Add webhook secret token like GitHub

circle.yml

#1

I’m working on a bot that posts CircleCI build output to our Slack team via webhook.

Alas, it dawns on me that, given my team works in public GitHub repos, it’d be fairly trivial for somebody to craft a POST request to the service that would then post something inappropriate as the bot to Slack.

This isn’t an issue with GitHub as I’m able to use the secret token system detailed here. However, it feels like I basically have to rely on security through obscurity with the CircleCI aspect of my code.

So —

  1. Is there a way of validating that the request payload came from Circle?
  2. If not, would you consider adding webhook secret tokens?

Thanks!
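For reference, the GitHub mechanism the post refers to is an HMAC over the raw request body keyed with a shared secret, carried in a signature header that the receiver recomputes and compares in constant time. The following is an added example (not code from this thread, from CircleCI, or from GitHub) of that receiver-side check in Python; the secret and the payload are constructed sample values, and the header name follows GitHub's `X-Hub-Signature-256` convention.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values for this example: a shared secret configured on
# both sides out of band, and a raw webhook body exactly as received.
SECRET = b"constructed-example-secret-change-me"
SAMPLE_BODY = b'{"build_num": 1234, "status": "success", "reponame": "example"}'


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender-side signature header value: sha256=<hex HMAC-SHA256>.

    The MAC covers the exact bytes of the body, so the receiver must verify
    against the raw body, not a re-serialized JSON object.
    """
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Receiver-side check mirroring the GitHub X-Hub-Signature-256 scheme.

    Returns False (never raises) for a missing header, an unexpected algorithm
    prefix, or a mismatch. hmac.compare_digest keeps the comparison
    constant-time, so the secret cannot be recovered from response timing.
    """
    if not header_value:
        return False
    algo, _, received_hex = header_value.partition("=")
    if algo != "sha256" or not received_hex:
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), received_hex.encode())


def handle_webhook(secret: bytes, body: bytes, headers: dict) -> str:
    """Minimal handler: reject before parsing JSON or forwarding to Slack."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return "rejected"
    # Only now is it safe to parse the body and post it to Slack.
    return "accepted"


if __name__ == "__main__":
    good = {"X-Hub-Signature-256": sign_payload(SECRET, SAMPLE_BODY)}
    print(handle_webhook(SECRET, SAMPLE_BODY, good))              # accepted
    # A forged body sent with a genuine header for a different body fails.
    print(handle_webhook(SECRET, b'{"status": "failed"}', good))  # rejected
    # A request with no signature header fails too.
    print(handle_webhook(SECRET, SAMPLE_BODY, {}))                # rejected
```

Until a sender signs its payloads, a receiver has nothing of this kind to check, which is the gap the thread is asking CircleCI to close.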


#2

Is there a reason you can’t use private environment variables? https://circleci.com/docs/environment-variables/#setting-environment-variables-for-all-commands-without-adding-them-to-git


#3

@FelicianoTech As far as I can tell, environment variables aren’t ever exposed via the “single build” endpoint (https://circleci.com/docs/api/#build). I just tested that to ensure I wasn’t missing anything and am pretty sure they aren’t included.


#4

Update: One way I’ve found around this is to use the status event from GitHub, which will give the CircleCI build number, which can then be requested via the REST API.

I’d still request payload signing as a feature for CircleCI as doing it this way involves an extra trip that is rather unnecessary. Without some way of signing the payload, anyone who discovers an endpoint accepting CircleCI webhooks can POST a fake payload to it, possibly interfering with the system.


#5

@FelicianoTech have there been any updates to this? we are in need of the same thing.


#6

Not at this time, no. Make sure to like (heart) the original post to help signal to our team which feature request we should work on next.


#7

Faved this :heart:
I would also like to see this feature implemented.
My use case: I would like to pass to the URL an env var passed via a build triggered with the API with env vars.
Thanks.

