jenkins: whitelist IPs allowed to push status changes (#142)

phillipj · web-flow · commit e2d989e5e78b · 2017-07-14T22:29:37.000+02:00
This is needed to ensure not everyone on the internet can push an inline
status to any PR if they know the bot URL.
diff --git a/README.md b/README.md
@@ -18,6 +18,8 @@ See [CONTRIBUTING.md](CONTRIBUTING.md).
   The webhook secret that GitHub signs the POSTed payloads with. This is created when the webhook is defined. The default is `hush-hush`.
 - **`TRAVIS_CI_TOKEN`**<br>
   For scripts that communicate with Travis CI. Your Travis token is visible on [yourprofile](https://travis-ci.org/profile) page, by clicking the "show token" link. Also See: https://blog.travis-ci.com/2013-01-28-token-token-token
+- **`JENKINS_WORKER_IPS`**<br>
+  List of valid Jenkins worker IPs allowed to push PR status updates, split by comma: `192.168.1.100,192.168.1.101`.
 - **`JENKINS_API_CREDENTIALS`** (optional)<br>
   For scripts that communicate with Jenkins on http://ci.nodejs.org. The Jenkins API token is visible on
   your own profile page `https://ci.nodejs.org/user/<YOUR_GITHUB_USERNAME>/configure`, by clicking the
diff --git a/scripts/jenkins-status.js b/scripts/jenkins-status.js
@@ -3,6 +3,19 @@
 const pushJenkinsUpdate = require('../lib/push-jenkins-update')
 const enabledRepos = ['citgm', 'node']
 
+const jenkinsIpWhitelist = process.env.JENKINS_WORKER_IPS ? process.env.JENKINS_WORKER_IPS.split(',') : []
+
+function isJenkinsIpWhitelisted (req) {
+  const ip = req.connection.remoteAddress
+
+  if (jenkinsIpWhitelist.length && !jenkinsIpWhitelist.includes(ip)) {
+    req.log.warn({ ip }, 'Ignoring, not allowed to push Jenkins updates')
+    return false
+  }
+
+  return true
+}
+
 module.exports = function (app) {
   app.post('/:repo/jenkins/start', (req, res) => {
     const isValid = pushJenkinsUpdate.validate(req.body)
@@ -16,6 +29,10 @@ module.exports = function (app) {
       return res.status(400).end('Invalid repository')
     }
 
+    if (!isJenkinsIpWhitelisted(req)) {
+      return res.status(401).end('Invalid Jenkins IP')
+    }
+
     pushJenkinsUpdate.pushStarted({
       owner: 'nodejs',
       repo,
@@ -37,6 +54,10 @@ module.exports = function (app) {
       return res.status(400).end('Invalid repository')
     }
 
+    if (!isJenkinsIpWhitelisted(req)) {
+      return res.status(401).end('Invalid Jenkins IP')
+    }
+
     pushJenkinsUpdate.pushEnded({
       owner: 'nodejs',
       repo,
