jenkins: whitelist IPs allowed to push status changes

phillipj · phillipj · commit cbc986da3469 · 2017-05-06T22:12:52.000+02:00
This is needed to ensure not everyone on the internet can push an inline
status to any PR if they know the bot URL.
diff --git a/README.md b/README.md
@@ -18,6 +18,8 @@ See [CONTRIBUTING.md](CONTRIBUTING.md).
   The webhook secret that GitHub signs the POSTed payloads with. This is created when the webhook is defined. The default is `hush-hush`.
 - **`TRAVIS_CI_TOKEN`**<br>
   For scripts that communicate with Travis CI. Your Travis token is visible on [yourprofile](https://travis-ci.org/profile) page, by clicking the "show token" link. Also See: https://blog.travis-ci.com/2013-01-28-token-token-token
+- **`JENKINS_SLAVE_IPS`**<br>
+  List of valid Jenkins slave IPs allowed to push PR status updates, split by comma: `192.168.1.100,192.168.1.101`.
 - **`JENKINS_API_CREDENTIALS`** (optional)<br>
   For scripts that communicate with Jenkins on http://ci.nodejs.org. The Jenkins API token is visible on
   your own profile page `https://ci.nodejs.org/user/<YOUR_GITHUB_USERNAME>/configure`, by clicking the
diff --git a/scripts/jenkins-status.js b/scripts/jenkins-status.js
@@ -3,6 +3,21 @@
 const pushJenkinsUpdate = require('../lib/push-jenkins-update')
 const enabledRepos = ['citgm', 'node']
 
+const jenkinsIpWhiteliste = process.env.JENKINS_SLAVE_IPS ? process.env.JENKINS_SLAVE_IPS.split(',') : []
+
+function isJenkinsIpWhitelisted (req) {
+  const ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress
+
+  if (jenkinsIpWhiteliste.length) {
+    if (!jenkinsIpWhiteliste.includes(ip)) {
+      req.log.warn({ ip }, 'Ignoring, not allowed to push Jenkins updates')
+      return false
+    }
+  }
+
+  return true
+}
+
 module.exports = function (app) {
   app.post('/:repo/jenkins/start', (req, res) => {
     const isValid = pushJenkinsUpdate.validate(req.body)
@@ -16,6 +31,10 @@ module.exports = function (app) {
       return res.status(400).end('Invalid repository')
     }
 
+    if (!isJenkinsIpWhitelisted(req)) {
+      return res.status(401).end('Invalid Jenkins IP')
+    }
+
     pushJenkinsUpdate.pushStarted({
       owner: 'nodejs',
       repo,
@@ -37,6 +56,10 @@ module.exports = function (app) {
       return res.status(400).end('Invalid repository')
     }
 
+    if (!isJenkinsIpWhitelisted(req)) {
+      return res.status(401).end('Invalid Jenkins IP')
+    }
+
     req.log.debug({ payload: req.body }, 'Jenkins / Github PR end status incoming')
 
     pushJenkinsUpdate.pushEnded({
