Open roadrunner2 opened 5 years ago
The plugin uses only one kind of field from the payload, URLs, to find the appropriate repository to fetch. To get the secret from the repository we would anyway have to do an SQL query to find it by URL, so what is the profit? If someone tries to DoS you, the better place to do rate limits or whitelists is something like nginx. GitHub has a public list of their IP addresses: https://api.github.com/meta
Storing these secrets in Redmine has a potential security impact on other systems, and requires significant work to support it (forms, disabling other types of hooks for certain repositories, securely storing secrets and more) without visible profit.
If configured with a secret, GitHub's webhooks will sign the request and place the signature in an X-Hub-Signature request header (see https://developer.github.com/webhooks/securing/ for details). It would be great if this plugin could be configured with the same secret and verify that signature.
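As an added example (not the plugin's own code), the check described above in Ruby: recompute the HMAC over the raw request body with the configured secret and compare it in constant time against the X-Hub-Signature header. The module name, secret and body below are constructed for illustration; it also accepts the sha256 form of the header that GitHub offers alongside sha1.

```ruby
require 'openssl'

# Constructed example: verification of GitHub's X-Hub-Signature header.
# GitHub computes HMAC over the raw request body with the shared secret and
# sends "<algo>=<hex>"; the receiver recomputes and compares in constant time.
module HubSignature
  # Header value GitHub would send for this body and secret. Only used here
  # to construct test input; a receiver never needs to call it.
  def self.sign(secret, raw_body, algo = 'sha1')
    "#{algo}=" + OpenSSL::HMAC.hexdigest(algo, secret, raw_body)
  end

  # Constant-time comparison so response timing does not reveal how many
  # leading bytes of a supplied signature were correct.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    result = 0
    a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
    result.zero?
  end

  # True only if header_value is a well-formed "<algo>=<hex>" value whose
  # digest matches the HMAC of raw_body under secret. A missing or empty
  # secret fails closed rather than skipping the check.
  def self.valid?(secret, raw_body, header_value)
    return false if secret.nil? || secret.empty? || header_value.nil?
    algo, hex = header_value.split('=', 2)
    return false unless %w[sha1 sha256].include?(algo) && hex
    expected = OpenSSL::HMAC.hexdigest(algo, secret, raw_body)
    secure_compare(expected, hex)
  end
end

if __FILE__ == $0
  secret = 'example-shared-secret' # constructed, not a real secret
  body = '{"ref":"refs/heads/main","repository":{"clone_url":"https://github.com/example/repo.git"}}'
  header = HubSignature.sign(secret, body)
  puts HubSignature.valid?(secret, body, header)       # true
  puts HubSignature.valid?(secret, body + ' ', header) # false: body altered
end
```

In a Rails/Redmine controller the raw body comes from `request.raw_post` and the header from `request.headers['X-Hub-Signature']`; the comparison must run on the raw bytes, not on a re-serialized parsed payload.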