
[bug] GitHub webhook endpoint does not verify x-hub-signature-256 #694

@agarwal-tanmay-work

Description

Describe the bug

The GitHub webhook handler processes incoming webhook payloads without explicitly
verifying the x-hub-signature-256 header against a shared secret.

If the webhook endpoint is publicly accessible, a forged request could trigger
webhook-driven workflows (e.g. review agents) without originating from GitHub.

To reproduce

  1. Deploy Sourcebot with GitHub webhook support enabled
  2. Send a POST request to the webhook endpoint with a valid-looking GitHub event payload
  3. Omit or modify the x-hub-signature-256 header
  4. Observe that the payload is still parsed and processed

Sourcebot deployment information

Sourcebot version (e.g. v3.0.1):
Not deployment-specific.

This behavior is observable by inspecting the webhook handler logic, where the
request body is parsed and processed without prior verification of the webhook
signature.

Additional information

GitHub recommends validating webhook payloads using the x-hub-signature-256 header
and a shared secret before parsing or processing the request body.

Verifying the raw request body against the webhook secret before JSON parsing
would prevent forged or replayed webhook events.

Happy to open a PR if that’s useful.
