zero-24
23 Aug 2016

Steps to reproduce the issue

Issues.joomla.org

Expected result

See the entry there

Actual result

No entry for joomla/joomla-cms#11760

System information (as much as possible)

Additional comments

zero-24 - open - 23 Aug 2016
zero-24 - comment - 23 Aug 2016

Looks like we have a general bot issue?

https://issues.joomla.org/tracker/joomla-cms/11694

Misses the last comments from
joomla/joomla-cms#11694 (comment)

mbabker - comment - 23 Aug 2016

I'm getting really tired of ModSec...

zero-24 - comment - 23 Aug 2016

? How did it work before?

mbabker - comment - 23 Aug 2016

Odds are the old server didn't have ModSec on it.

zero-24 - comment - 23 Aug 2016

Ok. Hmm, but there should be a way to consume GitHub hooks in a secure way. Do we have a way to contact GitHub?

mbabker - comment - 23 Aug 2016

It's not GitHub, it's Rochen.

zero-24 - comment - 23 Aug 2016

I mean, ask GitHub to get a secure configuration of mod_security; they maybe have some experience with that? Or Rochen could ask GitHub how to configure it securely?

zero-24 - comment - 23 Aug 2016
mbabker - comment - 23 Aug 2016

Supposedly Rochen whitelisted GitHub stuff based on the data I gave them. Apparently that's not happening.

The problem is our issues commonly have SQL scripts, JavaScript snippets, and HTML inlined into them. Which triggers the rules long before our application runs.

And that page is only good for application level security measures. It does nothing to address the web server stripping stuff.
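
Editor's note (added example, not Rochen's actual configuration or anything from the tracker project): the failure mode described above, where the CRS inspects the webhook body and blocks it for looking like SQL or HTML, is usually handled by scoping an exception to the receiver path rather than disabling ModSecurity for the whole vhost. The path `/hooks/github` and rule id are hypothetical.

```apacheconf
# Too broad: silences ModSecurity for every request on the vhost,
# including the public forms where the CRS is actually wanted.
# SecRuleEngine Off

# Narrower: keep the engine on everywhere except the webhook receiver.
# phase:1 runs on the request headers, before the body is read, so
# ctl:ruleEngine=Off applies to the body inspection phase as well.
SecRule REQUEST_URI "@beginsWith /hooks/github" \
    "id:100001,phase:1,pass,nolog,ctl:ruleEngine=Off"

# Narrower still: keep inspection on that path but drop only the SQLi
# and XSS rule groups (CRS 3 tags), since those are what fire on
# pasted code inside issue comments.
# SecRule REQUEST_URI "@beginsWith /hooks/github" \
#     "id:100002,phase:1,pass,nolog,\
#      ctl:ruleRemoveByTag=attack-sqli,ctl:ruleRemoveByTag=attack-xss"
```

An exception like this only makes sense when the application behind the path authenticates the sender itself, for example by checking the HMAC that GitHub attaches to each delivery; otherwise the exempted path becomes the one URL on the host where arbitrary request bodies are never inspected.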

zero-24 - comment - 23 Aug 2016

Hmm thanks for checking

zero-24 - comment - 23 Aug 2016

Hmm, looks like the cron synced it. So we need to add our logic to the crons too? Like pending and labels?

mbabker - comment - 23 Aug 2016

So #692 needs to be synced, tested, and merged is what you're saying.

And the cron works fine because it initiates a request to GitHub's API and pulls the data as a response whereas the webhooks send the request to our server. ModSecurity only filters incoming HTTP traffic, unless someone REALLY screwed up a configuration it shouldn't filter data from a curl request inside a PHP app.
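
Editor's note (added example in Python, not code from the Joomla tracker, which is a PHP application): the comment above draws the line between outbound API pulls, which the WAF never sees, and inbound webhook deliveries, which it inspects. The inbound side is the one that needs sender authentication, and the question earlier in the thread about consuming hooks "in a secure way" is answered by verifying the HMAC GitHub attaches to each delivery. The secret, headers and sample payload below are constructed; the payload deliberately carries the inline SQL and HTML that trips ModSecurity, to show that authenticity is established over the raw bytes without caring what they contain. GitHub today sends `X-Hub-Signature-256` (HMAC-SHA256); in 2016 the equivalent was `X-Hub-Signature` with `sha1=`, and the same check applies with `hashlib.sha1`.

```python
"""Verify a GitHub webhook delivery before trusting its contents.

Added example, not the tracker project's code: the secret, endpoint
behaviour and sample payload are all made up for illustration.
"""
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Hypothetical secret; in practice it is pasted into the webhook's
# "Secret" field on GitHub and kept in the receiver's configuration.
WEBHOOK_SECRET = b"correct horse battery staple"

# Constructed issue_comment payload. The comment body contains the kind
# of inline SQL and HTML that the thread says fires ModSecurity rules.
SAMPLE_BODY = json.dumps({
    "action": "created",
    "issue": {"number": 11760, "title": "Example issue"},
    "comment": {
        "body": "Run `SELECT * FROM #__users WHERE id = 1 OR 1=1;` then "
                "add <script>alert(1)</script> to the template."
    },
    "repository": {"full_name": "joomla/joomla-cms"},
}, separators=(",", ":")).encode()


def sign(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256 for this exact raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def github_headers(secret: bytes, body: bytes,
                   event: str = "issue_comment") -> Dict[str, str]:
    """Headers GitHub would attach; used here only to simulate a delivery."""
    return {
        "Content-Type": "application/json",
        "X-GitHub-Event": event,
        "X-Hub-Signature-256": sign(secret, body),
    }


def verify(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """True only if header is a valid HMAC-SHA256 of the raw request body.

    A missing or malformed header is rejected outright rather than treated
    as "unsigned, so fine", and the comparison is constant time so the
    receiver does not leak the expected digest byte by byte."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), header)


def handle_delivery(secret: bytes, headers: Dict[str, str],
                    body: bytes) -> Tuple[int, str]:
    """Minimal receiver: returns (HTTP status, message).

    The signature is checked over the raw bytes before the JSON is parsed;
    re-serialising the parsed object would change whitespace and break the
    MAC, and nothing in the payload is interpreted until its origin is known."""
    if not verify(secret, body, headers.get("X-Hub-Signature-256")):
        return 403, "signature missing or invalid"
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, "body is not JSON"
    event = headers.get("X-GitHub-Event", "")
    if event == "issue_comment" and payload.get("action") == "created":
        number = payload["issue"]["number"]
        # The tracker would store the comment here; its SQL/HTML is just data.
        return 200, f"stored comment on issue #{number}"
    return 200, f"ignored event {event!r}"


if __name__ == "__main__":
    ok = github_headers(WEBHOOK_SECRET, SAMPLE_BODY)
    print(handle_delivery(WEBHOOK_SECRET, ok, SAMPLE_BODY))          # accepted
    print(handle_delivery(WEBHOOK_SECRET, {}, SAMPLE_BODY))          # unsigned
    print(handle_delivery(WEBHOOK_SECRET, ok, SAMPLE_BODY + b" "))   # tampered
    print(handle_delivery(b"guessed", ok, SAMPLE_BODY))              # wrong secret
```

The receiver never looks at the payload content to decide whether to trust it, which is exactly why a WAF keyed on content is the wrong layer for this endpoint: the `SELECT ... OR 1=1` in the sample is legitimate data that an authenticated GitHub delivery is expected to carry.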

mbabker - comment - 23 Aug 2016

BTW anyone with admin rights on whatever repo is having issues can check the webhook configurations on GitHub as it shows the log of all of the transactions and success/fail status. You end up with something like the below meaning our server is once again misconfigured.

[Screenshot of the GitHub webhook delivery log, 23 Aug 2016]

zero-24 - comment - 23 Aug 2016

I don't have admin rights on GitHub repos. But also resending that would fail, correct?

mbabker - comment - 23 Aug 2016

Correct.

mbabker - comment - 23 Aug 2016

Per Rochen:

Apache was rebuilt on the following the whitelisting I did previously; I've reapplied the changes now

mbabker - change - 23 Aug 2016
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2016-08-23 14:47:44
Closed_By: mbabker
mbabker - close - 23 Aug 2016
