[JENKINS-37498] Builds cannot be triggered by API with project token when CSRF protection is enabled

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • Component: core
    • Jenkins Version: 2.18

      When CSRF protection is enabled, it is no longer possible to trigger builds/parametrized builds with the project API token (the request returns error 403, "No valid crumb was included in the request").


          Daniel Beck added a comment -

          Where's the bug here? If you POST, you're expected to provide a token. /crumbIssuer/api/xml exists for that reason.

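The two-step flow Daniel Beck refers to (fetch a crumb from /crumbIssuer/api/xml, then POST with it), as an added example; this is not code from the issue, from either commenter, or from Jenkins itself. The XML reply is a constructed sample, and JENKINS_URL, JENKINS_USER and JENKINS_TOKEN are assumed placeholders the caller sets for a live run; the field name is read from the response rather than hard-coded because an administrator can change it.

```shell
#!/bin/sh
# Added example (not from the issue or from Jenkins): trigger a build through
# the REST API while CSRF protection is on. Two requests are needed: GET
# /crumbIssuer/api/xml to obtain the crumb, then POST to the job's build
# endpoint with the crumb header. The API token authenticates both calls.
#
# Assumed inputs (placeholders, set them for a live run):
#   JENKINS_URL    e.g. https://jenkins.example.invalid  (no trailing slash)
#   JENKINS_USER   the account whose API token is used
#   JENKINS_TOKEN  that account's API token

# Constructed sample of a /crumbIssuer/api/xml reply; the crumb value is made
# up here, a real server issues its own.
SAMPLE_CRUMB_XML='<defaultCrumbIssuer _class="hudson.security.csrf.DefaultCrumbIssuer"><crumb>0123456789abcdef</crumb><crumbRequestField>Jenkins-Crumb</crumbRequestField></defaultCrumbIssuer>'

# Turn the crumb XML into the "Field: value" string curl's -H option expects.
# Fails (returns 1) when either element is missing, so a caller never POSTs
# with an empty header.
crumb_header_from_xml() {
  field=$(printf '%s\n' "$1" | sed -n 's/.*<crumbRequestField>\([^<]*\)<\/crumbRequestField>.*/\1/p')
  value=$(printf '%s\n' "$1" | sed -n 's/.*<crumb>\([^<]*\)<\/crumb>.*/\1/p')
  [ -n "$field" ] && [ -n "$value" ] || return 1
  printf '%s: %s' "$field" "$value"
}

# Pick the endpoint: /build for a plain job, /buildWithParameters when the
# caller passes NAME=VALUE parameters after the job name.
build_endpoint() {
  base=$1; job=$2; shift 2
  if [ "$#" -gt 0 ]; then
    printf '%s/job/%s/buildWithParameters' "$base" "$job"
  else
    printf '%s/job/%s/build' "$base" "$job"
  fi
}

# Live flow. Prints the HTTP status of the POST: 201 when the build is queued,
# 403 "No valid crumb was included in the request" when the header is missing.
trigger_build() {
  base=$1; job=$2; shift 2
  crumb_xml=$(curl -sSf -u "$JENKINS_USER:$JENKINS_TOKEN" "$base/crumbIssuer/api/xml") || return 1
  header=$(crumb_header_from_xml "$crumb_xml") || return 1
  url=$(build_endpoint "$base" "$job" "$@")
  # Re-pack the remaining NAME=VALUE arguments as curl --data-urlencode options.
  for p in "$@"; do set -- "$@" --data-urlencode "$p"; shift; done
  curl -sS -o /dev/null -w '%{http_code}' -X POST \
    -u "$JENKINS_USER:$JENKINS_TOKEN" -H "$header" "$@" "$url"
}

# Usage (hypothetical file name; only contacts a server when JENKINS_URL is set):
#   JENKINS_URL=https://jenkins.example.invalid JENKINS_USER=alice \
#     JENKINS_TOKEN=... sh trigger.sh my-job BRANCH=main
if [ -n "${JENKINS_URL:-}" ]; then
  trigger_build "$JENKINS_URL" "$@"
fi
```

The crumb request and the build request are both authenticated with the API token; the crumb is only the extra value Jenkins demands on the POST.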

          It's actually a duplicate of #22474. Sorry I didn't find that one when reporting the bug (yes, I did a search before). As that one has lingered for more than two years, I don't expect it to be resolved too soon.


          Would you mind extending your reasoning / clarifying the Jenkins position in the original issue?

          I think the CSRF token is not correctly implemented in Jenkins. The goal is to prevent CSRF attacks in session-based requests (that is, authenticate once with user/password, then be protected against subsequent CSRF attacks by requiring a token with each request).

          API usage by token-based authentication is a completely different thing, however: the authentication is done with each request by providing the API token. There is no way to attack this scheme by CSRF anyway, as there is no session involved. Requiring the CSRF token in this case does not provide additional security; it just requires the API user to make an additional request for the CSRF token prior to making the API call.

          Without knowledge of the API token, the API call is not vulnerable. With knowledge of the API token, the CSRF token is no additional protection.


          Daniel Beck added a comment -

          Please note that JENKINS-22474 is still around and open. We're not rejecting it.


          Ok, thank you. I was just unsure as to what the 'official' position regarding the issue was, as there has been no obvious activity for some time now. I assume, then, that the issue will be fixed sooner or later.


            Assignee: Unassigned
            Reporter: Nicolai Ehemann (mcnetic)