NixOS Hydra Webhook Authentication Bypass Vulnerability

Vulnerability

A vulnerability exists in NixOS Hydra's GitHub and Gitea webhook integration that allows unauthenticated requests to trigger evaluations. The issue, present in versions prior to f7bda02, can lead to excessive resource usage and potential denial-of-service conditions on the server. It arises because the webhook endpoints do not require authentication even though the forges that call them (GitHub and Gitea) support HMAC signing of webhook payloads with a shared secret; since Hydra performed no signature verification, anyone able to reach the endpoints could initiate costly evaluations. The vulnerability has been addressed in version f7bda02, which implements signature verification for the GitHub and Gitea webhooks.

Impact

Exploitation of this vulnerability can cause increased load on the server, particularly during large evaluation processes, potentially leading to denial-of-service conditions.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/push-github' or '/api/push-gitea' endpoint without including the required HMAC signature. This can be done using a tool like curl or Postman. The request will be accepted, and the corresponding evaluation will be triggered in Hydra, bypassing the authentication mechanism.

Remediation

Update to Hydra version f7bda02 or later, and configure the webhook secrets in the 'hydra.conf' file. If an immediate update is not possible, block the '/api/push-github' and '/api/push-gitea' endpoints using a reverse proxy.
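The check that closes this class of issue, as an added example in Python (not Hydra's own Perl code): the handler recomputes HMAC-SHA256 over the raw request body with the shared secret and rejects any request whose signature header is missing or does not match in constant time. The secret and payload are constructed sample values; the header names are the ones GitHub (X-Hub-Signature-256) and Gitea (X-Gitea-Signature) send.

```python
import hashlib
import hmac

# Constructed sample secret and push payload; not real values.
SECRET = b"constructed-example-secret"
PAYLOAD = b'{"ref":"refs/heads/main","repository":{"full_name":"example/repo"}}'


def github_signature(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: 'sha256=' + hex HMAC-SHA256 of the body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def gitea_signature(secret: bytes, body: bytes) -> str:
    """Value Gitea sends in X-Gitea-Signature: hex HMAC-SHA256 of the body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(forge: str, secret: bytes, headers: dict, body: bytes) -> bool:
    """Return True only if the request carries a signature matching the shared secret.

    A missing header is a hard failure: that is exactly the unsigned request the
    vulnerable endpoints accepted, and it must be rejected before any evaluation
    is queued.  Header names are matched case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if forge == "github":
        presented = lowered.get("x-hub-signature-256")
        expected = github_signature(secret, body)
    elif forge == "gitea":
        presented = lowered.get("x-gitea-signature")
        expected = gitea_signature(secret, body)
    else:
        return False
    if not presented:
        return False
    # Constant-time comparison so a mismatch does not leak the expected digest via timing.
    return hmac.compare_digest(presented, expected)


def handle_push(forge: str, secret: bytes, headers: dict, body: bytes) -> tuple:
    """Minimal hardened handler: 401 for unsigned or mis-signed requests, 200 otherwise."""
    if not verify_webhook(forge, secret, headers, body):
        return 401, "signature verification failed"
    # Only a verified request reaches the point where an evaluation is scheduled.
    return 200, "evaluation queued"
```

The same verification must run before any work is queued; checking after the evaluation has been scheduled leaves the resource-exhaustion path open.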

Added: Aug 12, 2025, 4:27 PM
Updated: Aug 12, 2025, 4:27 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.