security issue with drop_invalid
ngapaillard opened this issue · 1 comments
ngapaillard commented
I found a security issue with the plugin. If the header "x-hub-signature" isn't in the request and drop_invalid is set to "true" then the message isn't dropped...
- Version: latest
- Operating System: MACOS
- Config File:

```
input {
  github {
    drop_invalid => true
    ip => "0.0.0.0"
    port => "8080"
    secret_token => "test"
  }
}
```

- Steps to Reproduce:

run

```
curl -XPOST -d'test' localhost:8080
```
The request won't be dropped by the plugin because the header "x-hub-signature" isn't present, so it passes the control...
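The failure mode reported above, sketched as an added Ruby example (not the plugin's code and not part of the original report): a signature check that only runs when the header is present, next to one that treats a missing header as invalid. The function names, the `headers` hash with lowercase keys, and the sample requests are assumptions made for illustration; the `sha1=` plus hex HMAC-SHA1 format is GitHub's `X-Hub-Signature` convention.

```ruby
require 'openssl'

# Constant-time string comparison (hypothetical helper for this example).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# GitHub's X-Hub-Signature value: "sha1=" + hex HMAC-SHA1 of the raw body.
def expected_signature(secret, body)
  'sha1=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, body)
end

# Fail-open pattern: the check only runs when the header exists, so an
# unsigned request is treated as valid (the behaviour reported above).
def valid_fail_open?(secret, headers, body)
  sig = headers['x-hub-signature']
  return true unless secret && sig
  secure_equal?(sig, expected_signature(secret, body))
end

# Fail-closed pattern: once a secret is configured, a missing or empty
# header is itself a verification failure.
def valid_fail_closed?(secret, headers, body)
  return true if secret.nil? # no secret configured: nothing to verify
  sig = headers['x-hub-signature']
  return false if sig.nil? || sig.empty?
  secure_equal?(sig, expected_signature(secret, body))
end

# Constructed sample requests, using the secret and body from the report.
SECRET = 'test'
BODY = 'test'
REQUESTS = {
  unsigned: {},
  signed: { 'x-hub-signature' => expected_signature(SECRET, BODY) },
  forged: { 'x-hub-signature' => 'sha1=' + '0' * 40 }
}

def results(checker)
  REQUESTS.transform_values { |h| send(checker, SECRET, h, BODY) }
end

if __FILE__ == $PROGRAM_NAME
  puts "fail-open:   #{results(:valid_fail_open?)}"
  puts "fail-closed: #{results(:valid_fail_closed?)}"
end
```

Only the `unsigned` case differs between the two checks, which is why a regression test for this class of bug needs a request with no signature header at all, not just one with a wrong signature.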
ngapaillard commented
Invalid plugin, I will move to the good one