authentication - How to verify a post-receive hook request actually came from github?

Question

Welcome To Ask or Share your Answers For Others

authentication - How to verify a post-receive hook request actually came from github?

asked Oct 24, 2021 in Technique[技术] by 深蓝 (71.8m points)

authentication - How to verify a post-receive hook request actually came from github?

Github offers a way to let a URL know when a project has been updated using webhooks.

How do I verify that a post sent to my server's post-receive hook actually came from github?

Should I check the IP address of the sender or can I send an auth check somewhere? I want to make sure someone doesn't try to spoof a request pretending to be from github.

One option is to setup the hook through PubSubHubbub and use the hub.secret option to create a SHA1 HMAC signature of the post body. However, that would require my server setting up the request rather than waiting for users to setup the post-receive callback to my site when they want to. I would rather just ask users to paste the URL I give them into the post url.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

1 Answer

深蓝 · Answer 1 · 2021-10-23T17:57:54+0000

You can ping GitHub's Meta API to get an array of IP addresses (in CIDR notation) that the incoming service hooks will originate from and cross check them against the request's IP :

https://api.github.com/meta

Categories

authentication - How to verify a post-receive hook request actually came from github?

authentication - How to verify a post-receive hook request actually came from github?

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags