integrations/bitbucket/webhook.py
@@ -250,3 +250,8 @@
             except WebhookSignatureException as e:
-                return HttpResponse(str(e), status=400)
+                logger.exception(
+                    "%s.webhook.signature-exception",
+                    PROVIDER_NAME,
+                    extra={"organization_id": organization.id, "error": str(e)},
+                )
+                return HttpResponse("An error occurred while processing the webhook.", status=400)
 
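Review bot: the added logger.exception(...) call records a full stack trace for every signature failure, but a rejected signature on an untrusted request is an expected outcome, not a fault in the handler, so each bad request from any external sender produces a trace with no diagnostic value; logger.warning("%s.webhook.signature-exception", PROVIDER_NAME, extra={...}) keeps the organization id and str(e) in the log without that cost. The replacement response body is the right change, since str(e) is no longer echoed to the caller.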
EOF

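An added example, not code from this PR or from Sentry, showing the two halves the PR and the suggested fix describe together: an HMAC signature check that raises WebhookSignatureException only when a secret is configured, and a handler that logs the failure detail but returns a generic message to the sender. The X-Hub-Signature header name and the sha256=<hex> format are assumptions about Bitbucket's webhook format (the page does not state them); the secret and payload are constructed.

```python
import hashlib
import hmac
import logging

logger = logging.getLogger("bitbucket.webhook")

# Assumption (not stated on the PR page): the sender puts
# "sha256=<hex HMAC-SHA256 of the raw body>" in this header.
SIGNATURE_HEADER = "X-Hub-Signature"
GENERIC_ERROR = "An error occurred while processing the webhook."


class WebhookSignatureException(Exception):
    """Raised when a webhook request fails signature validation."""


def verify_signature(secret, body, header_value):
    # Mirror the PR: only enforce when a webhook_secret is defined.
    if not secret:
        return
    if not header_value:
        raise WebhookSignatureException("missing signature header")
    algo, _, received = header_value.partition("=")
    if algo != "sha256" or not received:
        raise WebhookSignatureException("unsupported signature format: %r" % header_value)
    expected = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    # Constant-time comparison so response timing does not leak digest prefixes.
    if not hmac.compare_digest(expected, received):
        raise WebhookSignatureException("signature mismatch")


def handle_webhook(secret, body, headers, organization_id):
    """Return (status, response_body); failure detail goes to the log, not the caller."""
    try:
        verify_signature(secret, body, headers.get(SIGNATURE_HEADER))
    except WebhookSignatureException as e:
        # warning, not exception: a bad signature is expected input, no stack trace needed
        logger.warning("bitbucket.webhook.signature-exception",
                       extra={"organization_id": organization_id, "error": str(e)})
        return 400, GENERIC_ERROR
    return 204, ""


def sign(secret, body):
    """Header value a legitimate sender would attach (used to build the constructed sample)."""
    return "sha256=" + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    secret = "constructed-test-secret"
    body = b'{"repository": {"full_name": "example/repo"}}'  # constructed payload
    print(handle_webhook(secret, body, {SIGNATURE_HEADER: sign(secret, body)}, 1))
    print(handle_webhook(secret, body, {SIGNATURE_HEADER: "sha256=" + "0" * 64}, 1))
```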
Labels
Scope: Backend Automatically applied to PRs that change backend components