Jenkins / JENKINS-61133

GitHub webhook override breaks CSRF exclusion


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • github-plugin
    • None
    • Jenkins 2.204.1 on Linux, Github plugin 1.29.5

      If you have CSRF checking turned on in Global Security Settings:

       

      And you have the GitHub webhook URL overridden in Jenkins Settings:

      Then each webhook payload will hit a CSRF error:

      I believe this is because the URL /github-webhook is hardcoded in GitHubWebHookCrumbExclusion.java.

            lanwen Kirill Merkushev
            ewiner Eric Winer
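The mismatch the reporter describes, modelled as an added stand-alone example (not code from the GitHub plugin): an exact-match CSRF crumb exclusion on a fixed path, next to one derived from the configured hook URL. The class and method names, the override URL and the request paths are constructed for illustration, and servlet context paths and reverse-proxy rewriting are ignored.

```java
import java.net.URI;

// Added illustration: a stand-alone model, not the plugin's implementation.
public class CrumbExclusionModel {
    // Path the report says is hardcoded in the exclusion.
    static final String DEFAULT_HOOK_PATH = "/github-webhook/";

    // Normalize so "/github-webhook" and "/github-webhook/" compare equal.
    static String normalize(String path) {
        if (path == null || path.isEmpty()) return "/";
        return path.endsWith("/") ? path : path + "/";
    }

    // Behaviour described in the report: only the fixed path skips the crumb check.
    static boolean excludedHardcoded(String requestPath) {
        return normalize(requestPath).equals(DEFAULT_HOOK_PATH);
    }

    // Hypothetical alternative: take the excluded path from the configured
    // override URL. Exact match only, so the CSRF exclusion never widens
    // to everything under a prefix.
    static boolean excludedConfigured(String requestPath, String overrideUrl) {
        String hookPath = overrideUrl == null
                ? DEFAULT_HOOK_PATH
                : normalize(URI.create(overrideUrl).getPath());
        return normalize(requestPath).equals(hookPath);
    }

    public static void main(String[] args) {
        // Constructed sample values; the override URL is a placeholder.
        String override = "https://jenkins.example.org/hooks/github";
        String[] paths = {
            "/github-webhook/",     // default endpoint
            "/hooks/github",        // overridden endpoint
            "/hooks/github/extra",  // sub-path: must still require a crumb
            "/job/x/build"          // unrelated POST target
        };
        for (String p : paths) {
            System.out.printf("%-22s hardcoded=%-5b configured=%b%n",
                    p, excludedHardcoded(p), excludedConfigured(p, override));
        }
    }
}
```

With the fixed path, a POST to the overridden endpoint is not excluded and is subject to the crumb check, which matches the error in the report. In the alternative, only the exact configured path is excluded, and sub-paths and other POST targets still require a crumb.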