JENKINS-34350

CSRF protection breaks POST to notifyCommit URL (GET is OK)


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: git-plugin
    • Labels:
      None
    • Environment:
      Jenkins LTS 1.651.1

      Description

      CSRF breaks general commit hook actions, not just for Plugins. Since Kohsuke added the http://jenkins/git/notifyCommit?url= action to trigger a polling event, this kind of action is used generically outside of Github Plugin, e.g. projects using something other than Github. In my case, Gitlab, which has push hooks to generically trigger remote URLs.

      CSRF should have an exclusion for /git/notifyCommit

      See http://kohsuke.org/2011/12/01/polling-must-die-triggering-jenkins-builds-from-a-git-hook/
      See JENKINS-20140
      See JENKINS-10263
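The exclusion the description asks for is, in Jenkins terms, a CrumbExclusion extension: the CSRF filter consults every registered exclusion before demanding a crumb, and an exclusion that handles the request itself makes the filter step aside. The class below is an added example of that pattern, not the git-plugin's own GitStatusCrumbExclusion; it assumes Jenkins core's hudson.security.csrf.CrumbExclusion extension point and the javax.servlet API Jenkins bundles, and the class and path-check helper names are illustrative.

```java
// Added example: a Jenkins CrumbExclusion that lets a webhook POST to
// /git/notifyCommit through CSRF protection. Illustrative code, not the
// git-plugin's own implementation. Assumes hudson.security.csrf.CrumbExclusion
// and the javax.servlet API bundled with Jenkins.
package example.hooks;

import hudson.Extension;
import hudson.security.csrf.CrumbExclusion;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Extension
public class NotifyCommitCrumbExclusion extends CrumbExclusion {

    /** The single path this exclusion covers; any other POST still needs a crumb. */
    static final String EXCLUDED_PATH = "/git/notifyCommit";

    @Override
    public boolean process(HttpServletRequest req, HttpServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (isExcluded(req.getPathInfo())) {
            // Hand the request straight down the filter chain, bypassing the
            // crumb check, and tell the CSRF filter we handled it.
            chain.doFilter(req, resp);
            return true;
        }
        // Not ours: the normal crumb validation applies.
        return false;
    }

    /**
     * Exact match on the servlet path info, deliberately not a prefix match,
     * so that "/git/notifyCommitSomethingElse" or a longer path under /git/
     * does not inherit the exemption. Package-private so a unit test can
     * call it without a servlet container.
     */
    static boolean isExcluded(String pathInfo) {
        return EXCLUDED_PATH.equals(pathInfo);
    }
}
```

Registered as an @Extension, this makes a POST to /git/notifyCommit?url=... pass without a crumb while every other POST is still checked. Two points a practitioner should keep in mind: an exclusion removes the CSRF guard from that path, so it is only defensible for an endpoint whose worst case from a cross-site request is harmless, which holds for notifyCommit because it only affects jobs already configured against the given repository URL; and the match should stay exact rather than prefix-based. A hook that cannot rely on the exclusion can instead fetch a crumb from /crumbIssuer/api/json and send it in the header the issuer names (Jenkins-Crumb by default); on Jenkins versions that bind the crumb to the HTTP session, the hook must also send that session's cookie with the POST.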

          Activity

          liskin Tomáš Janoušek added a comment -

          This is still reproducible with POST requests. This might help: https://github.com/jenkinsci/git-plugin/pull/491 (inspired by github-plugin)

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Tomas Janousek
          Path:
          src/main/java/hudson/plugins/git/GitStatusCrumbExclusion.java
          http://jenkins-ci.org/commit/git-plugin/8ac8cc9e89809132355d701586babb9c19f1b88c
          Log:
          JENKINS-34350 Fix POST to /git/notifyCommit with CSRF protection on

          Inspired by
          https://github.com/jenkinsci/github-plugin/commit/5c2a04169171cb8e36da7ba39c4003aa318c74cb

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Tomas Janousek
          Path:
          src/test/java/hudson/plugins/git/GitStatusCrumbExclusionTest.java
          http://jenkins-ci.org/commit/git-plugin/509e137bda520ccba3032ed66a08e5f7be2b5c45
          Log:
          JENKINS-34350 Add test for crumb exclusion on /git/notifyCommit

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Mark Waite
          Path:
          src/main/java/hudson/plugins/git/GitStatusCrumbExclusion.java
          src/test/java/hudson/plugins/git/GitStatusCrumbExclusionTest.java
          http://jenkins-ci.org/commit/git-plugin/fd68967a4cb08ecfbcad47dce47943851f247bbf
          Log:
          Merge pull request #491 from liskin/JENKINS-34350-notifycommit-csrf

          JENKINS-34350 Fix POST to /git/notifyCommit with CSRF protection on

          Compare: https://github.com/jenkinsci/git-plugin/compare/bc51d2790091...fd68967a4cb0

          markewaite Mark Waite added a comment -

          Fixed in git plugin 3.3.1 released 23 Jun 2017


            People

            • Assignee: Unassigned
            • Reporter: jieryn
            • Votes: 0
            • Watchers: 6
