Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-34350

CSRF protection breaks POST to notifyCommit URL (GET is OK)

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: git-plugin
    • Labels:
      None
    • Environment:
      Jenkins LTS 1.651.1
    • Similar Issues:

      Description

      CSRF breaks general commit hook actions, not just for Plugins. Since Kohsuke added the http://jenkins/git/notifyCommit?url= action to trigger a polling event, this kind of action is used generically outside of Github Plugin, e.g. projects using something other than Github. In my case, Gitlab, which has push hooks to generically trigger remote URLs.

      CSRF should have an exclusion for /git/notifyCommit

      See http://kohsuke.org/2011/12/01/polling-must-die-triggering-jenkins-builds-from-a-git-hook/
      See JENKINS-20140
      See JENKINS-10263

        Attachments

          Activity

          Hide
          danielbeck Daniel Beck added a comment -

          There's a CrumbExclusion extension point to handle exactly this case. Are you saying it doesn't work? Or why are you filing an issue with a Git Plugin URL against core?

          Show
          danielbeck Daniel Beck added a comment - There's a CrumbExclusion extension point to handle exactly this case. Are you saying it doesn't work? Or why are you filing an issue with a Git Plugin URL against core?
          Hide
          danielbeck Daniel Beck added a comment -

          Reassigned to Git Plugin as requested by jieryn

          Show
          danielbeck Daniel Beck added a comment - Reassigned to Git Plugin as requested by jieryn
          Hide
          markewaite Mark Waite added a comment - - edited

          I don't see any failure related to honoring http requests submitted to Jenkins through http://debian8.markwaite.net:8080/git/notifyCommit?url=myrepo . The fix seems simple enough, but I'd really like to see the code fail before I apply a fix.

          Steps I used to try to duplicate the problem:

          1. Run jenkins 2.0 from docker commit e77dae5
            docker run -p 8080:8080 -p 50000:50000 jenkins
            
          2. Install only the git plugin (assuming other plugins might inadvertently provide a CrumbExclusion)
          3. Configure a job which uses a git repo and polls SCM with no schedule
          4. Use curl to "prod" that server
            curl -s http://debian8.markwaite.net:8080/git/notifyCommit?url=git://mark-pc1.markwaite.net/git/mwaite/bin.git
            

          When I do that, the job is consistently started the first time (no build available), and on each change that I make to the test repository after I run that curl command. As far as I can tell, CSRF for the git/notfiyCommit is already excluded for Jenkins 2.0.

          Same behavior was seen with Jenkins 1.651.1 when I tested it.

          Show
          markewaite Mark Waite added a comment - - edited I don't see any failure related to honoring http requests submitted to Jenkins through http://debian8.markwaite.net:8080/git/notifyCommit?url=myrepo . The fix seems simple enough, but I'd really like to see the code fail before I apply a fix. Steps I used to try to duplicate the problem: Run jenkins 2.0 from docker commit e77dae5 docker run -p 8080:8080 -p 50000:50000 jenkins Install only the git plugin (assuming other plugins might inadvertently provide a CrumbExclusion) Configure a job which uses a git repo and polls SCM with no schedule Use curl to "prod" that server curl -s http: //debian8.markwaite.net:8080/git/notifyCommit?url=git://mark-pc1.markwaite.net/git/mwaite/bin.git When I do that, the job is consistently started the first time (no build available), and on each change that I make to the test repository after I run that curl command. As far as I can tell, CSRF for the git/notfiyCommit is already excluded for Jenkins 2.0. Same behavior was seen with Jenkins 1.651.1 when I tested it.
          Hide
          jieryn jieryn added a comment -

          Any chance for a rollback? Because we don't plan to migrate to 2.0 anytime soon.

          Show
          jieryn jieryn added a comment - Any chance for a rollback? Because we don't plan to migrate to 2.0 anytime soon.
          Hide
          markewaite Mark Waite added a comment - - edited

          jieryn I don't think there is anything to roll back. When I check the latest LTS release of Jenkins 1 (1.651.*), it behaved the same as Jenkins 2.0. In both cases, CSRF protection did not stop my jobs from being run when the notifyCommit was called.

          What Jenkins version are you running?

          Can you see anything different about how you're using notifyCommit in your environment, compared to how I used it in my test case (described above)?

          If you have different steps which show the failure, please include them in a comment and reopen this bug.

          Show
          markewaite Mark Waite added a comment - - edited jieryn I don't think there is anything to roll back. When I check the latest LTS release of Jenkins 1 (1.651.*), it behaved the same as Jenkins 2.0. In both cases, CSRF protection did not stop my jobs from being run when the notifyCommit was called. What Jenkins version are you running? Can you see anything different about how you're using notifyCommit in your environment, compared to how I used it in my test case (described above )? If you have different steps which show the failure, please include them in a comment and reopen this bug.
          Hide
          danielbeck Daniel Beck added a comment -

          What container is this running on? IIRC I've seen a case of a borked Tomcat config before that caused something similar to break.

