Repository: mitchellh.com/tack
Stitch any CI into Tangled
Path: tack/internal/buildkite at b6e554047ffb806c77a7c7cc39be5760c485aece (2 files)

Latest commit on this tree: b6e55404 by Mitchell Hashimoto, 7w ago
jetstream: extract reusable consumer into internal/jetstream
Files:
  buildkite.go       (last changed 1 month ago)
  buildkite_test.go  (last changed 1 month ago)

Last commit touching both files:

buildkite: enforce freshness window on webhook signatures

VerifySignature previously accepted any cryptographically valid "timestamp=<unix>,signature=<hex>" header regardless of how old the timestamp was. An attacker who captured a single signed delivery could replay it indefinitely, creating duplicate status events and unbounded growth in the events table.

Reject signatures whose timestamp is more than MaxSignatureAge (5 minutes) from the local clock in either direction. The symmetric bound also defeats implausibly future-dated stamps that would otherwise mint a long replay window.

The clock is read through a package-level timeNow var so tests can pin it deterministically; the existing fixed-timestamp test now stubs the clock and a new stale case covers the rejection path.