not all events have 'installation'
goern opened this issue · 8 comments
It looks like not all events have an installation attribute:
Traceback (most recent call last):
File "/opt/app-root/lib/python3.7/site-packages/aiohttp/web_protocol.py", line 418, in start
resp = await task
File "/opt/app-root/lib/python3.7/site-packages/octomachinery/app/routing/webhooks_dispatcher.py", line 75, in wrapper
return await wrapped_function(request)
File "/opt/app-root/lib/python3.7/site-packages/octomachinery/app/routing/webhooks_dispatcher.py", line 96, in route_github_webhook_event
github_installation = await github_app.get_installation(event)
File "/opt/app-root/lib/python3.7/site-packages/octomachinery/github/api/app_client.py", line 145, in get_installation
install_id = event.data['installation']['id']
KeyError: 'installation'
Webhook causing this:
{
  "action": "updated",
  "security_advisory": {
    "ghsa_id": "GHSA-mx7p-6679-8g3q",
    "summary": "Moderate severity vulnerability that affects com.fasterxml.jackson.core:jackson-databind",
    "description": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.",
    "severity": "moderate",
    "identifiers": [
      {
        "value": "GHSA-mx7p-6679-8g3q",
        "type": "GHSA"
      },
      {
        "value": "CVE-2019-16942",
        "type": "CVE"
      }
    ],
    "references": [
      {
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16942"
      }
    ],
    "published_at": "2019-10-28T20:51:15Z",
    "updated_at": "2019-11-01T17:09:59Z",
    "withdrawn_at": null,
    "vulnerabilities": [
      {
        "package": {
          "ecosystem": "maven",
          "name": "com.fasterxml.jackson.core:jackson-databind"
        },
        "severity": "moderate",
        "vulnerable_version_range": "< 2.9.10.1",
        "first_patched_version": {
          "identifier": "2.9.10.1"
        }
      }
    ]
  }
}
Thanks for the report!
Is this event related to any repo/org at all? Did you set your App webhook URL in some repos manually (w/o an app)?
It has been sent by a webhook configured to send all events; that webhook belongs to a GitHub App installed in an org.
sent by a webhook configured to sent all events
Not sure what you mean here. Is this just a regular GitHub App webhook setup?
Yes, right.
Here is another payload raising the exception:
{
  "action": "published",
  "security_advisory": {
    "ghsa_id": "GHSA-89mq-4x47-5v83",
    "summary": "High severity vulnerability that affects angular",
    "description": "In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload.",
    "severity": "high",
    "identifiers": [
      {
        "value": "GHSA-89mq-4x47-5v83",
        "type": "GHSA"
      },
      {
        "value": "CVE-2019-10768",
        "type": "CVE"
      }
    ],
    "references": [
      {
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10768"
      }
    ],
    "published_at": "2019-11-20T15:29:43Z",
    "updated_at": "2019-11-20T15:29:43Z",
    "withdrawn_at": null,
    "vulnerabilities": [
      {
        "package": {
          "ecosystem": "npm",
          "name": "angular"
        },
        "severity": "high",
        "vulnerable_version_range": "< 1.7.9",
        "first_patched_version": {
          "identifier": "1.7.9"
        }
      }
    ]
  }
}
@goern could you please also look up the event name? You should have something like Got a valid X-GitHub-Event={{ EVENT_NAME_HERE }} right before the traceback.
It looks like it's https://developer.github.com/v3/activity/events/types/#securityadvisoryevent.
The event name is security_advisory.
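As an added example that is not octomachinery's own code, the dispatcher below handles the payload shape posted in this thread without indexing 'installation' unconditionally, which is what raises the KeyError in the traceback. The embedded payload is a trimmed copy of the one posted above, the `issues` event is constructed for contrast, and the function names are this example's own.

```python
# Added example, not octomachinery's code: route GitHub App webhook events
# without assuming every payload carries an 'installation' object. App-level
# events such as security_advisory are delivered to every subscribed App and
# carry no installation, so data['installation']['id'] raises the KeyError above.
import json
from typing import Any, Dict, Optional

# Constructed: trimmed security_advisory payload (shape shown above) and a minimal installation-scoped event.
SECURITY_ADVISORY_EVENT = json.loads("""{
  "action": "published",
  "security_advisory": {
    "ghsa_id": "GHSA-89mq-4x47-5v83", "severity": "high",
    "identifiers": [{"value": "GHSA-89mq-4x47-5v83", "type": "GHSA"},
                    {"value": "CVE-2019-10768", "type": "CVE"}],
    "vulnerabilities": [{"package": {"ecosystem": "npm", "name": "angular"},
                         "vulnerable_version_range": "< 1.7.9",
                         "first_patched_version": {"identifier": "1.7.9"}}]
  }
}""")
ISSUES_EVENT = {"action": "opened", "installation": {"id": 4242}}


def installation_id(data: Dict[str, Any]) -> Optional[int]:
    """Return the installation id, or None for app-level events."""
    install = data.get("installation")
    return install["id"] if isinstance(install, dict) else None


def summarize_advisory(data: Dict[str, Any]) -> Dict[str, Any]:
    """Extract what is worth tracking from a security_advisory payload."""
    adv = data["security_advisory"]
    return {
        "ghsa_id": adv["ghsa_id"],
        "severity": adv["severity"],
        "cves": [i["value"] for i in adv["identifiers"] if i["type"] == "CVE"],
        "affected": [(v["package"]["name"], v["vulnerable_version_range"],
                      v["first_patched_version"]["identifier"]) for v in adv["vulnerabilities"]],
    }


def route_event(event_name: str, data: Dict[str, Any]) -> str:
    """Dispatch on the X-GitHub-Event name without touching 'installation' blindly."""
    if event_name == "security_advisory":
        s = summarize_advisory(data)
        return f"advisory {s['ghsa_id']} ({s['severity']}) cves={','.join(s['cves'])}"
    inst = installation_id(data)
    if inst is None:
        return f"{event_name}: no installation in payload, handled at app level"
    return f"{event_name}: installation {inst}"
```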