Bug 2015969 - Unauthenticated CircleCI webhook allows remote attackers to spoof Harbormaster build target results (PASS/FAIL)

dklawren · dklawren · commit 782447900aa9 · 2026-02-19T11:59:58.000-05:00
diff --git a/src/applications/harbormaster/application/PhabricatorHarbormasterApplication.php b/src/applications/harbormaster/application/PhabricatorHarbormasterApplication.php
@@ -52,6 +52,11 @@ public function getHelpDocumentationArticles(PhabricatorUser $viewer) {
   }
 
   public function getRoutes() {
+    /* Bug 2015969 */
+    /* 'hook/' => array( */
+    /*   'circleci/' => 'HarbormasterCircleCIHookController', */
+    /*   'buildkite/' => 'HarbormasterBuildkiteHookController', */
+    /* ), */
     return array(
       '/B(?P<id>[1-9]\d*)' => 'HarbormasterBuildableViewController',
       '/harbormaster/' => array(
@@ -95,7 +100,6 @@ public function getRoutes() {
           '(?P<id>\d+)/' => 'HarbormasterLintMessagesController',
         ),
         'hook/' => array(
-          'circleci/' => 'HarbormasterCircleCIHookController',
           'buildkite/' => 'HarbormasterBuildkiteHookController',
         ),
         'log/' => array(
