JENKINS-34350

CSRF protection breaks POST to notifyCommit URL (GET is OK)

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: git-plugin
    • Environment: Jenkins LTS 1.651.1

      Description

      CSRF breaks general commit hook actions, not just for Plugins. Since Kohsuke added the http://jenkins/git/notifyCommit?url= action to trigger a polling event, this kind of action is used generically outside of Github Plugin, e.g. projects using something other than Github. In my case, Gitlab, which has push hooks to generically trigger remote URLs.

      CSRF should have an exclusion for /git/notifyCommit

      See http://kohsuke.org/2011/12/01/polling-must-die-triggering-jenkins-builds-from-a-git-hook/
      See JENKINS-20140
      See JENKINS-10263

          Activity

          jieryn jieryn created issue -
          danielbeck Daniel Beck made changes -
          Field Original Value New Value
          Component/s git-plugin [ 15543 ]
          Component/s core [ 15593 ]
          danielbeck Daniel Beck made changes -
          Assignee Mark Waite [ markewaite ]
          markewaite Mark Waite made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Resolution Cannot Reproduce [ 5 ]
          markewaite Mark Waite made changes -
          Comment [ It appears that the recommendation from [~jglick] in a [comment|https://issues.jenkins-ci.org/browse/JENKINS-10263?focusedCommentId=210374&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-210374] to JENKINS-10263 was implemented in Jenkins 2.0 and in Jenkins 1.651.1 to cause all 'UnprotectedRootAction' to automatically have a CrumbExclusion.

          I tried the same steps with Jenkins 1.651.1 and was able to confirm that the request to git/notifyCommit is honored if CSRF protection is enabled. The steps I took to show the problem with Jenkins 1.651.1 were:

          # Run jenkins 1.651.1 from docker
          {code}
          docker run -p 8080:8080 -p 50000:50000 jenkins:1.651.1
          {code}
          # Enable CSRF protection from "Manage Jenkins", "Configure Global Security", "Prevent Cross Site Request Forgery exploits", and enable "Default crumb issuer"
          # Configure a job which uses a git repo and has "Poll SCM" enabled with no schedule
          # Use curl to "prod" that server
          {code}
          curl -s http://debian8:8080/git/notifyCommit?url=git://mark-pc1.markwaite.net/git/mwaite/bin.git
          {code}
          # Confirmed that the job ran even though CSRF protection was enabled

          When I do that, the job starts on initial poll (before the job exists) and on changes to the repository (so long as the notifyCommit is called). ]
          markewaite Mark Waite made changes -
          Comment [ It appears that the recommendation from [~jglick] in a [comment|https://issues.jenkins-ci.org/browse/JENKINS-10263?focusedCommentId=210374&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-210374] to JENKINS-10263 was implemented in Jenkins 2.0 to cause all 'UnprotectedRootAction' to automatically have a CrumbExclusion.

          I tried the same steps with Jenkins 1.651.1 and was able to confirm that the request to git/notifyCommit is ignored if CSRF protection is enabled. The steps I took to show the problem with Jenkins 1.651.1 were:

          # Run jenkins 1.651.1 from docker
          {code}
          docker run -p 8080:8080 -p 50000:50000 jenkins:1.651.1
          {code}
          # Enable CSRF protection from "Manage Jenkins", "Configure Global Security", "Prevent Cross Site Request Forgery exploits", and enable "Default crumb issuer"
          # Configure a job which uses a git repo and has "Poll SCM" enabled with no schedule
          # Use curl to "prod" that server
          {code}
          curl -s http://debian8:8080/git/notifyCommit?url=git://mark-pc1.markwaite.net/git/mwaite/bin.git
          {code}

          When I do that, the job does not start. ]
          markewaite Mark Waite made changes -
          Comment [ [~ydubreuil] that is the first I've seen anyone use a POST with the notifyCommit URL. That URL seems (at least to me) like a clear use of GET. Is there a specific reason you used -X POST instead of using the curl defaults?

          You're correct that there is no CrumbExclusion in the git plugin. I didn't find one when I looked, and didn't add one. I wanted to confirm that it would be useful and have the desired effect before I added one. I couldn't find any case where the notifyCommit URL was rejected for lack of a crumb. It uses GET in the original blog posting, and in all the examples I've seen except yours. ]
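          For reference, an illustrative example of the kind of exclusion this issue asks for, written for this page and not taken from the git plugin's own source: a Jenkins CrumbExclusion that exempts only the exact /git/notifyCommit path from crumb validation, so a POST from a push hook is accepted while every other POST keeps CSRF protection. The package and class names are assumptions.

```java
package org.example.gitnotify; // hypothetical package, not the git plugin's

import hudson.Extension;
import hudson.security.csrf.CrumbExclusion;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * Example only (not the git plugin's real code): exempts the notifyCommit
 * endpoint from crumb checking so that a POST push hook from GitLab or any
 * other hosting service is honored when CSRF protection is enabled.
 * The exclusion is deliberately limited to one exact path, because
 * notifyCommit only triggers SCM polling and accepts no build parameters.
 */
@Extension
public class NotifyCommitCrumbExclusion extends CrumbExclusion {

    // Path relative to the Jenkins context root.
    private static final String NOTIFY_COMMIT_PATH = "/git/notifyCommit";

    @Override
    public boolean process(HttpServletRequest req, HttpServletResponse resp,
                           FilterChain chain) throws IOException, ServletException {
        String path = req.getPathInfo();
        // Exact match, with or without a trailing slash; any other path
        // falls through and keeps the normal crumb requirement.
        if (path != null
                && (path.equals(NOTIFY_COMMIT_PATH)
                    || path.equals(NOTIFY_COMMIT_PATH + "/"))) {
            chain.doFilter(req, resp);
            return true;  // request forwarded, CrumbFilter skips validation
        }
        return false;     // CrumbFilter enforces CSRF protection as usual
    }
}
```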
          rtyler R. Tyler Croy made changes -
          Workflow JNJira [ 170444 ] JNJira + In-Review [ 198867 ]
          liskin Tomáš Janoušek made changes -
          Resolution Cannot Reproduce [ 5 ]
          Status Resolved [ 5 ] Reopened [ 4 ]
          markewaite Mark Waite made changes -
          Assignee Mark Waite [ markewaite ]
          markewaite Mark Waite made changes -
          Summary CSRF breaks generic polling skipper /git/notifyCommit?url= CSRF protection breaks POST to notifyCommit URL (GET is OK)
          markewaite Mark Waite made changes -
          Status Reopened [ 4 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          markewaite Mark Waite made changes -
          Comment [ Planned to be fixed in git plugin 3.3.1, likely released by 12 Jun 2017 ]

            People

            • Assignee: Unassigned
            • Reporter: jieryn
            • Votes: 0
            • Watchers: 6