Jenkins / JENKINS-37498

Builds can not be triggered by api with project token when csrf protection is enabled


Details

    • Bug
    • Status: Resolved (View Workflow)
    • Major
    • Resolution: Duplicate
    • core
    • Jenkins Version 2.18

    Description

      When CSRF protection is enabled, it's no longer possible to trigger builds/parametrized builds with the project api token (Returns Error 403 No valid crumb was included in the request).

          Activity

            danielbeck Daniel Beck added a comment -

            Where's the bug here? If you POST, you're expected to provide a token. /crumbIssuer/api/xml exists for that reason.
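As an added example (not code from this issue or from the Jenkins project), the sequence Daniel Beck describes: GET a crumb from /crumbIssuer/api/xml, then POST to the job's build endpoint with the crumb in a header, authenticating both requests with HTTP basic auth using a user's API token. The Jenkins URL, job name, user and token are placeholders, and the sample crumb XML is constructed to match the shape of the crumb issuer's response. It goes slightly beyond the report by also handling jobs inside folders and parameterized builds.

```python
"""Trigger a Jenkins build over the REST API with CSRF protection enabled.

Added example for this issue: fetch a crumb, then POST with it. The Jenkins
URL, job name, user and API token are placeholders, not values from the report.
"""
import base64
import http.cookiejar
import sys
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of a GET /crumbIssuer/api/xml body. The element names match
# Jenkins' DefaultCrumbIssuer; the crumb value itself is made up.
SAMPLE_CRUMB_XML = (
    '<defaultCrumbIssuer _class="hudson.security.csrf.DefaultCrumbIssuer">'
    "<crumb>0123456789abcdef0123456789abcdef</crumb>"
    "<crumbRequestField>Jenkins-Crumb</crumbRequestField>"
    "</defaultCrumbIssuer>"
)


def parse_crumb(xml_text):
    """Return (header_name, crumb_value) from the crumb issuer's XML."""
    root = ET.fromstring(xml_text)
    field = root.findtext("crumbRequestField")
    value = root.findtext("crumb")
    if not field or not value:
        raise ValueError("crumb issuer response lacks crumbRequestField/crumb")
    return field, value


def basic_auth_header(user, api_token):
    """HTTP basic auth with the user's API token in place of a password."""
    raw = f"{user}:{api_token}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def build_url(base_url, job, params=None):
    """Build endpoint for a job; folder segments become nested /job/ parts.

    Without parameters the endpoint is .../build; with parameters it is
    .../buildWithParameters?KEY=VALUE.
    """
    job_path = "/".join(
        "job/" + urllib.parse.quote(seg, safe="") for seg in job.strip("/").split("/")
    )
    url = f"{base_url.rstrip('/')}/{job_path}/"
    if params:
        return url + "buildWithParameters?" + urllib.parse.urlencode(params)
    return url + "build"


def crumbed_headers(auth_headers, crumb):
    """Merge the crumb header into the auth headers for the POST."""
    field, value = crumb
    headers = dict(auth_headers)
    headers[field] = value
    return headers


class JenkinsTrigger:
    """Two-step trigger: GET the crumb, then POST with it on the same session."""

    def __init__(self, base_url, user, api_token):
        self.base_url = base_url.rstrip("/")
        self.auth = basic_auth_header(user, api_token)
        # One cookie jar for both requests. Current Jenkins releases bind the crumb
        # to the session that fetched it, so the POST must carry that session's cookie.
        jar = http.cookiejar.CookieJar()
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))

    def fetch_crumb(self):
        req = urllib.request.Request(self.base_url + "/crumbIssuer/api/xml", headers=self.auth)
        with self.opener.open(req, timeout=30) as resp:
            return parse_crumb(resp.read().decode("utf-8"))

    def trigger(self, job, params=None):
        """POST the build request; returns (status, queue item URL or None)."""
        headers = crumbed_headers(self.auth, self.fetch_crumb())
        req = urllib.request.Request(
            build_url(self.base_url, job, params), data=b"", headers=headers, method="POST"
        )
        try:
            with self.opener.open(req, timeout=30) as resp:
                # Jenkins answers 201 Created with the queue item in Location.
                return resp.status, resp.headers.get("Location")
        except urllib.error.HTTPError as err:
            body = err.read().decode("utf-8", "replace")
            if err.code == 403 and "crumb" in body.lower():
                raise RuntimeError("crumb rejected; was it fetched on another session?") from err
            raise


if __name__ == "__main__":
    # Usage: trigger.py https://jenkins.example.org user api_token folder/job [KEY=VALUE ...]
    base, user, token, job, *kv = sys.argv[1:]
    params = dict(item.split("=", 1) for item in kv)
    print(JenkinsTrigger(base, user, token).trigger(job, params))
```

The crumb is fetched and spent inside one cookie-carrying opener on purpose: on the 2.18 release this issue was filed against any valid crumb was accepted, but later releases tie the crumb to the HTTP session that requested it, and a crumb fetched with a fresh connection and replayed on another is rejected with the same "No valid crumb was included in the request" 403 the report quotes.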

mcnetic Nicolai Ehemann added a comment -

It's actually a duplicate of #22474. Sorry I didn't find that one when reporting the bug (yes, I did a search before). As that one has been lingering for more than two years, I don't expect it to be resolved too soon.

mcnetic Nicolai Ehemann added a comment -

Would you mind extending your reasoning / clarifying the Jenkins position in the original issue?

I think the CSRF token is not correctly implemented in Jenkins. The goal is to prevent CSRF attacks on session-based requests (that is, authenticate once with user/password, and be protected against subsequent CSRF attacks by requiring a token with each request).

API usage with token-based authentication is a completely different thing, however: the authentication is done with each request by providing the API token. There is no way to attack this scheme by CSRF anyway, as there is no session involved. Requiring the CSRF token in this case does not provide additional security; it just requires the API user to make an additional request for the CSRF token prior to making the API call.

Without knowledge of the API token, the API call is not vulnerable. With knowledge of the API token, the CSRF token is no additional protection.

            danielbeck Daniel Beck added a comment -

            Please note that JENKINS-22474 is still around and open. We're not rejecting it.

mcnetic Nicolai Ehemann added a comment -

Ok, thank you. I was just unsure as to what the 'official' position regarding the issue was, as there has been no obvious activity for some time now. I assume that the issue will be fixed sooner or later, then.

People

  Assignee: Unassigned
  Reporter: mcnetic Nicolai Ehemann