
Gogs Webhooks fail if "Prevent Cross Site Request Forgery exploits" is enabled

      Thanks for making a plugin to support the Gogs git self-hosting service!

      When Gogs sends a webhook, it issues a POST request with a bunch of information in JSON format. With "Prevent Cross Site Request Forgery exploits" enabled in Jenkins (which is the default for new installs of Jenkins 2.x), Gogs' webhooks are blocked because they don't have a crumb associated with them.

      Would it be possible to add a CrumbExclusion similar to the one found in the Github plugin ( https://github.com/jenkinsci/github-plugin/commit/5c2a041 )? That would allow us to leave CSRF protection enabled and still get working webhooks.
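For context on what the requested CrumbExclusion has to do, here is an added example of the extension point in question. It is not the gogs-webhook plugin's own source and is not the commit referenced later on this page; it is the same pattern the GitHub plugin uses. Jenkins' `hudson.security.csrf.CrumbExclusion` is a real extension point: the crumb filter asks every registered exclusion whether it wants to handle the request, and an exclusion that forwards the request down the filter chain and returns `true` makes the crumb check skip that request. The `/gogs-webhook/` path prefix is an assumption here and must match the URL name the plugin's webhook action actually registers.

```java
package org.jenkinsci.plugins.gogs;

import hudson.Extension;
import hudson.security.csrf.CrumbExclusion;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not the plugin's own code: exempts POSTs to the Gogs webhook
 * endpoint from Jenkins' CSRF crumb check so that Gogs, which has no Jenkins
 * session and therefore no crumb, can still deliver webhooks.
 *
 * The exclusion is deliberately narrow: one path prefix and one HTTP method.
 * Everything else still goes through normal crumb validation.
 */
@Extension
public class GogsWebHookCrumbExclusion extends CrumbExclusion {

    /** Assumed URL name of the webhook action; adjust to the plugin's real one. */
    static final String WEBHOOK_PATH = "/gogs-webhook";

    @Override
    public boolean process(HttpServletRequest req, HttpServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (isExcluded(req.getMethod(), req.getPathInfo())) {
            // Hand the request on without the crumb check. Returning true tells
            // the crumb filter that this exclusion has already dispatched it.
            chain.doFilter(req, resp);
            return true;
        }
        // Not ours: let the crumb filter apply its usual validation.
        return false;
    }

    /**
     * Only a POST whose path is exactly the webhook endpoint, or lives under it,
     * is exempted. Kept static and side-effect free so it is easy to unit test.
     */
    static boolean isExcluded(String method, String pathInfo) {
        if (pathInfo == null || !"POST".equals(method)) {
            return false;
        }
        return pathInfo.equals(WEBHOOK_PATH) || pathInfo.startsWith(WEBHOOK_PATH + "/");
    }
}
```

The caveat a practitioner wants before shipping this: a CrumbExclusion removes the CSRF protection for that path, so the handler behind it must not perform any action on the strength of the caller's browser session, and it should authenticate the webhook itself (for example by checking a shared secret configured on both the Gogs and Jenkins side) rather than trusting that a POST to the endpoint came from Gogs. The `@Extension` annotation is what registers the class with Jenkins at startup, so no further wiring is needed beyond compiling it into the plugin.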

          [JENKINS-37149] Gogs Webhooks fail if "Prevent Cross Site Request Forgery exploits" is enabled

          Nick Clark created issue -
          Code changed in jenkins
          User: Alexander Verhaar
          Path:
          src/main/java/org/jenkinsci/plugins/gogs/GogsWebHookCrumbExclusion.java
          http://jenkins-ci.org/commit/gogs-webhook-plugin/7d573a3124d6aea14eb00aea5e6e75d865f6027b
          Log:
          [FIXED JENKINS-37149] Added CSRF protection

          SCM/JIRA link daemon made changes:
          Resolution set to Fixed
          Status changed from Open to Resolved

          sander v added a comment -

          Just added the fix. If you can check if it works it would be great!


          Nick Clark added a comment (edited)

          Sure, I'll give it a try! How can I get the 1.03 snapshot? I don't see it yet in the plugin update manager. Is the new .hpi available directly somewhere?

          (also - does it really only need that one empty file? src/main/java/org/jenkinsci/plugins/gogs/GogsWebHookCrumbExclusion.java)

