[JIRA] [bitbucket-branch-source-plugin] (JENKINS-35469) Exclude crumb requirement for webhook


mkubenka@gmail.com (JIRA)

Jun 8, 2016, 8:25:02 AM
to jenkinsc...@googlegroups.com
Michal Kubenka created an issue
 
Jenkins / Bug JENKINS-35469
Exclude crumb requirement for webhook
Issue Type: Bug
Assignee: Antonio Muñiz
Components: bitbucket-branch-source-plugin
Created: 2016/Jun/08 12:24 PM
Priority: Major
Reporter: Michal Kubenka

Webhook endpoint /bitbucket-scmsource-hook/notify should be excluded from CSRF protection.

Response with CSRF protection enabled:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Error 403 No valid crumb was included in the request</title>
</head>
<body><h2>HTTP ERROR 403</h2>
<p>Problem accessing /bitbucket-scmsource-hook/notify. Reason:
<pre>    No valid crumb was included in the request</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>

</body>
</html>
 
This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)

mkubenka@gmail.com (JIRA)

Jun 8, 2016, 8:28:01 AM
to jenkinsc...@googlegroups.com
Michal Kubenka updated an issue
Change By: Michal Kubenka
Webhook endpoint /bitbucket-scmsource-hook/notify should be excluded from CSRF protection.

Response with CSRF protection enabled:

{code:html}

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Error 403 No valid crumb was included in the request</title>
</head>
<body><h2>HTTP ERROR 403</h2>
<p>Problem accessing /bitbucket-scmsource-hook/notify. Reason:
<pre>    No valid crumb was included in the request</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>

</body>
</html>
{code}

Fixed in Bitbucket plugin: JENKINS-26234

en@enlightened.de (JIRA)

Aug 17, 2016, 10:06:01 AM
to jenkinsc...@googlegroups.com
Nicolai Ehemann commented on Bug JENKINS-35469
 
Re: Exclude crumb requirement for webhook

Why should there be an exclusion? Why can't the bitbucket hook send a csrf crumb?


mkubenka@gmail.com (JIRA)

Aug 17, 2016, 10:29:02 AM
to jenkinsc...@googlegroups.com

Because it's impossible...

You can find more info about CSRF here https://en.wikipedia.org/wiki/Cross-site_request_forgery

en@enlightened.de (JIRA)

Aug 18, 2016, 4:43:02 AM
to jenkinsc...@googlegroups.com

It's impossible because it's impossible.

However, meanwhile, I understood the aim is to have (some) api endpoints that can be accessed by jenkins-agnostic third party tools.

Now, I wonder if this "exclude crumb" method is a good way of doing this. The CSRF problem is that authenticated users (meaning persons using a web browser) can be made to do HTTP calls because their credentials are always sent with each browser request. If you implement crumb exclusions, these API endpoints are again vulnerable to CSRF attacks.
If you have, for example, an endpoint that should be accessed with a security token as the authentication mechanism, it can now be called via CSRF with the user authentication.

I think the correct way to implement this would rather be to require a CSRF token for all user/password-based authenticated requests, while not requiring the CSRF token for all requests that contain a valid token (or user/token combination in the case of user API tokens). That way, you don't need any exclusions while all endpoints should still be perfectly safe from CSRF attacks.

Please correct me, if I'm wrong.
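
As an added example (not code from the Jenkins project or from anyone in this thread), here is a small Python model of the two policies discussed above: the path-exclusion approach the ticket asks for, where the webhook path is simply exempted from the crumb check, and the alternative described in the previous comment, where the crumb is required only for requests that rely on the browser's ambient session cookie and is waived for requests carrying an explicit API token. The secret, the session id, the user name and the token are all constructed for the demo; the crumb construction (an HMAC over the session id) is an assumption for illustration and is not a description of how Jenkins builds its crumb.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Set

# Constructed server-side values for the demo; a real server would load these
# from its configuration and credential store.
CRUMB_SECRET = b"constructed-crumb-secret"
API_TOKENS = {"bitbucket-hook": "constructed-api-token"}  # user -> API token


def issue_crumb(session_id: str) -> str:
    """Crumb bound to one browser session: an HMAC over the session id.

    Only a page served inside that session can learn the crumb, so a
    cross-site page cannot forge it even though the browser will attach
    the session cookie to any request it is tricked into sending.
    """
    return hmac.new(CRUMB_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class Request:
    path: str
    session_id: Optional[str] = None   # cookie: the browser sends it automatically
    crumb: Optional[str] = None        # header: a page must add it explicitly
    user: Optional[str] = None         # explicit credential carried by the client
    api_token: Optional[str] = None


def token_auth_ok(req: Request) -> bool:
    """True when the request carries a valid user/API-token pair."""
    if req.user is None or req.api_token is None:
        return False
    expected = API_TOKENS.get(req.user)
    return expected is not None and hmac.compare_digest(expected, req.api_token)


def crumb_ok(req: Request) -> bool:
    """True when the crumb matches the session the cookie identifies."""
    if req.session_id is None or req.crumb is None:
        return False
    return hmac.compare_digest(issue_crumb(req.session_id), req.crumb)


def decide_with_exclusion(req: Request, excluded_paths: Set[str]) -> str:
    """Path-exclusion model: listed paths skip the crumb check entirely.

    A session-cookie request to an excluded path is accepted with no crumb,
    which is exactly the CSRF exposure the comment above points out.
    """
    if req.session_id is None and not token_auth_ok(req):
        return "401 unauthenticated"
    if req.path in excluded_paths:
        return "200 ok"
    if req.session_id is not None and not crumb_ok(req):
        return "403 no valid crumb"
    return "200 ok"


def decide_by_auth_method(req: Request) -> str:
    """Auth-method model: a crumb is required only when the request relies
    on the ambient session cookie. An explicit token needs no crumb because
    a cross-site page cannot make the browser attach it."""
    if token_auth_ok(req):
        return "200 ok"
    if req.session_id is not None:
        return "200 ok" if crumb_ok(req) else "403 no valid crumb"
    return "401 unauthenticated"


if __name__ == "__main__":
    hook = "/bitbucket-scmsource-hook/notify"
    # A request a logged-in user's browser was tricked into sending: cookie, no crumb.
    forged = Request(path=hook, session_id="sess-1")
    # The webhook sender itself, carrying its own token instead of a cookie.
    sender = Request(path=hook, user="bitbucket-hook", api_token="constructed-api-token")
    for label, req in (("forged", forged), ("sender", sender)):
        print(label, "exclusion:", decide_with_exclusion(req, {hook}),
              "| by-auth:", decide_by_auth_method(req))
```

Running it shows the difference in one line each: under the exclusion model the forged request is accepted, while under the auth-method model it is refused for lacking a crumb, and the token-bearing sender is accepted under both without ever needing one.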

kivagant@gmail.com (JIRA)

Aug 24, 2016, 9:18:02 AM
to jenkinsc...@googlegroups.com
Eugene G commented on Bug JENKINS-35469

Hello.

So, what did you decide about this problem? I have the same problem with Bitbucket – the hook does not work because of "No valid crumb". What should I do to fix this situation?

Thank you.

sion@byteshifter.io (JIRA)

Sep 7, 2016, 7:51:03 AM
to jenkinsc...@googlegroups.com

Eugene G I found disabling CSRF to work. Not ideal, but resolves the issue until the fix.

Go to "Manage Jenkins" > "Configure Global Security" and disable "Prevent Cross Site Request Forgery exploits."

kivagant@gmail.com (JIRA)

Sep 7, 2016, 8:20:03 AM
to jenkinsc...@googlegroups.com
Eugene G commented on Bug JENKINS-35469

Thank you, Sion Williams, I have used the same option. Not the best, but it works.

vivek.pandey@gmail.com (JIRA)

Nov 19, 2018, 10:44:02 AM
to jenkinsc...@googlegroups.com
Vivek Pandey updated an issue
 
Change By: Vivek Pandey
Labels: technical-debt triaged-2018-11

antoine@antoinedescamps.fr (JIRA)

Jan 2, 2019, 9:06:02 AM
to jenkinsc...@googlegroups.com
Antoine Descamps commented on Bug JENKINS-35469
 
Re: Exclude crumb requirement for webhook

I'm facing the same issue.

 

Jenkins is behind a reverse proxy; enabling "Enable proxy compatibility" isn't working, but disabling CSRF does work. However, as Eugene G said, it's not the best option.

 

What I do not understand is that doing a POST request with curl works, without any token or authentication.
