Jenkins / JENKINS-33878

"Push notification from repository" does not work unless "Prevent Cross Site Request Forgery exploits" is disabled

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Component/s: git-plugin
    • Labels: None

      Description

      This is very parallel to JENKINS-20140, but for the git-plugin. It might be that even the solution is very similar, which is implementing a CrumbExclusion:
      https://github.com/jenkinsci/github-plugin/commit/5c2a04169171cb8e36da7ba39c4003aa318c74cb

      I'm using 2.3.1 of the git-plugin and version 1.596.2 of Jenkins. Yes, I know this is quite old; however, the issue is with the git-plugin, which is not that much newer (currently 2.3.5).

      Some comments/confirmations would be fine. Maybe even some implementation hints so that I can fix that myself.

        Attachments

          Activity

          markewaite Mark Waite added a comment -

          I can't duplicate the problem you're reporting. I enabled CSRF protection using the default crumb issuer with Jenkins 1.643.3, git client plugin 1.19.6 and git plugin 2.4.4, then confirmed that I was still able to use the notifyCommit URL (http://localhost:8080/notifyCommit?url=my-url-to-git-repo) to trigger new builds.

          The git plugin wiki page mentions "Push notification from repository" and then describes how the notifyCommit URL is used to start builds without requiring that Jenkins poll the remote repository. That's what I tested and confirmed is working as I expected.

          Is there a proxy between your Jenkins server and the server that is generating the HTTP requests to the notifyCommit URL? If so, then you may need to check the proxy support box on the CSRF configuration.

          I also don't understand your comment:

          Yes, i know this is quite old however the issue is with the gitplugin which is not that much newer (currently 2.3.5)

          The latest version of the git plugin is 2.4.4. Any idea why you're not seeing more recent versions of the plugin? Are you using a private update center, or some other technique that prevents you from seeing the latest plugins?

          k9ert Kim Neunert added a comment -

          I should have been more specific. The issue occurs if you do a POST request. Something like this:

          $ curl -X POST http://somejenkins.somewhere/git/notifyCommit\?url\=ssh://git@some.stash.repo:7999/dist/somerepo.git
          <html>
          <head>
          <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
          <title>Error 403 No valid crumb was included in the request</title>
          </head>
          <body><h2>HTTP ERROR 403</h2>
          <p>Problem accessing /git/notifyCommit. Reason:
          <pre>    No valid crumb was included in the request</pre></p><hr /><i><small>Powered by Jetty://</small></i><br/>
          <br/>
          <br/>
          <br/>
          <br/>
          <br/>
          <br/>
          <br/>
          <br/>
          <br/>
          <br/>
          <br/>
          <br/>
          <br/>
          <br/>
          <br/>
          <br/>
          <br/>
          <br/>
          <br/>

          </body>
          </html>
          $


          The HTTP method seems to make a difference for some reason:
          https://github.com/jenkinsci/jenkins/blob/4107d86328e907a34e23b09f21cd86340ae137ea/core/src/main/java/hudson/security/csrf/CrumbFilter.java#L56

          And unfortunately, Atlassian Stash's implementation of webhooks is using POST, not GET.

          k9ert Kim Neunert added a comment - edited
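          The comment above points at CrumbFilter only checking POST requests, and the description points at the github-plugin's CrumbExclusion as a likely fix. The following is an added example, not code from the git-plugin or from this issue, of what such a CrumbExclusion for the /git/notifyCommit endpoint would look like. The Jenkins extension point (hudson.security.csrf.CrumbExclusion with @hudson.Extension) is the real one used by the linked github-plugin commit; the package name, the class name and the helper isExcluded are assumptions made for this example.

```java
// Added example (hypothetical package and class names): let POST requests to
// /git/notifyCommit bypass the CSRF crumb check, in the style of the github-plugin's
// CrumbExclusion linked in the issue description.
package org.example.jenkins.git;   // assumption: not a real git-plugin package

import hudson.Extension;
import hudson.security.csrf.CrumbExclusion;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Extension
public class GitNotifyCommitCrumbExclusion extends CrumbExclusion {

    // Path of the endpoint relative to the Jenkins context root, as seen in
    // the 403 above ("Problem accessing /git/notifyCommit").
    static final String EXCLUDED_PATH = "/git/notifyCommit";

    @Override
    public boolean process(HttpServletRequest req, HttpServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (isExcluded(req.getPathInfo(), req.getMethod())) {
            chain.doFilter(req, resp);   // continue the chain without a crumb check
            return true;                 // tell CrumbFilter this request is handled
        }
        return false;                    // everything else gets the normal crumb check
    }

    // Matching rule kept separate so it can be unit-tested without a servlet container.
    // Exact path match (with or without trailing slash), never startsWith: an
    // exclusion must not accidentally cover other URLs that share the prefix.
    // Only POST is listed because GET never reaches the crumb check anyway.
    static boolean isExcluded(String pathInfo, String method) {
        if (pathInfo == null || !"POST".equals(method)) {
            return false;
        }
        String path = pathInfo.endsWith("/")
                ? pathInfo.substring(0, pathInfo.length() - 1)
                : pathInfo;
        return EXCLUDED_PATH.equals(path);
    }
}
```

          Two caveats a reviewer would want stated. First, an exclusion removes CSRF protection only for the listed path, so it must match exactly; a prefix match would silently exempt any future endpoint under the same prefix. Second, since CrumbFilter already lets GET requests to the same URL through without a crumb, excluding POST does not widen what a cross-site request can trigger here; what the endpoint does without a crumb is still bounded by what notifyCommit itself does, which is schedule polling for jobs that already reference the given repository URL rather than run an arbitrary build.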

          I just tested the Bitbucket Webhook to Jenkins, which probably does a "proper" GET request.
          https://marketplace.atlassian.com/plugins/com.nerdwin15.stash-stash-webhook-jenkins/server/overview

          This fixes it for me. So eventually, this is caused by a misuse of the POST request.

          Not sure what a proper resolution of this script is, feel free to close.


            People

            • Assignee: Unassigned
            • Reporter: k9ert Kim Neunert
            • Votes: 0
            • Watchers: 2