Jenkins / JENKINS-37149

Gogs Webhooks fail if "Prevent Cross Site Request Forgery exploits" is enabled

      Description

      Thanks for making a plugin to support the Gogs git self-hosting service!

      When Gogs sends a webhook, it issues a POST request with a bunch of information in JSON format. With "Prevent Cross Site Request Forgery exploits" enabled in Jenkins (which is the default for new installs of Jenkins 2.x), Gogs' webhooks are blocked because they don't have a crumb associated with them.

      Would it be possible to add a CrumbExclusion similar to the one found in the Github plugin ( https://github.com/jenkinsci/github-plugin/commit/5c2a041 )? That would allow us to leave CSRF protection enabled and still get working webhooks.
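
      An added example, not code from the Gogs or GitHub plugin: a minimal CrumbExclusion of the kind requested above, exempting one webhook endpoint by exact path so that CSRF protection stays in force everywhere else. The class name, package and the /example-webhook/ path are hypothetical, and the javax.servlet imports are an assumption matching Jenkins 2.x cores of that period.

```java
package example.webhook; // hypothetical package, not the plugin's own

import hudson.Extension;
import hudson.security.csrf.CrumbExclusion;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * Lets POSTs to a single webhook URL bypass the crumb check.
 * Jenkins discovers the class through @Extension and consults it
 * before rejecting a request that carries no crumb.
 */
@Extension
public class ExampleWebHookCrumbExclusion extends CrumbExclusion {

    // Assumed endpoint path; use the URL name the webhook action really registers.
    static final String EXCLUSION_PATH = "/example-webhook/";

    @Override
    public boolean process(HttpServletRequest req, HttpServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (!isExcluded(req.getPathInfo())) {
            // Not the webhook: return false so the crumb filter keeps enforcing CSRF protection.
            return false;
        }
        // Webhook request: continue down the filter chain without a crumb.
        chain.doFilter(req, resp);
        return true;
    }

    // Exact match after normalising the trailing slash. A prefix match would
    // also exempt any other URL that merely starts with the webhook path.
    static boolean isExcluded(String pathInfo) {
        if (pathInfo == null || pathInfo.isEmpty()) {
            return false;
        }
        String normalized = pathInfo.endsWith("/") ? pathInfo : pathInfo + "/";
        return EXCLUSION_PATH.equals(normalized);
    }
}
```

      An endpoint exempted this way no longer has the crumb as a barrier, so it should validate the incoming payload on its own, for example with a shared secret configured on both sides.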

          Activity

          nrclark Nick Clark added a comment - - edited

          1.0.3 doesn't look like it works for me.

          Is it possible something got messed up in the 1.0.3 commit? GogsWebHookCrumbExclusion.java looks like it's an empty file.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Alexander Verhaar
          Path:
          src/main/java/org/jenkinsci/plugins/gogs/GogsWebHookCrumbExclusion.java
          http://jenkins-ci.org/commit/gogs-webhook-plugin/c5bec4c70f1db75e535682a6c438b301555732ad
          Log:
          [FIXED JENKINS-37149] Added CSRF protection

          sanderv43 sander v added a comment -

          Sorry for the inconvenience, but now it should be fixed in the repo and you can try to download version 1.0.4 from here.

          nrclark Nick Clark added a comment -

          1.0.4 works great! Thanks for the speedy turn-around!!

          sanderv43 sander v added a comment -

          No problem


            People

            • Assignee:
              sanderv43 sander v
              Reporter:
              nrclark Nick Clark