Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Not A Defect
    • Component/s: core
    • Environment:
      Jenkins 1.620 with nginx as proxy, SSL enabled.

      Description

      When trying to configure a new job, adding a new parameter using the drop-down results in a 403 error message being returned:

      403 No valid crumb was included in the request

      The logs show:

      WARNING: Found invalid crumb <CRUMB_ID>, <CRUMB_ID>. Will check remaining parameters for a valid one...
      Aug 14, 2015 5:32:06 PM hudson.security.csrf.CrumbFilter doFilter
      WARNING: No valid crumb was included in request for /jenkins//$stapler/bound/dd7670cf-db32-481d-b6f3-6fcdfde6e658/render. Returning 403.

      Curiously, when examining the request headers, the crumb is actually being duplicated:

      Crumb:<CRUMB_ID>, <CRUMB_ID>

      This is what the logs indicate as well, and Jenkins claims it's invalid.

      Steps to replicate:

      1. Go to the configuration of a job.
      2. Click on a drop-down like "Add Parameter".
      3. Choose a param type, and check the request in the network dev tools.

      At the same time, this setup is also running into this bug when deleting projects:

      https://issues.jenkins-ci.org/browse/JENKINS-18032

      Not sure if they are related.

          Activity

          danielbeck Daniel Beck added a comment -

          Michael Warkentin: No idea. Maybe a plugin you installed? A user-script in your browser?

          dzwarg David Zwarg added a comment -

          Encountering the same problem. "deadbeef" is the sanitized version of my crumb in all cases below.

          I'm using Postman to test requests. In one tab, I get a crumb:

          GET https://(jenkins)/crumbIssuer/api/xml?xpath=//crumb
          
          ---
          <crumb>deadbeef</crumb>
          

          Then I use that identical crumb to issue a request (in this case, to a pipeline input):

          POST https://(jenkins)/job/(pipeline name)/(job number)/input/(input id)/submit
          Jenkins-Crumb=deadbeef
          
          proceed=Proceed
          
          ---
          HTTP 403
          Title: Error 403 No valid crumb was included in the request
          

          And I can verify that the crumb is being passed through all proxies to get there. In the logs, I can see the crumb:

          Nov 18, 2016 2:35:36 PM WARNING hudson.security.csrf.CrumbFilter doFilter
          Found invalid crumb deadbeef.  Will check remaining parameters for a valid one...
          Nov 18, 2016 2:35:36 PM WARNING hudson.security.csrf.CrumbFilter doFilter
          No valid crumb was included in request for /job/(pipeline name)/(job number)/input/(input id)/submit. Returning 403.
          

          I can verify that if I omit the crumb, the error doesn't mention anything about invalid crumbs:

          Nov 18, 2016 2:38:26 PM WARNING hudson.security.csrf.CrumbFilter doFilter
          No valid crumb was included in request for /job/(pipeline name)/(job number)/input/(input id)/submit. Returning 403.
          

          Please advise.

          dzwarg David Zwarg added a comment -

          Okay, I hope this will help someone in the future. After much experimentation (and red herrings by reading the logs), I discovered that I had to log in with my credentials (using Basic Auth) to make the request work. Also, I needed to submit it like a form, not url encoded. The full request that worked is:

          POST /job/(job name)/(job number)/input/(input id)/proceedEmpty HTTP/1.1
          Host: (jenkins)
          Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBUILDR4EVA
          Jenkins-Crumb: deadbeef
          Authorization: Basic (encoded "username:password")
          
          ------WebKitFormBoundaryBUILDR4EVA
          Content-Disposition: form-data; name="proceed"
          
          Proceed
          ------WebKitFormBoundaryBUILDR4EVA
          
          sajjsfarahani Sajj Farahani added a comment -

          I still have this issue. Any idea how I may fix this? I saw David Zwarg's response. However, I am new to Jenkins and that response does not make much sense to me. Any assistance will be greatly appreciated.

          danielbeck Daniel Beck added a comment -

          Michael Warkentin's problem was a custom crumb name.

          David Zwarg's seems to be that he's using a user-specific crumb as a different user (anonymous), basically showing that the protection works as intended.

          Given the age of this issue, and the multiple issues brought up in the comments, please leave this issue closed and just file a new one if you encounter crumb-related issues. Thanks.

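The two explanations in the final comment (a crumb fetched under one identity being presented by another, and a header value that arrives duplicated) and David Zwarg's working request both come down to the same property: a crumb is only valid for the identity and session it was issued to, and the presented value must match byte for byte. The Python below is an added illustration, not code from the ticket or from Jenkins itself; it is a constructed model of a user- and session-bound crumb (HMAC-SHA256 over "user;session" with a server-side salt, an assumed construction that is not Jenkins's DefaultCrumbIssuer), with constructed user and session identifiers, and it replays each situation reported in the thread against that model.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Server-side secret for the constructed model: generated once per server and
# never sent to clients. (Assumption: a real issuer persists its salt across restarts.)
SERVER_SALT = secrets.token_bytes(32)


def issue_crumb(user_id: str, session_id: str) -> str:
    """Issue a crumb bound to the identity and session that requested it (model)."""
    material = f"{user_id};{session_id}".encode()
    return hmac.new(SERVER_SALT, material, hashlib.sha256).hexdigest()


def validate_crumb(user_id: str, session_id: str, presented: Optional[str]) -> Tuple[bool, str]:
    """Recompute the crumb for the identity making *this* request and compare.

    Returns (accepted, log_message). The messages mirror the two CrumbFilter
    log lines quoted in the ticket: a wrong crumb is reported as invalid, a
    missing crumb only as absent.
    """
    if presented is None:
        return False, "No valid crumb was included in request. Returning 403."
    expected = issue_crumb(user_id, session_id)
    if hmac.compare_digest(expected, presented):
        return True, "crumb accepted"
    return False, f"Found invalid crumb {presented}. Will check remaining parameters for a valid one..."


def fold_header_values(values: List[str]) -> str:
    """Combine repeated occurrences of one header field the way HTTP clients and
    proxies may (RFC 7230 section 3.2.2): a single field joined with ', '."""
    return ", ".join(values)


def scenarios() -> dict:
    """Replay the situations from the thread; keys name the situation, values are the outcome."""
    results = {}

    # 1. Normal browser use: crumb issued and submitted by the same user in the same session.
    crumb = issue_crumb("hany", "session-A")
    results["same_user_same_session"] = validate_crumb("hany", "session-A", crumb)[0]

    # 2. Daniel Beck's reading of the Postman flow: a user-specific crumb presented
    #    by a different identity (anonymous), or by the same user from a new session.
    user_crumb = issue_crumb("dzwarg", "session-B")
    results["user_crumb_submitted_anonymously"] = validate_crumb("anonymous", "session-B", user_crumb)[0]
    results["user_crumb_new_session"] = validate_crumb("dzwarg", "session-C", user_crumb)[0]

    # 3. The reporter's duplicated header: the filter sees "<crumb>, <crumb>", which
    #    is not the issued value, so it is logged exactly as an invalid crumb.
    folded = fold_header_values([crumb, crumb])
    results["duplicated_header"] = validate_crumb("hany", "session-A", folded)[0]

    # 4. Crumb omitted entirely: still a 403, but the log does not call any crumb invalid.
    _, msg = validate_crumb("hany", "session-A", None)
    results["omitted_crumb_logged_as_invalid"] = "invalid crumb" in msg

    # 5. The working request: crumb obtained and submitted under the same
    #    authenticated identity and session.
    results["authenticated_both_steps"] = validate_crumb("dzwarg", "session-B", user_crumb)[0]
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:36s} {outcome}")
```

The practical reading for anyone scripting against a crumb-protected endpoint is the one David arrived at: fetch the crumb and submit the request with the same credentials and the same session cookie, and make sure the crumb header is sent exactly once, since a proxy or client library that repeats a header turns a valid token into "value, value".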

            People

            • Assignee: Unassigned
            • Reporter: hany Hany Fahim
            • Votes: 4
            • Watchers: 8