pelson
commented
6 years ago Agreed. I decided not to check this because the behaviour is a tightly limited set, but there is no harm in preventing arbitrary execution of that set.
Thanks @QuLogic
Closed QuLogic closed 6 years ago
pelson
commented
6 years ago Agreed. I decided not to check this because the behaviour is a tightly limited set, but there is no harm in preventing arbitrary execution of that set.
Thanks @QuLogic
pelson
commented
6 years ago Closed in #12. Thanks @QuLogic.
As evidenced in #10, I can send arbitrary triggers to the webhook without authentication or verification. GitHub apparently sends an
X-Hub-Signatureheader using a secret which could possibly be used to verify the webhook sender and payload.