Jenkins / JENKINS-10263

Github Trigger URL returns 403



      Description

      Note: I filed this under 'core' because the component in Jira for 'github' doesn't seem to exist, despite the wiki page querying it.

      What happens:

      I set up "Trigger a build when a change is pushed to GitHub". It creates the URL, etc. correctly on github.

      However, if I click "test" I get this error message in my tomcat log:

      ==> catalina.out <==
      Jul 8, 2011 12:17:04 PM hudson.security.csrf.CrumbFilter doFilter
      WARNING: No valid crumb was included in request for /jenkins/github-webhook/. Returning 403.

      Even though I have pushed changes, no builds have been triggered.

      Ciao!


            Activity

            docwhat Christian Höltje created issue -
            sogabe sogabe added a comment -

            Workaround: disable "Prevent Cross Site Request Forgery exploits".

            docwhat Christian Höltje added a comment -

            I can confirm sogabe's workaround.

            sogabe sogabe made changes -
            Field | Original Value | New Value
            Link | (none) | This issue is duplicated by JENKINS-10262 [ JENKINS-10262 ]
            aheritier Arnaud Héritier added a comment -

            In the documentation there is also this:

            Step 2. Open "Manage Jenkins > Configure Global Security" page and make sure that "Grant READ permissions for /github-webhook" is enabled in the "GitHub Authorization Settings" section

            But I don't find such an option.

            Nothing in the Global Security page or in the Configuration page of Jenkins.
            jglick Jesse Glick added a comment -

            Permissions have nothing to do with it; this is a crumb check. Probably this plugin needs to implement a CrumbExclusion, if it expects an anonymous service with no knowledge of Jenkins to POST to its endpoint.

            aheritier Arnaud Héritier added a comment -

            I updated the component to add github (I didn't check who is maintaining it). I confirm that disabling the crumb filter solves the issue, but it is dangerous...
            aheritier Arnaud Héritier made changes -
            Component/s github [ 15896 ]
            danielbeck Daniel Beck added a comment -

            Not a core issue.

            danielbeck Daniel Beck made changes -
            Component/s core [ 15593 ]
            jglick Jesse Glick added a comment -

            I wonder if it makes sense for there to be an implicit CrumbExclusion for any UnprotectedRootAction. Or if the crumb filter could safely be relaxed to ignore requests carrying either no authentication (in which case presumably the request cannot be doing anything harmful), or BASIC authentication using the API token (which presumably would not be loaded into browser credentials and available for malicious scripts). Probably someone more expert in web security needs to weigh in on this.

            fbelzunc Félix Belzunce Arcos added a comment -

            This is an old issue from 08/Jul/11.

            More recent versions of the GitHub plugin have GitHubWebHookCrumbExclusion.java to avoid this issue. The feature was added on Oct 24, 2013.

            • Shouldn't we close this issue?
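As an added illustration of the CrumbExclusion approach Jesse Glick suggests above and that the later GitHubWebHookCrumbExclusion.java comment says the plugin adopted, here is the shape such an extension point takes. This is example code, not the GitHub plugin's or Jenkins core's own source; the package and class names are hypothetical, and it assumes the webhook endpoint is served at /github-webhook/ as in the log line from the description.

```java
package example.webhook; // hypothetical package, not the plugin's

import hudson.Extension;
import hudson.security.csrf.CrumbExclusion;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Exempts exactly one endpoint from the CSRF crumb check so that an
 * external service with no knowledge of Jenkins (GitHub's webhook
 * delivery) can POST to it. Every other request still needs a crumb,
 * which is why this is preferable to disabling the global
 * "Prevent Cross Site Request Forgery exploits" option.
 */
@Extension
public class WebhookCrumbExclusion extends CrumbExclusion {

    // Servlet path of the endpoint, without the context path: the log in
    // this issue shows "/jenkins/github-webhook/", but getPathInfo() does
    // not include the "/jenkins" context prefix.
    private static final String EXCLUSION_PATH = "/github-webhook/";

    @Override
    public boolean process(HttpServletRequest req, HttpServletResponse resp,
                           FilterChain chain) throws IOException, ServletException {
        String pathInfo = req.getPathInfo();
        // Exact match only: a prefix match would silently widen the exemption
        // to anything beneath the webhook path. Webhook deliveries are POSTs,
        // so other methods are left to the normal filter as well.
        if (pathInfo != null && pathInfo.equals(EXCLUSION_PATH)
                && "POST".equalsIgnoreCase(req.getMethod())) {
            chain.doFilter(req, resp); // continue without requiring a crumb
            return true;               // tells CrumbFilter this request is handled
        }
        return false;                  // not ours: CrumbFilter enforces the crumb
    }
}
```

The endpoint itself must still validate what it receives (for example a GitHub payload signature), since a crumb exclusion only removes the CSRF check, not the need for the handler to authenticate the caller.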
            jglick Jesse Glick added a comment -

            If you can confirm that the issue existed but was since fixed, then go ahead and close as Fixed (or Duplicate, if you can find an original tracking issue).

            lanwen Kirill Merkushev made changes -
            Status Open [ 1 ] Closed [ 6 ]
            Resolution Fixed [ 1 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 140451 ] JNJira + In-Review [ 205213 ]

              People

              • Assignee: Unassigned
              • Reporter: docwhat Christian Höltje