screwdriver-api 8.0.151 → 8.0.152

package/config/default.yaml

@@ -278,6 +278,20 @@ scms: {}
 #         # SCM clone type (https or ssh)
 #         cloneType: https
 webhooks:
+  # Replay protection for incoming webhook deliveries. Dedupes identical
+  # x-github-delivery values within a short TTL so a captured webhook cannot be
+  # replayed by an attacker. The Redis backend reuses the connection configured
+  # under redisLock.options.redisConnection (a single Redis instance generally
+  # serves both features). When no Redis host is configured, falls back to a
+  # per-process in-memory store. Fail-open: infrastructure errors never block
+  # legitimate webhook deliveries.
+  replayProtection:
+    # Master switch. Set to false to disable replay protection entirely.
+    enabled: true
+    # Window in which a duplicate x-github-delivery is rejected. Defaults to 5
+    # minutes — long enough to defeat realistic fast-replay attempts, short
+    # enough that legitimate manual redelivery from the SCM UI is unaffected.
+    ttlSeconds: 300
   scms:
     github:
       # Obtains the SCM token for a given user. If a user does not have a valid SCM token registered with Screwdriver, it will use this user's token instead.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "screwdriver-api",
-  "version": "8.0.151",
+  "version": "8.0.152",
   "description": "API server for the Screwdriver.cd service",
   "main": "index.js",
   "scripts": {
@@ -129,7 +129,7 @@
     "screwdriver-request": "^3.0.0",
     "screwdriver-scm-base": "^10.0.1",
     "screwdriver-scm-bitbucket": "^7.4.1",
-    "screwdriver-scm-github": "^14.5.1",
+    "screwdriver-scm-github": "^14.6.2",
     "screwdriver-scm-gitlab": "^5.5.1",
     "screwdriver-scm-router": "^9.0.0",
     "screwdriver-template-validator": "^10.0.0",

package/plugins/helper.js

@@ -133,6 +133,22 @@ function isStageTeardown(jobName) {
     return STAGE_TEARDOWN_PATTERN.test(jobName);
 }
 
+/**
+ * Coerce a YAML-derived boolean-or-string into a Boolean. Accepts the
+ * common YAML 1.1 truthy strings ('on', 'true', 'yes', 'y') for
+ * consistency with the convention historically used by plugins/lock.js.
+ * @method parseBool
+ * @param  {Boolean|String} value
+ * @returns {Boolean}
+ */
+function parseBool(value) {
+    if (typeof value === 'boolean') {
+        return value;
+    }
+
+    return ['on', 'true', 'yes', 'y'].includes(String(value).toLowerCase());
+}
+
 module.exports = {
     getReadOnlyInfo,
     getScmUri,
@@ -140,5 +156,6 @@ module.exports = {
     setDefaultTimeRange,
     validTimeRange,
     getFullStageJobName,
-    isStageTeardown
+    isStageTeardown,
+    parseBool
 };

package/plugins/lock.js

@@ -4,21 +4,7 @@ const Redis = require('ioredis');
 const Redlock = require('redlock');
 const config = require('config');
 const logger = require('screwdriver-logger');
-
-/**
- * parse value to Boolean
- * @method parseBool
- * @param {(Boolean|String)} value
- * @return {Boolean}
- */
-function parseBool(value) {
-    if (typeof value === 'boolean') {
-        return value;
-    }
-
-    // True values refers to https://yaml.org/type/bool.html
-    return ['on', 'true', 'yes', 'y'].includes(String(value).toLowerCase());
-}
+const { parseBool } = require('./helper');
 
