Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-37149

Gogs Webhooks fail if "Prevent Cross Site Request Forgery exploits" is enabled

      Thanks for making a plugin to support the Gogs git self-hosting service!

      When Gogs sends a webhook, it issues a POST request with a bunch of information in JSON format. With "Prevent Cross Site Request Forgery exploits" enabled in Jenkins (which is the default for new installs of Jenkins 2.x), Gogs' webhooks are blocked because they don't have a crumb associated with them.

      Would it be possible to add a CrumbExclusion similar to the one found in the Github plugin ( https://github.com/jenkinsci/github-plugin/commit/5c2a041 )? That would allow us to leave CSRF protection enabled and still get working webhooks.

          [JENKINS-37149] Gogs Webhooks fail if "Prevent Cross Site Request Forgery exploits" is enabled

          Code changed in jenkins
          User: Alexander Verhaar
          Path:
          src/main/java/org/jenkinsci/plugins/gogs/GogsWebHookCrumbExclusion.java
          http://jenkins-ci.org/commit/gogs-webhook-plugin/7d573a3124d6aea14eb00aea5e6e75d865f6027b
          Log:
          [FIXED JENKINS-37149] Added CSRF protection

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Alexander Verhaar Path: src/main/java/org/jenkinsci/plugins/gogs/GogsWebHookCrumbExclusion.java http://jenkins-ci.org/commit/gogs-webhook-plugin/7d573a3124d6aea14eb00aea5e6e75d865f6027b Log: [FIXED JENKINS-37149] Added CSRF protection

          sander v added a comment -

          Just added the fix. If you can check if it works it would be great!

          sander v added a comment - Just added the fix. If you can check if it works it would be great!

          Nick Clark added a comment - - edited

          Sure, I'll give it a try! How can I get the 1.03 snapshot? I don't see it yet in the plugin update manager. Is the new .hpi available directly somewhere?

          (also - does it really only need that one empty file? src/main/java/org/jenkinsci/plugins/gogs/GogsWebHookCrumbExclusion.java)

          Nick Clark added a comment - - edited Sure, I'll give it a try! How can I get the 1.03 snapshot? I don't see it yet in the plugin update manager. Is the new .hpi available directly somewhere? (also - does it really only need that one empty file? src/main/java/org/jenkinsci/plugins/gogs/GogsWebHookCrumbExclusion.java)

          sander v added a comment -

          Have attached the 1.0.3 hpi version.

          sander v added a comment - Have attached the 1.0.3 hpi version.

          Nick Clark added a comment - - edited

          1.0.3 doesn't look like it works for me.

          Is it possible something got messed up in the 1.0.3 commit? GogsWebHookCrumbExclusion.java looks like it's an empty file.

          Nick Clark added a comment - - edited 1.0.3 doesn't look like it works for me. Is it possible something got messed up in the 1.0.3 commit? GogsWebHookCrumbExclusion.java looks like it's an empty file.

          Code changed in jenkins
          User: Alexander Verhaar
          Path:
          src/main/java/org/jenkinsci/plugins/gogs/GogsWebHookCrumbExclusion.java
          http://jenkins-ci.org/commit/gogs-webhook-plugin/c5bec4c70f1db75e535682a6c438b301555732ad
          Log:
          [FIXED JENKINS-37149] Added CSRF protection

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Alexander Verhaar Path: src/main/java/org/jenkinsci/plugins/gogs/GogsWebHookCrumbExclusion.java http://jenkins-ci.org/commit/gogs-webhook-plugin/c5bec4c70f1db75e535682a6c438b301555732ad Log: [FIXED JENKINS-37149] Added CSRF protection

          sander v added a comment -

          Sorry for the inconvenience, but now it should be fixed in the repo and you can try to download version 1.0.4 from here.

          sander v added a comment - Sorry for the inconvenience, but now it should be fixed in the repo and you can try to download version 1.0.4 from here .

          Nick Clark added a comment -

          1.0.4 works great! Thanks for the speedy turn-around!!

          Nick Clark added a comment - 1.0.4 works great! Thanks for the speedy turn-around!!

          sander v added a comment -

          No problem

          sander v added a comment - No problem

            sanderv43 sander v
            nrclark Nick Clark
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: