Allstar, Authentication Bypass, CVE-2024-XXXX (Critical)

The vulnerability exists in the Reviewbot component’s webhook authentication mechanism. Inbound webhook HTTP requests carry a signature header for verification. The signature-verification code (pkg/reviewbot/reviewbot.go, around line 59, reproduced below) uses a hard-coded shared secret string (“secret”) to validate these signatures. Because this secret was compiled directly into the Allstar binary, it could not be changed at runtime without a custom rebuild, so every instance of Allstar running Reviewbot used the same validation token. An attacker can read this static secret from the public source code. By crafting a webhook request and signing it with this known, hard-coded secret, the attacker passes the signature verification check: the system authenticates the request because the signature matches the expected, but universally known, secret. This allows unauthorized interaction with the Reviewbot endpoint, leading to the execution of privileged review actions on the target repository.
Platform: Allstar

Version: < 4.5

Vulnerability: Authentication Bypass

Severity: Critical

Date: 2024-XX-XX

Prediction: Patch released (v4.5)

What Undercode Says:

# Proof-of-concept request. The body that is signed must be the body that is sent:
# the original command signed the string 'malicious_payload' but posted a different body,
# so its signature could never match.
PAYLOAD='{"action":"review"}'
SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac 'secret' -binary | xxd -p -c 32)
curl -X POST -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD" http://target/reviewbot

// Vulnerable Code Snippet (pkg/reviewbot/reviewbot.go ~line 59)
// Assumes imports crypto/hmac, crypto/sha256, encoding/hex and strings.
func verifySignature(secretToken string, payload []byte, signatureHeader string) bool {
	// Hard-coded secret "secret" is used for validation; the secretToken parameter is ignored.
	mac := hmac.New(sha256.New, []byte("secret"))
	mac.Write(payload)
	expectedMAC := mac.Sum(nil)
	// Comparison logic (not shown on the original page; standard constant-time form):
	// strip the "sha256=" prefix, hex-decode, compare with hmac.Equal.
	got, err := hex.DecodeString(strings.TrimPrefix(signatureHeader, "sha256="))
	if err != nil {
		return false
	}
	return hmac.Equal(got, expectedMAC)
}

// Patched Code (v4.5+)
// Secret is now read from a configuration environment variable.
// Assumes the same imports plus os.
func verifySignature(secretToken string, payload []byte, signatureHeader string) bool {
	// Caveat: os.Getenv returns "" when the variable is unset, so the deployment must set it.
	secret := os.Getenv("REVIEWBOT_WEBHOOK_SECRET")
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(payload)
	expectedMAC := mac.Sum(nil)
	got, err := hex.DecodeString(strings.TrimPrefix(signatureHeader, "sha256="))
	if err != nil {
		return false
	}
	return hmac.Equal(got, expectedMAC)
}

How the Exploit Works:

Craft malicious webhook.

Sign with hard-coded secret.

Send to endpoint.

Bypass authentication.

Trigger unauthorized actions.

Protection from this CVE

Upgrade to v4.5.

Set a unique REVIEWBOT_WEBHOOK_SECRET per deployment.

Disable the Reviewbot endpoint if it is not used.
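The patched snippet and the mitigation "Set a unique REVIEWBOT_WEBHOOK_SECRET" both rest on the secret being per-deployment and actually present. The following is an added example written for this page, not Allstar's own code: a verifier built from configuration at startup that refuses an empty secret (os.Getenv returns "" when the variable is unset, and an empty HMAC key is as guessable as a hard-coded one), and a check showing that a header signed with the leaked constant "secret" is rejected while one signed with the configured secret is accepted. The Verifier type, NewVerifier, Sign and Verify names, and the sample secret and payload are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ErrNoSecret is returned when no deployment-specific secret has been configured.
var ErrNoSecret = errors.New("reviewbot: webhook secret not configured")

// Verifier holds the per-deployment webhook secret. It is constructed from
// configuration (for example the REVIEWBOT_WEBHOOK_SECRET variable named in the
// advisory) rather than compiled into the binary. Hypothetical type for this example.
type Verifier struct {
	secret []byte
}

// NewVerifier refuses an empty secret so that a missing configuration value fails
// at startup instead of silently verifying every request against an empty key.
func NewVerifier(secret string) (*Verifier, error) {
	if secret == "" {
		return nil, ErrNoSecret
	}
	return &Verifier{secret: []byte(secret)}, nil
}

// Sign returns the GitHub-style header value "sha256=<hex>" for payload.
// Used here both to produce valid signatures and to model a forgery with a known key.
func Sign(secret string, payload []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(payload)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// Verify checks signatureHeader against payload using the configured secret.
// It requires the sha256= scheme, a well-formed 32-byte digest, and compares in
// constant time with hmac.Equal.
func (v *Verifier) Verify(payload []byte, signatureHeader string) bool {
	if !strings.HasPrefix(signatureHeader, "sha256=") {
		return false
	}
	got, err := hex.DecodeString(strings.TrimPrefix(signatureHeader, "sha256="))
	if err != nil || len(got) != sha256.Size {
		return false
	}
	mac := hmac.New(sha256.New, v.secret)
	mac.Write(payload)
	return hmac.Equal(got, mac.Sum(nil))
}

func main() {
	// Constructed sample values; a real deployment reads the secret from configuration.
	const deploymentSecret = "constructed-deployment-secret-0123456789"
	payload := []byte(`{"action":"review"}`)

	v, err := NewVerifier(deploymentSecret)
	if err != nil {
		panic(err)
	}
	fmt.Println("forged with leaked constant 'secret':", v.Verify(payload, Sign("secret", payload)))
	fmt.Println("signed with configured secret:", v.Verify(payload, Sign(deploymentSecret, payload)))
	_, err = NewVerifier("")
	fmt.Println("empty secret rejected at startup:", errors.Is(err, ErrNoSecret))
}
```

Running it prints false, true, true: the forged header built from the public constant is rejected, the correctly signed one is accepted, and an unset secret is caught before the first request arrives. Moving the secret read into a constructor, rather than calling os.Getenv inside the verification function as the patched snippet does, is what turns a missing REVIEWBOT_WEBHOOK_SECRET into a loud deploy-time failure.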

Impact:

Unauthorized review actions.

Workflow integrity loss.

Misleading automated comments.

Sources:

Reported By: github.com