GitHub Webhook to Jenkins "Cross Site Scripting"


spacegoose

May 15, 2013, 9:23:23 AM5/15/13
to jenkins...@googlegroups.com
I am trying to trigger Jenkins builds from commits to a private GitHub repository. It only works when the cross site scripting protection in Jenkins is turned off.

Is there some way I can keep the cross site scripting protection setting on and get the GitHub webhook to work? The error with it on is a 403 / no valid crumb.

Can I use a crumb in the webhook URL?

Thanks,
Bill

spacegoose

May 16, 2013, 10:52:57 AM5/16/13
to jenkins...@googlegroups.com


Hoping someone else is using the basic GitHub webhook with Jenkins ... is there some way to get it to work with CSRF enabled?

According to the standard webhook doc, it POSTs to the trigger URL, and this may be why the CSRF is not allowing it?

I guess I can't disable CSRF for a particular build?

GitHub is recommending I use one of the Jenkins / GitHub plugins vs the standard webhook, looking like that is the only option.

Thanks,
Bill


spacegoose

May 16, 2013, 6:03:54 PM5/16/13
to jenkins...@googlegroups.com


On Wednesday, May 15, 2013 9:23:23 AM UTC-4, spacegoose wrote:


We ended up installing the GitHub plugin on Jenkins and it works, seemingly magically, w/o any authentication credentials specified, other than the Jenkins project specifying the GitHub repo & branch, and the GitHub webhook specifying the generic Jenkins /github-webhook/ URL on our Jenkins instance.

I looked in the Jenkins (1.514) config settings and didn't see any GitHub specific credentials.

We do have a special GitHub user with pull access to this repo, and it is set up with SSH keys to talk to our Jenkins (maybe this has something to do with it working?).

Dean Yu

May 17, 2013, 5:43:58 PM5/17/13
to jenkins...@googlegroups.com
Just noticing this thread.

With respect to your original question about Git and Jenkins' CSRF setting, as you've surmised, Jenkins protects all POST requests when this feature is enabled. There's a snippet in the Subversion plugin wiki[1] about how to make Subversion's commit hook work with the CSRF protection, and I would expect the same pattern will work for Git.

With respect to authentication, CSRF is only tangentially related to authentication. If your Jenkins instance requires an authenticated login, the CSRF will factor that into the crumb. If your Jenkins allows anonymous access, the CSRF protection will use other information for the crumb.

  -- Dean
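The crumb pattern Dean refers to, written out as an added example (not code from the thread or from the Subversion plugin wiki): the hook first fetches a fresh crumb from Jenkins' crumbIssuer endpoint, then sends it as a request header on the POST that triggers the job. The Jenkins URL `http://jenkins.example.com`, the job name `example-job` and the sample crumb response are assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample of what GET /crumbIssuer/api/json returns (not a real crumb).
SAMPLE_CRUMB_RESPONSE = (
    '{"_class":"hudson.security.csrf.DefaultCrumbIssuer",'
    '"crumb":"0123456789abcdef","crumbRequestField":"Jenkins-Crumb"}'
)


def parse_crumb(body):
    """Return (header name, crumb value) from a crumbIssuer JSON response."""
    data = json.loads(body)
    return data["crumbRequestField"], data["crumb"]


def build_trigger_request(jenkins_url, job, crumb_field, crumb_value):
    """URL and headers for a POST to a job's /build endpoint carrying the crumb."""
    url = "%s/job/%s/build" % (jenkins_url.rstrip("/"), urllib.parse.quote(job))
    return url, {crumb_field: crumb_value}


def trigger_build(jenkins_url, job):
    """Fetch a crumb, then POST the build trigger with it. Returns the HTTP status.

    The cookie jar matters: newer Jenkins releases bind the crumb to the HTTP
    session, so it must be sent with the same session cookie it was issued to.
    """
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
    with opener.open(jenkins_url.rstrip("/") + "/crumbIssuer/api/json") as resp:
        field, value = parse_crumb(resp.read().decode("utf-8"))
    url, headers = build_trigger_request(jenkins_url, job, field, value)
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    try:
        with opener.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # A 403 here is the "No valid crumb" rejection described in the thread.
        return err.code


if __name__ == "__main__":
    # Hypothetical instance and job name; adjust before running against a real server.
    print(trigger_build("http://jenkins.example.com", "example-job"))
```

Because GitHub's generic webhook cannot perform this two-step exchange before each delivery, the crumb pattern fits a self-hosted commit hook, while the plugin's /github-webhook/ endpoint remains the practical route for GitHub itself.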

