ドキュメントには頻繁に更新が加えられ、その都度公開されています。本ページの翻訳はまだ未完成な部分があることをご了承ください。最新の情報については、英語のドキュメンテーションをご参照ください。本ページの翻訳に問題がある場合はこちらまでご連絡ください。

このバージョンの GitHub Enterprise はこの日付をもって終了となりました: 2020-11-12. 重大なセキュリティの問題に対してであっても、パッチリリースは作成されません。 パフォーマンスの向上、セキュリティの改善、新機能のためには、最新バージョンのGitHub Enterpriseにアップグレードしてください。 アップグレードに関する支援については、GitHub Enterprise supportに連絡してください。

Securing your webhooks

Ensure your server is only receiving the expected GitHub requests for security reasons.

ここには以下の内容があります:

Once your server is configured to receive payloads, it'll listen for any payload sent to the endpoint you configured. For security reasons, you probably want to limit requests to those coming from GitHub. There are a few ways to go about this--for example, you could opt to allow requests from GitHub's IP address--but a far easier method is to set up a secret token and validate the information.

You can use the repository, organization, and app webhook REST APIs to create, update, delete, and ping webhooks. For more information, see:

Setting your secret token

You'll need to set up your secret token in two places: GitHub and your server.

To set your token on GitHub:

  1. Navigate to the repository where you're setting up your webhook.
  2. Fill out the Secret textbox. Use a random string with high entropy (e.g., by taking the output of ruby -rsecurerandom -e 'puts SecureRandom.hex(20)' at the terminal).
    Webhook secret token field
  3. Click Update Webhook.

Next, set up an environment variable on your server that stores this token. Typically, this is as simple as running:

$ export SECRET_TOKEN=your_token

Never hardcode the token into your app!

Validating payloads from GitHub

When your secret token is set, GitHub Enterprise Server uses it to create a hash signature with each payload. This hash signature is included with the headers of each request as X-Hub-Signature.

For example, if you have a basic server that listens for webhooks, it might be configured similar to this:

require 'sinatra'
require 'json'

post '/payload' do
  push = JSON.parse(params[:payload])
  "I got some JSON: #{push.inspect}"
end

The intention is to calculate a hash using your SECRET_TOKEN, and ensure that the result matches the hash from GitHub Enterprise Server. GitHub Enterprise Server uses an HMAC hex digest to compute the hash, so you could reconfigure your server to look a little like this:

post '/payload' do
  request.body.rewind
  payload_body = request.body.read
  verify_signature(payload_body)
  push = JSON.parse(params[:payload])
  "I got some JSON: #{push.inspect}"
end

def verify_signature(payload_body)
  signature = 'sha1=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), ENV['SECRET_TOKEN'], payload_body)
  return halt 500, "Signatures didn't match!" unless Rack::Utils.secure_compare(signature, request.env['HTTP_X_HUB_SIGNATURE'])
end

Your language and server implementations may differ from this example code. However, there are a number of very important things to point out:

  • No matter which implementation you use, the hash signature starts with sha256=, using the key of your secret token and your payload body.

  • Using a plain == operator is not advised. A method like secure_compare performs a "constant time" string comparison, which helps mitigate certain timing attacks against regular equality operators.