[JENKINS-37149] Gogs Webhooks fail if "Prevent Cross Site Request Forgery exploits" is enabled

Type: Bug
Resolution: Fixed
Priority: Minor
Component/s: gogs-webhook-plugin
Labels:
- CSRF
- Crumb
- CrumbExclusion
- Git
- Gogs-webhook
- Plugin
- Webhook
Environment:
Jenkins 2.16, Git Plugin 2.5.3, gogs-webhook 1.0.2

Similar Issues:
Powered by SuggestiMate

Show

Thanks for making a plugin to support the Gogs git self-hosting service!

When Gogs sends a webhook, it issues a POST request with a bunch of information in JSON format. With "Prevent Cross Site Request Forgery exploits" enabled in Jenkins (which is the default for new installs of Jenkins 2.x), Gogs' webhooks are blocked because they don't have a crumb associated with them.

Would it be possible to add a CrumbExclusion similar to the one found in the Github plugin ( https://github.com/jenkinsci/github-plugin/commit/5c2a041 )? That would allow us to leave CSRF protection enabled and still get working webhooks.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

gogs-webhook.hpi
1.15 MB
2016-08-03 19:41

Nick Clark created issue - 2016-08-03 16:26

Nick Clark made changes - 2016-08-03 16:27

Description

Original: Thanks for making a plugin to support the Gogs git self-hosting service!

When Gogs sends a webhook, it issues a POST request with a bunch of information in JSON format. With "Prevent Cross Site Request Forgery exploits" enabled in Jenkins (which is default operation), Gogs' webhooks are blocked because they don't have a crumb associated with them.

Would it be possible to add a CrumbExclusion similar to the one found in the Github plugin (https://github.com/jenkinsci/github-plugin/commit/5c2a041)? That would allow us to leave CSRF protection enabled and still get working webhooks.

New: Thanks for making a plugin to support the Gogs git self-hosting service!

When Gogs sends a webhook, it issues a POST request with a bunch of information in JSON format. With "Prevent Cross Site Request Forgery exploits" enabled in Jenkins (which is default for Jenkins 2.x), Gogs' webhooks are blocked because they don't have a crumb associated with them.

Would it be possible to add a CrumbExclusion similar to the one found in the Github plugin (https://github.com/jenkinsci/github-plugin/commit/5c2a041)? That would allow us to leave CSRF protection enabled and still get working webhooks.

Nick Clark made changes - 2016-08-03 16:27

Description

Original: Thanks for making a plugin to support the Gogs git self-hosting service!

When Gogs sends a webhook, it issues a POST request with a bunch of information in JSON format. With "Prevent Cross Site Request Forgery exploits" enabled in Jenkins (which is default for Jenkins 2.x), Gogs' webhooks are blocked because they don't have a crumb associated with them.

Would it be possible to add a CrumbExclusion similar to the one found in the Github plugin (https://github.com/jenkinsci/github-plugin/commit/5c2a041)? That would allow us to leave CSRF protection enabled and still get working webhooks.

New: Thanks for making a plugin to support the Gogs git self-hosting service!

When Gogs sends a webhook, it issues a POST request with a bunch of information in JSON format. With "Prevent Cross Site Request Forgery exploits" enabled in Jenkins (which is the default for Jenkins 2.x), Gogs' webhooks are blocked because they don't have a crumb associated with them.

Would it be possible to add a CrumbExclusion similar to the one found in the Github plugin (https://github.com/jenkinsci/github-plugin/commit/5c2a041)? That would allow us to leave CSRF protection enabled and still get working webhooks.

Nick Clark made changes - 2016-08-03 16:50

Summary

Original: Webhooks fail when "Prevent Cross Site Request Forgery exploits" is enabled

New: Gogs Webhooks fail when "Prevent Cross Site Request Forgery exploits" is enabled

Nick Clark made changes - 2016-08-03 17:05

Summary

Original: Gogs Webhooks fail when "Prevent Cross Site Request Forgery exploits" is enabled

New: Gogs Webhooks fail if "Prevent Cross Site Request Forgery exploits" is enabled

Nick Clark made changes - 2016-08-03 17:06

Description

Original: Thanks for making a plugin to support the Gogs git self-hosting service!

When Gogs sends a webhook, it issues a POST request with a bunch of information in JSON format. With "Prevent Cross Site Request Forgery exploits" enabled in Jenkins (which is the default for Jenkins 2.x), Gogs' webhooks are blocked because they don't have a crumb associated with them.

Would it be possible to add a CrumbExclusion similar to the one found in the Github plugin (https://github.com/jenkinsci/github-plugin/commit/5c2a041)? That would allow us to leave CSRF protection enabled and still get working webhooks.

New: Thanks for making a plugin to support the Gogs git self-hosting service!

When Gogs sends a webhook, it issues a POST request with a bunch of information in JSON format. With "Prevent Cross Site Request Forgery exploits" enabled in Jenkins (which is the default for new installs of Jenkins 2.x), Gogs' webhooks are blocked because they don't have a crumb associated with them.

Would it be possible to add a CrumbExclusion similar to the one found in the Github plugin (https://github.com/jenkinsci/github-plugin/commit/5c2a041)? That would allow us to leave CSRF protection enabled and still get working webhooks.

SCM/JIRA link daemon made changes - 2016-08-03 19:10

Resolution		New: Fixed [ 1 ]
Status	Original: Open [ 1 ]	New: Resolved [ 5 ]

sander v made changes - 2016-08-03 19:41

Attachment

New: gogs-webhook.hpi [ 33514 ]

Nick Clark made changes - 2016-08-03 19:53

Description

Original: Thanks for making a plugin to support the Gogs git self-hosting service!

When Gogs sends a webhook, it issues a POST request with a bunch of information in JSON format. With "Prevent Cross Site Request Forgery exploits" enabled in Jenkins (which is the default for new installs of Jenkins 2.x), Gogs' webhooks are blocked because they don't have a crumb associated with them.

Would it be possible to add a CrumbExclusion similar to the one found in the Github plugin (https://github.com/jenkinsci/github-plugin/commit/5c2a041)? That would allow us to leave CSRF protection enabled and still get working webhooks.

New: Thanks for making a plugin to support the Gogs git self-hosting service!

When Gogs sends a webhook, it issues a POST request with a bunch of information in JSON format. With "Prevent Cross Site Request Forgery exploits" enabled in Jenkins (which is the default for new installs of Jenkins 2.x), Gogs' webhooks are blocked because they don't have a crumb associated with them.

Would it be possible to add a CrumbExclusion similar to the one found in the Github plugin ( https://github.com/jenkinsci/github-plugin/commit/5c2a041 )? That would allow us to leave CSRF protection enabled and still get working webhooks.

sander v made changes - 2016-08-03 20:10

Status

Original: Resolved [ 5 ]

New: Closed [ 6 ]

Assignee:: sander v

Reporter:: Nick Clark

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2016-08-03 16:26

Updated:: 2016-08-03 20:10

Resolved:: 2016-08-03 19:10

Jenkins

Details

Description

Attachments

Attachments

Activity

People

Dates