 class Lock {
     /**

package/plugins/webhooks/dedupStore.js

@@ -0,0 +1,112 @@
+'use strict';
+
+const config = require('config');
+const logger = require('screwdriver-logger');
+const lock = require('../lock');
+const { parseBool } = require('../helper');
+
+/**
+ * Webhook replay-protection store. Tracks `x-github-delivery` IDs (or the
+ * equivalent for other SCMs) for a short TTL and reports whether an incoming
+ * delivery is fresh or a duplicate.
+ *
+ * Reuses the Redis client that plugins/lock.js creates from
+ * redisLock.options. When that client is unavailable (redisLock.enabled is
+ * false, or Redis init failed), falls back to a per-process in-memory Map.
+ * The in-memory path is per-process and does NOT protect across multiple API
+ * instances — it's a fail-degraded fallback for deployments where Redis is
+ * unavailable.
+ *
+ * All errors are caught and the caller is told the delivery is fresh
+ * (fail-open) — webhook processing is never blocked because of replay-
+ * protection infrastructure failure.
+ *
+ * Exported as a singleton, mirroring plugins/lock.js.
+ */
+class WebhookDedupStore {
+    /**
+     * Read config and initialize the store. webhooks.replayProtection holds
+     *   { enabled: Boolean, ttlSeconds: Number }
+     * Redis is sourced from plugins/lock.js, which is in turn driven by
+     * redisLock.options — operators configure one Redis target, both features
+     * use it.
+     */
+    constructor() {
+        // Tolerate `replayProtection: null` in YAML — config.has() reports
+        // true but config.get() returns null in that case. Coalesce to {}
+        // so the rest of the constructor reads default values.
+        const options =
+            (config.has('webhooks.replayProtection') ? config.get('webhooks.replayProtection') : null) || {};
+
+        this.enabled = parseBool(options.enabled);
+        this.ttlSeconds = parseInt(options.ttlSeconds, 10) || 300;
+
+        if (!this.enabled) {
+            this.redis = null;
+            this.memorySeen = null;
+
+            return;
+        }
+
+        this.redis = lock.redis || null;
+        this.memorySeen = this.redis ? null : new Map();
+
+        if (this.redis) {
+            // ioredis emits 'error' events on connection / protocol failures.
+            // Without a listener, an unhandled error event crashes the Node
+            // process. lock.js owns this client but doesn't register a
+            // handler, so we register one here. Listener is attached once
+            // because dedupStore is a module-level singleton.
+            this.redis.on('error', err => {
+                logger.warn(`Webhook dedup store: Redis error (failing open): ${err.message}`);
+            });
+        } else {
+            logger.info(
+                'Webhook dedup store: Redis not available (redisLock disabled or uninitialized), using in-memory fallback (single-instance protection only)'
+            );
+        }
+    }
+
+    /**
+     * Attempt to claim a dedup key. Returns true if this is the first time the
+     * key has been seen within the TTL window (fresh delivery — proceed), or
+     * false if the key was already claimed (duplicate — reject upstream).
+     *
+     * Any infrastructure error returns true (fail-open).
+     *
+     * @method claim
+     * @param  {String} key
+     * @returns {Promise<Boolean>} true if fresh, false if duplicate
+     */
+    async claim(key) {
+        if (!this.enabled) {
+            return true;
+        }
+
+        if (this.redis) {
+            try {
+                // SET key 1 EX <ttl> NX — atomic test-and-set with TTL.
+                // Resolves to 'OK' on success, null if the key already exists.
+                const result = await this.redis.set(key, '1', 'EX', this.ttlSeconds, 'NX');
+
+                return result === 'OK';
+            } catch (err) {
+                logger.warn(`Webhook dedup store: claim failed (failing open): ${err.message}`);
+
+                return true;
+            }
+        }
+
+        // In-memory fallback path. Constructor guarantees memorySeen is set
+        // here (when enabled and lock.redis is unavailable).
+        if (this.memorySeen.has(key)) {
+            return false;
+        }
+        this.memorySeen.set(key, true);
+        setTimeout(() => this.memorySeen.delete(key), this.ttlSeconds * 1000).unref();
+
+        return true;
+    }
+}
+
+module.exports = new WebhookDedupStore();

package/plugins/webhooks/index.js

@@ -5,6 +5,7 @@ const logger = require('screwdriver-logger');
 const boom = require('@hapi/boom');
 const { ValidationError } = require('joi');
 const { startHookEvent } = require('./helper');
+const dedupStore = require('./dedupStore');
 
 const DEFAULT_MAX_BYTES = 1048576; // 1MB
 const providerSchema = joi
@@ -99,6 +100,20 @@ const webhooksPlugin = {
 
                         request.log(['webhook', hookId], `Received event type ${type}`);
 
+                        // Replay protection: dedupe identical x-github-delivery within a short window.
+                        // On duplicate, return 204 No Content with no body so the SCM stops
+                        // retrying and an attacker probing IDs cannot distinguish a seen ID from
+                        // an unseen one based on the response. The replay decision is recorded
+                        // server-side via request.log. Fail-open is handled inside dedupStore.claim().
+                        const dedupKey = `webhook:${parsed.scmContext}:${hookId}`;
+                        const fresh = await dedupStore.claim(dedupKey);
+
+                        if (!fresh) {
+                            request.log(['webhook', hookId], 'Duplicate delivery — skipping (replay protection)');
+
+                            return h.response().code(204);
+                        }
+
                         if (queueWebhookEnabled) {
                             parsed.token = request.server.plugins.auth.generateToken({
                                 scope: ['sdapi']