[JIRA] [git-plugin] (JENKINS-33878) "Push notification from repository" does not work unless "Prevent Cross Site Request Forgery exploits" is disabled


kneunert@gmail.com (JIRA)

Mar 29, 2016, 11:57:03 AM
to jenkinsc...@googlegroups.com
Kim Neunert created an issue
 
Jenkins / Bug JENKINS-33878
"Push notification from repository" does not work unless "Prevent Cross Site Request Forgery exploits" is disabled
Issue Type: Bug
Assignee: Mark Waite
Components: git-plugin
Created: 2016/Mar/29 3:56 PM
Priority: Minor
Reporter: Kim Neunert

This is very parallel to JENKINS-20140, but for the git-plugin. It might be that even the solution is very similar, which is implementing a CrumbExclusion:
https://github.com/jenkinsci/github-plugin/commit/5c2a04169171cb8e36da7ba39c4003aa318c74cb

I'm using 2.3.1 of the git-plugin and version 1.596.2 of Jenkins. Yes, I know this is quite old; however, the issue is with the git-plugin, which is not that much newer (currently 2.3.5).

Some comments/confirmations would be fine. Maybe even some implementation hints so that I can fix that myself.


mark.earl.waite@gmail.com (JIRA)

Mar 29, 2016, 9:23:01 PM
to jenkinsc...@googlegroups.com
Mark Waite commented on Bug JENKINS-33878
 
Re: "Push notification from repository" does not work unless "Prevent Cross Site Request Forgery exploits" is disabled

I can't duplicate the problem you're reporting. I enabled CSRF protection using the default crumb issuer with Jenkins 1.643.3, git client plugin 1.19.6 and git plugin 2.4.4, then confirmed that I was still able to use the notifyCommit URL (http://localhost:8080/notifyCommit?url=my-url-to-git-repo) to trigger new builds.

The git plugin wiki page mentions "Push notification from repository" and then describes how the notifyCommit URL is used to start builds without requiring that Jenkins poll the remote repository. That's what I tested and confirmed is working as I expected.

Is there a proxy between your Jenkins server and the server that is generating the HTTP requests to the notifyCommit URL? If so, then you may need to check the proxy support box on the CSRF configuration.

I also don't understand your comment:

Yes, I know this is quite old; however, the issue is with the git-plugin, which is not that much newer (currently 2.3.5)

The latest version of the git plugin is 2.4.4. Any idea why you're not seeing more recent versions of the plugin? Are you using a private update center, or some other technique that prevents you from seeing the latest plugins?

kneunert@gmail.com (JIRA)

Mar 30, 2016, 5:39:01 AM
to jenkinsc...@googlegroups.com
Kim Neunert commented on Bug JENKINS-33878
 
Re: "Push notification from repository" does not work unless "Prevent Cross Site Request Forgery exploits" is disabled

I should have been more specific. The issue occurs if you do a POST request. Something like this:

$ curl -X POST http://somejenkins.somewhere/git/notifyCommit\?url\=ssh://g...@some.stash.repo:7999/dist/somerepo.git
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 403 No valid crumb was included in the request</title>
</head>
<body><h2>HTTP ERROR 403</h2>
<p>Problem accessing /git/notifyCommit. Reason:
<pre>    No valid crumb was included in the request</pre></p><hr /><i><small>Powered by Jetty://</small></i>
</body>
</html>
$

The HTTP method seems to make a difference for some reason:
https://github.com/jenkinsci/jenkins/blob/4107d86328e907a34e23b09f21cd86340ae137ea/core/src/main/java/hudson/security/csrf/CrumbFilter.java#L56

And unfortunately, Atlassian Stash's implementation of webhooks is using POST, not GET.
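The two comments above together point at the fix Kim suggests in the ticket: CrumbFilter only checks the crumb on POST, so a CrumbExclusion that lets POSTs to /git/notifyCommit through makes them equivalent to the GET form that already works without a crumb. The following is an added example of what such an exclusion could look like, written for this thread; it is not code from the git plugin or from the github-plugin commit linked in the ticket. The package name and class name are hypothetical, and the path constant assumes the endpoint is served at /git/notifyCommit under the Jenkins context root, as in the curl output above.

```java
package org.example.gitplugin.csrf; // hypothetical package, not the git plugin's own

import hudson.Extension;
import hudson.security.csrf.CrumbExclusion;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * Lets requests to the git plugin's notifyCommit endpoint bypass the CSRF crumb
 * check in CrumbFilter. CrumbFilter only enforces the crumb on POST, so a GET to
 * this URL already passes; this exclusion puts POST on the same footing for
 * webhook senders (such as Stash) that only POST. Every other URL keeps the
 * normal crumb requirement.
 */
@Extension
public class GitNotifyCommitCrumbExclusion extends CrumbExclusion {

    // Path of the notifyCommit endpoint relative to the Jenkins context root (assumed).
    static final String NOTIFY_COMMIT_PATH = "/git/notifyCommit";

    @Override
    public boolean process(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String pathInfo = request.getPathInfo();
        if (pathInfo != null && isNotifyCommit(pathInfo)) {
            // Continue the filter chain ourselves and tell CrumbFilter we handled it,
            // so it does not perform (and fail) the crumb check for this request.
            chain.doFilter(request, response);
            return true;
        }
        // Not our endpoint: let CrumbFilter apply its usual check.
        return false;
    }

    /**
     * Exact match, optionally with a trailing slash. Deliberately not a prefix
     * match, so that other paths under /git/ are not accidentally excluded.
     */
    static boolean isNotifyCommit(String pathInfo) {
        return NOTIFY_COMMIT_PATH.equals(pathInfo)
                || (NOTIFY_COMMIT_PATH + "/").equals(pathInfo);
    }
}
```

The exclusion is deliberately narrow: it matches the one path and nothing else, because each excluded URL is one more place where a cross-site POST is accepted without a crumb. Since the same endpoint already accepts a crumbless GET, excluding the POST form does not widen what an attacker can reach, it only lets POST-only webhook senders use it.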

kneunert@gmail.com (JIRA)

Mar 30, 2016, 5:48:02 AM
to jenkinsc...@googlegroups.com

I just tested the Bitbucket Webhook to Jenkins, which probably is doing a "proper" GET request.
https://marketplace.atlassian.com/plugins/com.nerdwin15.stash-stash-webhook-jenkins/server/overview

This fixes it for me. So eventually, this is caused by a misuse of the POST request.

kneunert@gmail.com (JIRA)

Mar 30, 2016, 5:49:03 AM
to jenkinsc...@googlegroups.com
Kim Neunert edited a comment on Bug JENKINS-33878

Not sure what a proper resolution of this script is, feel free to close.
