OpenShift Pipelines / SRVKP-10609

Resolve Security Debt: Enable Webhook Secret Validation for Forgejo/Gitea Providers


      Story (Required)

      As a Pipelines-as-Code maintainer, I want to address the security vulnerability caused by missing webhook signature verification for Forgejo/Gitea providers, so that we can prevent unauthenticated or spoofed requests from triggering pipelines.

      Background (Required)

      Currently, the Forgejo/Gitea provider implementation explicitly skips webhook signature validation. Historically, this was done as a workaround because validation was non-functional; however, it leaves a significant security gap: the system cannot verify whether a request actually originated from the configured Forgejo instance.

      With the recent switch to Forgejo, it is likely that previous validation issues have been resolved. Continuing to operate without a secret is now considered a security debt that exposes our CI/CD infrastructure to payload spoofing and unauthorized execution.

      Approach (Required)

      Security Review: Audit the current Forgejo/Gitea provider to identify exactly where validation is bypassed.

      Compatibility Check: Verify Forgejo’s current support for X-Gitea-Signature or X-Hub-Signature headers to ensure parity with standard security practices.

      Proof of Concept: Test the webhook handshake with a secret enabled to confirm that validation logic now functions correctly.

      Risk Assessment: Determine if the "no secret" state should be deprecated or if a "Strict Mode" toggle is required for backward compatibility during the transition.

      Documentation Update: Update security guidelines to mandate (or strongly recommend) the use of webhook secrets.
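To make the approach concrete, here is an added Go example (not Pipelines-as-Code's own code) of what the verification step would look like: it recomputes the HMAC-SHA256 of the raw request body with the configured secret, accepts either the bare hex digest in X-Gitea-Signature or the GitHub-style `sha256=` form in X-Hub-Signature-256 (assumed header formats), compares in constant time, and carries a strict toggle corresponding to the "Strict Mode" question above. Function names and the sample payload are constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"net/http"
	"strings"
)

// SignPayload returns the hex HMAC-SHA256 digest that Forgejo/Gitea is
// assumed to send in X-Gitea-Signature; used here to build test deliveries.
func SignPayload(body []byte, secret string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyForgejoSignature checks the raw request body against the configured
// secret. It accepts X-Gitea-Signature (bare hex) or X-Hub-Signature-256
// ("sha256=<hex>"). strict=true rejects deliveries when no secret is set;
// strict=false keeps the current "no secret, no validation" behaviour.
func VerifyForgejoSignature(h http.Header, body []byte, secret string, strict bool) error {
	if secret == "" {
		if strict {
			return errors.New("no webhook secret configured; refusing delivery")
		}
		return nil // legacy mode: unsigned deliveries are accepted
	}
	sig := h.Get("X-Gitea-Signature")
	if sig == "" {
		sig = strings.TrimPrefix(h.Get("X-Hub-Signature-256"), "sha256=")
	}
	if sig == "" {
		return errors.New("no signature header present")
	}
	got, err := hex.DecodeString(sig)
	if err != nil {
		return errors.New("malformed signature header")
	}
	want, _ := hex.DecodeString(SignPayload(body, secret))
	if !hmac.Equal(got, want) { // constant-time comparison of the digests
		return errors.New("signature mismatch")
	}
	return nil
}
```

The body must be the exact bytes received, read before any JSON decoding, since re-serialising the payload changes the digest.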

      Acceptance Criteria (Mandatory)

      A technical recommendation is documented on how to implement signature verification.

      Forgejo’s current version is verified to support standard signature headers.

      A migration path is identified for existing users who currently use webhooks without secrets.

      Follow-up tickets are created for the actual code implementation and documentation hardening.

      Out of scope

      Implementing validation for other providers (GitHub/GitLab).

      Full refactoring of the provider authentication layer.

      Dependencies

      Forgejo/Gitea API/Webhook documentation regarding signature headers.

      Access to a Forgejo test environment to validate the handshake.

cboudjna@redhat.com Chmouel Boudjnah