          Show
          danielbeck Daniel Beck added a comment - What container is this running on? IIRC I've seen a case of a borked Tomcat config before that caused something similar to break.
          Hide
          ydubreuil Yoann Dubreuil added a comment -

          I was able to reproduce this on a vanilla 2.4 Jenkins install with just git plugin installed. Posting anything /git/notifyCommit fails with a CSRF error, I tried with that:

          curl -X POST http://localhost:8080/git/notifyCommit?url=http://example.org

          I was not able to find the CrumbExclusion filter you mentioned in the initial comment in Git Plugin code. Seems to be that notifications only work if sent through GET requests.

          Show
          ydubreuil Yoann Dubreuil added a comment - I was able to reproduce this on a vanilla 2.4 Jenkins install with just git plugin installed. Posting anything /git/notifyCommit fails with a CSRF error, I tried with that: curl -X POST http://localhost:8080/git/notifyCommit?url=http://example.org I was not able to find the CrumbExclusion filter you mentioned in the initial comment in Git Plugin code. Seems to be that notifications only work if sent through GET requests.
          Hide
          liskin Tomáš Janoušek added a comment -

          This is still reproducible with POST requests. This might help: https://github.com/jenkinsci/git-plugin/pull/491 (inspired by github-plugin)

          Show
          liskin Tomáš Janoušek added a comment - This is still reproducible with POST requests. This might help: https://github.com/jenkinsci/git-plugin/pull/491  (inspired by github-plugin)
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Tomas Janousek
          Path:
          src/main/java/hudson/plugins/git/GitStatusCrumbExclusion.java
          http://jenkins-ci.org/commit/git-plugin/8ac8cc9e89809132355d701586babb9c19f1b88c
          Log:
          JENKINS-34350 Fix POST to /git/notifyCommit with CSRF protection on

          Inspired by
          https://github.com/jenkinsci/github-plugin/commit/5c2a04169171cb8e36da7ba39c4003aa318c74cb

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Tomas Janousek Path: src/main/java/hudson/plugins/git/GitStatusCrumbExclusion.java http://jenkins-ci.org/commit/git-plugin/8ac8cc9e89809132355d701586babb9c19f1b88c Log: JENKINS-34350 Fix POST to /git/notifyCommit with CSRF protection on Inspired by https://github.com/jenkinsci/github-plugin/commit/5c2a04169171cb8e36da7ba39c4003aa318c74cb
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Tomas Janousek
          Path:
          src/test/java/hudson/plugins/git/GitStatusCrumbExclusionTest.java
          http://jenkins-ci.org/commit/git-plugin/509e137bda520ccba3032ed66a08e5f7be2b5c45
          Log:
          JENKINS-34350 Add test for crumb exclusion on /git/notifyCommit

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Tomas Janousek Path: src/test/java/hudson/plugins/git/GitStatusCrumbExclusionTest.java http://jenkins-ci.org/commit/git-plugin/509e137bda520ccba3032ed66a08e5f7be2b5c45 Log: JENKINS-34350 Add test for crumb exclusion on /git/notifyCommit
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Mark Waite
          Path:
          src/main/java/hudson/plugins/git/GitStatusCrumbExclusion.java
          src/test/java/hudson/plugins/git/GitStatusCrumbExclusionTest.java
          http://jenkins-ci.org/commit/git-plugin/fd68967a4cb08ecfbcad47dce47943851f247bbf
          Log:
          Merge pull request #491 from liskin/JENKINS-34350-notifycommit-csrf

          JENKINS-34350 Fix POST to /git/notifyCommit with CSRF protection on

          Compare: https://github.com/jenkinsci/git-plugin/compare/bc51d2790091...fd68967a4cb0

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Mark Waite Path: src/main/java/hudson/plugins/git/GitStatusCrumbExclusion.java src/test/java/hudson/plugins/git/GitStatusCrumbExclusionTest.java http://jenkins-ci.org/commit/git-plugin/fd68967a4cb08ecfbcad47dce47943851f247bbf Log: Merge pull request #491 from liskin/ JENKINS-34350 -notifycommit-csrf JENKINS-34350 Fix POST to /git/notifyCommit with CSRF protection on Compare: https://github.com/jenkinsci/git-plugin/compare/bc51d2790091...fd68967a4cb0
          Hide
          markewaite Mark Waite added a comment -

          Fixed in git plugin 3.3.1 released 23 Jun 2017

          Show
          markewaite Mark Waite added a comment - Fixed in git plugin 3.3.1 released 23 Jun 2017

            People

            • Assignee:
              Unassigned
              Reporter:
              jieryn jieryn
            • Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: