Problems with CSRF protection in Jenkins 2.85


marti...@nsn.com

Nov 6, 2017, 11:40:35 AM11/6/17
to Jenkins Users
Hello,

after the update to Jenkins 2.85, CI now "complains":
"You have not configured the CSRF issuer. This could be a security issue. For more information, please refer to this page.
You can change the current configuration using the Security section CSRF Protection."

So I tried to enable the CSRF protection. But now I fail to get my 'wget'-calls to the API to work with it.

How do I need to hand the crumb (in what format) to a wget call, e.g. to upload a job file to my CI?

Here is what I tried:
# get the crumb
> wget http://ullteb105.emea.nsn-net.net:9999/crumbIssuer/api/xml -o out --output-document ooooo --user="random" --password="foobar"
> less ooooo
<defaultCrumbIssuer _class='hudson.security.csrf.DefaultCrumbIssuer'><crumb>1dd7db5ac04440f3c6f2e0b007d9afdb</crumb><crumbRequestField>Jenkins-Crumb</crumbRequestField></defaultCrumbIssuer>

# user/password + crumb as "Jenkins-Crumb" -> No valid crumb
> /usr/bin/wget --auth-no-challenge --no-proxy --user="random" --password="foobar" http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml --post-file=encoded/PHY_TX----trunk--build.xml --header="Jenkins-Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
--2017-10-30 14:59:55--  http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
HTTP request sent, awaiting response... 403 No valid crumb was included in the request
2017-10-30 14:59:55 ERROR 403: No valid crumb was included in the request.

# No password; just the crumb -> forbidden (ok, obvious)
> /usr/bin/wget --auth-no-challenge --no-proxy --user="random" http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml --post-file=encoded/PHY_TX----trunk--build.xml --header="Jenkins-Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
--2017-10-30 15:18:54--  http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
HTTP request sent, awaiting response... 403 Forbidden
2017-10-30 15:18:54 ERROR 403: Forbidden.

# No user/password; just the crumb -> forbidden (ok, obvious)
> /usr/bin/wget --auth-no-challenge --no-proxy http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml --post-file=encoded/PHY_TX----trunk--build.xml --header="Jenkins-Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
--2017-10-30 15:19:06--  http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
HTTP request sent, awaiting response... 403 Forbidden
2017-10-30 15:19:06 ERROR 403: Forbidden.

# user/password + crumb as "Crumb" -> No valid crumb
> /usr/bin/wget --auth-no-challenge --no-proxy --user="random" --password="foobar" http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml --post-file=encoded/PHY_TX----trunk--build.xml --header="Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
--2017-10-30 15:19:19--  http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
HTTP request sent, awaiting response... 403 No valid crumb was included in the request
2017-10-30 15:19:19 ERROR 403: No valid crumb was included in the request.

# same, but 'crumb'
> /usr/bin/wget --auth-no-challenge --no-proxy --user="random" --password="foobar" http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml --post-file=encoded/PHY_TX----trunk--build.xml --header="crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
--2017-10-30 15:19:24--  http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
HTTP request sent, awaiting response... 403 No valid crumb was included in the request
2017-10-30 15:19:24 ERROR 403: No valid crumb was included in the request.

# same, but '.crumb'
> /usr/bin/wget --auth-no-challenge --no-proxy --user="random" --password="foobar" http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml --post-file=encoded/PHY_TX----trunk--build.xml --header=".crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
--2017-10-30 15:19:30--  http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
HTTP request sent, awaiting response... 403 No valid crumb was included in the request
2017-10-30 15:19:30 ERROR 403: No valid crumb was included in the request.

> wget --output-document ooooo --user="random" --password="foobar"  'http://ullteb105.emea.nsn-net.net:9999/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'
--2017-10-30 15:28:52--  http://ullteb105.emea.nsn-net.net:9999/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,%22:%22,//crumb)
Resolving ullteb105.emea.nsn-net.net... 10.159.34.240
Connecting to ullteb105.emea.nsn-net.net|10.159.34.240|:9999... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46 [text/plain]
Saving to: ooooo
100%[==========================================================================================================================================>] 46          --.-K/s   in 0s
2017-10-30 15:28:52 (8.47 MB/s) - ooooo saved [46/46]

> less ooooo
Jenkins-Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb

# ok, so it is Jenkins-Crumb ?
# And the crumb itself stayed the same, so it is no timing issue (so far)
# I think I understood the crumb is an MD5 over user + password + some salt

# ok, then "Jenkins-Crumb" - no luck too
> /usr/bin/wget --auth-no-challenge --no-proxy --user="random" --password="foobar" http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml --post-file=encoded/PHY_TX----trunk--build.xml --header="Jenkins-Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
--2017-10-30 15:29:37--  http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
HTTP request sent, awaiting response... 403 No valid crumb was included in the request
2017-10-30 15:29:37 ERROR 403: No valid crumb was included in the request.

Regards

Martin

Marti...@nsn.com

Nov 22, 2017, 10:54:57 AM11/22/17
to Jenkins Users
Hello,

ok, answer to my own mail...

The rules seem to be:

  1. Use
     curl -s 'http://<user>:<PWD>@<machine>:<port>/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)' && echo
     to get the Crumb.
  2. The Crumb gets returned, ready to use:
     "Jenkins-Crumb:30….b"
     Exactly this needs to be handed in.
  3. "curl -u '<user>:<PWD>' …" doesn't work, while "curl -s 'http://<user>:<PWD>@…'" does.
  4. The hostname gets hashed into the Crumb returned (so the Crumb changes between aliases for the same machine name (physical/logical/forward from standby master)).
     So it is important to use the same machine name (physical/logical/forward from standby master) on all calls.
  5. As to this finding and the documentation, the crumb is constructed from:
     (So this means it shouldn't change over time (modulo Jenkins updates?))
     1. Hostname
     2. Username
     3. Password (it seems API token and password are somehow mapped?)
     4. A salt
  6. Both the API token and the password can be used (same syntax, just use PWD or token).
     Both lead to the same Crumb returned.
     Then what is this token about?
  7. The wget call can use
     wget … --user=jm0 --password=<PWD> … --header='Jenkins-Crumb:30430………………71b'
     or
     wget http://jm0:PW@… --header='Jenkins-Crumb:30430………………71b'
     Both work with the crumb.
Hope this might help others....

Martin

Now I would just need to know what the error messages in the log mean when I switch CSRF on....

Daniel Beck

Nov 23, 2017, 6:53:32 AM11/23/17
to jenkins...@googlegroups.com

> On 22. Nov 2017, at 16:48, marti...@nsn.com wrote:
>
> • Both the API-token, as well as the password can be used (same syntax, just use PWD or token)
> Both lead to the same Crumb returned
> Then what is this token about ?

Depending on the environment, putting passwords into scripts might not be a reasonable solution to scripting Jenkins via its remote ("REST") API.
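The flow Martin worked out (fetch the crumb, send it back under the field name the issuer announces, using the same credentials and the same hostname for both calls), combined with Daniel's point about keeping passwords out of scripts, as an added Python example that is not code from the thread or from the Jenkins project. It assumes a Jenkins 2.85-era server at the placeholder URL http://jenkins.example:9999 and an API token in a hypothetical JENKINS_TOKEN environment variable; the sample crumb XML is constructed in the shape quoted in the first message.

```python
import base64
import os
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample in the shape /crumbIssuer/api/xml returns (see the thread).
SAMPLE_CRUMB_XML = (
    b"<defaultCrumbIssuer _class='hudson.security.csrf.DefaultCrumbIssuer'>"
    b"<crumb>1dd7db5ac04440f3c6f2e0b007d9afdb</crumb>"
    b"<crumbRequestField>Jenkins-Crumb</crumbRequestField></defaultCrumbIssuer>"
)

def parse_crumb(xml_bytes: bytes) -> tuple:
    """Return (header_name, crumb). The header name is read from
    <crumbRequestField>, never hard-coded: it is what Jenkins checks next."""
    root = ET.fromstring(xml_bytes)
    field, crumb = root.findtext("crumbRequestField"), root.findtext("crumb")
    if not field or not crumb:
        raise ValueError("crumbIssuer response lacks crumb/crumbRequestField")
    return field, crumb

def basic_auth_header(user: str, secret: str) -> str:
    """Pre-emptive Basic auth, the equivalent of wget --auth-no-challenge."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()

def request_headers(user: str, secret: str, crumb_xml: bytes) -> dict:
    """Headers for the protected call: the same credentials that fetched the
    crumb, plus the crumb under the field name the issuer announced."""
    field, crumb = parse_crumb(crumb_xml)
    return {"Authorization": basic_auth_header(user, secret), field: crumb}

def post_job_config(base_url: str, job: str, config_xml: bytes,
                    user: str, token: str) -> int:
    """Fetch a crumb and POST config.xml against the same base_url, so the
    hostname baked into the crumb matches. Returns the HTTP status code."""
    auth = {"Authorization": basic_auth_header(user, token)}
    crumb_req = urllib.request.Request(f"{base_url}/crumbIssuer/api/xml", headers=auth)
    with urllib.request.urlopen(crumb_req) as resp:
        crumb_xml = resp.read()
    headers = request_headers(user, token, crumb_xml)
    headers["Content-Type"] = "application/xml"
    req = urllib.request.Request(f"{base_url}/job/{job}/config.xml", data=config_xml,
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":  # token comes from the environment, not the script
    print(post_job_config("http://jenkins.example:9999", "PHY_TX----trunk--build",
                          b"<project/>", "random", os.environ["JENKINS_TOKEN"]))
```

Later Jenkins releases tie crumbs to the web session and exempt API-token-authenticated requests from the crumb check, so on those servers the crumb fetch above becomes unnecessary.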
