Merge pull request #1454 from Shopify/tdickers/0.44-log-unrecognized-github-org

tdickers · web-flow · commit f7dc37a5309d · 2026-01-30T11:13:47.000-05:00
v0.44.0: log when webhook is received for unknown github organization.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Unreleased
 
+# 0.44.0
+* Return 422 and log when a webhook is from an unknown (unconfigured) GitHub organization.
+
 # 0.43.3
 * (bugfix) Ensure we always call `bundle config set without`, even if the without group is empty
 
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    shipit-engine (0.43.4)
+    shipit-engine (0.44.0)
       active_model_serializers (~> 0.9.3)
       ansi_stream (~> 0.0.6)
       autoprefixer-rails (~> 6.4.1)
diff --git a/app/controllers/shipit/webhooks_controller.rb b/app/controllers/shipit/webhooks_controller.rb
@@ -36,6 +36,16 @@ def verify_signature
         "signature=#{request.headers['X-Hub-Signature']}",
         "status=#{status}"
       ].join(' '))
+    rescue Shipit::GithubOrganizationUnknown => e
+      head(422)
+      Rails.logger.warn([
+        'WebhookController#verify_signature',
+        'Webhook from unknown organization',
+        "event=#{event}",
+        "repository_owner=#{repository_owner}",
+        "unknown_organization=#{e.message}",
+        "status=#{status}"
+      ].join(' '))
     end
 
     def check_if_ping
diff --git a/lib/shipit/version.rb b/lib/shipit/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Shipit
-  VERSION = '0.43.4'
+  VERSION = '0.44.0'
 end
diff --git a/test/controllers/webhooks_controller_test.rb b/test/controllers/webhooks_controller_test.rb
@@ -106,6 +106,26 @@ class WebhooksControllerTest < ActionController::TestCase
       assert_response :unprocessable_entity
     end
 
+    test "unknown github organization logs and returns unprocessable entity" do
+      @request.headers['X-Github-Event'] = 'push'
+
+      payload = JSON.parse(payload(:push_master))
+      payload["repository"]["owner"]["login"] = "unknown-org"
+
+      Shipit.stubs(:github).raises(Shipit::GithubOrganizationUnknown.new("unknown-org"))
+      Rails.logger.expects(:warn).with([
+        'WebhookController#verify_signature',
+        'Webhook from unknown organization',
+        "event=push",
+        "repository_owner=unknown-org",
+        "unknown_organization=unknown-org",
+        "status=422"
+      ].join(' '))
+
+      post :create, body: payload.to_json, as: :json
+      assert_response :unprocessable_entity
+    end
+
     test ":membership creates the mentioned team on the fly" do
       @request.headers['X-Github-Event'] = 'membership'
       assert_difference -> { Team.count }, 1 do
