[JIRA] (JENKINS-59219) Found invalid crumb


kent.granstrom@comhem.se (JIRA)

Sep 4, 2019, 4:53:02 AM
to jenkinsc...@googlegroups.com
Kent Granström created an issue

Jenkins / Bug JENKINS-59219
Found invalid crumb
Issue Type: Bug
Assignee: Unassigned
Components: core
Created: 2019-09-04 08:51
Environment: Windows 2016 server
Jenkins 2.193
pull-request-notifier-for-bitbucket 4.1
Bitbucket 6.4.0
Priority: Critical
Reporter: Kent Granström

After upgrading Jenkins from 2.189 to 2.193 due to security issues none of the jobs I have set up in Jenkins to be triggered by the pull-request-notifier are started. There are 2 options the way I see it:

  1. some of the changes in Jenkins are breaking this plugin, or
  2. the implementation in Jenkins doesn't work as intended.

None of the configurations of the 20+ jobs I have that are triggered by this plugin have changed.

Extract from log:
2019-09-04 08:22:33.903+0000 [id=35] WARNING hudson.security.csrf.CrumbFilter#doFilter: Found invalid crumb e55f02079f26ceaa8d7751f38e119adeea156a549c169642bdeeafb4029b0317. Will check remaining parameters for a valid one...
2019-09-04 08:22:33.903+0000 [id=35] WARNING hudson.security.csrf.CrumbFilter#doFilter: No valid crumb was included in request for /job/PKING-pm/buildWithParameters by jenkins. Returning 403.

 

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

kent.granstrom@comhem.se (JIRA)

Sep 4, 2019, 5:23:02 AM
to jenkinsc...@googlegroups.com
Kent Granström updated an issue
Change By: Kent Granström
After upgrading Jenkins from 2.189 to 2.193 due to security issues *none* of the jobs I have set up in Jenkins to be triggered by the pull-request-notifier are started. There are 2 options the way I see it:

  1. some of the changes in Jenkins are breaking the notifier plugin in Bitbucket, or
  2. the implementation in Jenkins doesn't work as intended.

None of the configurations of the 20+ jobs I have that are triggered by this plugin have changed.

Extract from log:
2019-09-04 08:22:33.903+0000 [id=35] WARNING hudson.security.csrf.CrumbFilter#doFilter: Found invalid crumb e55f02079f26ceaa8d7751f38e119adeea156a549c169642bdeeafb4029b0317. Will check remaining parameters for a valid one...
2019-09-04 08:22:33.903+0000 [id=35] WARNING hudson.security.csrf.CrumbFilter#doFilter: No valid crumb was included in request for /job/PKING-pm/buildWithParameters by jenkins. Returning 403.

 

dbeck@cloudbees.com (JIRA)

Sep 4, 2019, 9:11:06 AM
to jenkinsc...@googlegroups.com
Daniel Beck closed an issue as Not A Defect
 

I don't know what pull-request-notifier is, but it's almost certainly a problem of a long-living, static crumb configured in the client, something no longer supported unless a compatibility option is set as described in the LTS upgrade guide referenced from the security advisory.

Closing as this doesn't show there's anything wrong with Jenkins; we explicitly no longer support some use cases with long living crumbs.

Change By: Daniel Beck
Status: Open → Closed
Resolution: Not A Defect

kent.granstrom@comhem.se (JIRA)

Sep 4, 2019, 9:44:02 AM
to jenkinsc...@googlegroups.com
Kent Granström commented on Bug JENKINS-59219
 
Re: Found invalid crumb

@daniel beck, that's rather cheeky since we have had to roll back to 2.189. The plugin asks for a crumb for each and every call so it must be a valid case. Can you please take a look at the pull-request-notifier-for-bitbucket and/or talk to the developer since there must be something wrong on either side. After going back to 2.189 it works again.

dbeck@cloudbees.com (JIRA)

Sep 4, 2019, 10:03:01 AM
to jenkinsc...@googlegroups.com
Daniel Beck commented on Bug JENKINS-59219
 
Re: Found invalid crumb

Based on the behavior described in https://github.com/tomasbjerre/pull-request-notifier-for-bitbucket/blob/a66210fb34fbc46a8a67da437e060d20681761c6/README_jenkins.md and from what I guess https://github.com/tomasbjerre/pull-request-notifier-for-bitbucket/blob/c8cb7b1d6f4dcb8e6225ab54329c81b6d4d198b4/src/main/java/se/bjurr/prnfb/service/PrnfbVariable.java#L142...L204 does, it looks like the client obtains a crumb, but does not retain the session ID.

As documented in the security advisory, we implemented the expiration of crumbs by binding them to the HTTP session, and if two subsequent requests, one for a crumb, and another to perform an action, do not use the same session cookie, they will fail. This is expected behavior.

As a workaround, you should be able to install the strict-crumb-issuer plugin and configure it to not check the session ID, but only do time-based expiration.
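The session-bound crumb check Daniel describes, shown as an added example that is not part of this thread, not Jenkins's own CrumbIssuer code and not the pull-request-notifier client: a constructed Python model of an issuer that binds crumbs to the HTTP session, next to the time-based mode the workaround switches to, and two clients, one that keeps the session cookie between the crumb fetch and the build request and one that drops it. The HMAC input, the timestamp prefix, the JSESSIONID cookie handling and all class and function names are assumptions chosen to make the behaviour visible.

```python
import hashlib
import hmac
import secrets
import time

# Constructed model, added for illustration; not Jenkins's CrumbIssuer and not the
# pull-request-notifier client. The HMAC input, the 8-hex-digit timestamp prefix
# and the cookie handling are assumptions chosen to make the behaviour visible.

CRUMB_SECRET = secrets.token_bytes(32)   # stands in for the server's crumb salt
SESSION_COOKIE = "JSESSIONID"


class CrumbIssuer:
    """HMAC-SHA256 crumb over (user, session id, issue time).

    bind_to_session=True mirrors the post-advisory Jenkins default: a crumb is
    only valid in the HTTP session that obtained it. bind_to_session=False plus
    a ttl mirrors the strict-crumb-issuer workaround named in the thread, where
    only time-based expiry is enforced.
    """

    def __init__(self, bind_to_session=True, ttl_seconds=None):
        self.bind_to_session = bind_to_session
        self.ttl_seconds = ttl_seconds

    def _mac(self, user, session_id, issued_at):
        bound = session_id if self.bind_to_session else ""
        msg = f"{user};{bound};{issued_at}".encode()
        return hmac.new(CRUMB_SECRET, msg, hashlib.sha256).hexdigest()

    def issue(self, user, session_id, now=None):
        issued_at = int(time.time() if now is None else now)
        return f"{issued_at:08x}" + self._mac(user, session_id, issued_at)

    def validate(self, crumb, user, session_id, now=None):
        now = time.time() if now is None else now
        if len(crumb) != 8 + 64:
            return False
        try:
            issued_at = int(crumb[:8], 16)
        except ValueError:
            return False
        if self.ttl_seconds is not None and now - issued_at > self.ttl_seconds:
            return False
        return hmac.compare_digest(crumb[8:], self._mac(user, session_id, issued_at))


class JenkinsLikeServer:
    """Two endpoints: fetch a crumb, then trigger a build with it."""

    def __init__(self, issuer):
        self.issuer = issuer
        self.log = []

    def _session_for(self, cookies):
        # A request without a session cookie gets a fresh session, as a servlet
        # container would do; that is exactly what breaks a cookie-less client.
        return cookies.get(SESSION_COOKIE) or secrets.token_hex(16)

    def get_crumb(self, user, cookies):
        session_id = self._session_for(cookies)
        crumb = self.issuer.issue(user, session_id)
        return crumb, {SESSION_COOKIE: session_id}   # Set-Cookie on the response

    def build_with_parameters(self, job, user, cookies, crumb):
        session_id = self._session_for(cookies)
        if not self.issuer.validate(crumb, user, session_id):
            self.log.append(
                f"WARNING hudson.security.csrf.CrumbFilter#doFilter: No valid crumb "
                f"was included in request for /job/{job}/buildWithParameters by {user}. "
                "Returning 403."
            )
            return 403
        return 201   # Jenkins answers 201 Created when a build is queued


def trigger_keeping_session(server, job, user):
    """Correct client: reuse the cookie jar returned with the crumb."""
    crumb, jar = server.get_crumb(user, {})
    return server.build_with_parameters(job, user, jar, crumb)


def trigger_dropping_session(server, job, user):
    """Client that obtains a crumb but sends the action without the session cookie."""
    crumb, _jar = server.get_crumb(user, {})
    return server.build_with_parameters(job, user, {}, crumb)


if __name__ == "__main__":
    default = JenkinsLikeServer(CrumbIssuer())
    print(trigger_keeping_session(default, "PKING-pm", "jenkins"))    # 201
    print(trigger_dropping_session(default, "PKING-pm", "jenkins"))   # 403
    print(default.log[-1])
    strict = JenkinsLikeServer(CrumbIssuer(bind_to_session=False, ttl_seconds=300))
    print(trigger_dropping_session(strict, "PKING-pm", "jenkins"))    # 201
```

For a real client the fix is the same as in the model: reuse one cookie jar (for example a `requests.Session()`) across the crumb fetch and the action so both requests carry the session cookie the crumb was issued in. The time-based mode makes the trade-off of the strict-crumb-issuer workaround visible: until the crumb expires it validates from any session, so the session binding that the advisory introduced is given up for that server.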

kent.granstrom@comhem.se (JIRA)

Sep 4, 2019, 3:10:02 PM
to jenkinsc...@googlegroups.com
Kent Granström commented on Bug JENKINS-59219
 
Re: Found invalid crumb

@Daniel Beck. Thanks. I have written an issue pointing towards the plugin.
