Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
None
-
Jenkins 2.89.4
Description
The hudson.security.csrf.CrumbFilter generates so many log entries it causes parts of Jenkins to stall until the rate of log messages slows down.
2018-02-24 05:17:10.406+0000 [id=20011] WARNING hudson.security.csrf.CrumbFilter#doFilter: Found invalid crumb 418axxxx20cb74b577eaae393aa8ac0e. Will check remaining parameters for a valid one... 2018-02-24 05:17:10.406+0000 [id=20011] WARNING hudson.security.csrf.CrumbFilter#doFilter: No valid crumb was included in request for /$stapler/bound/419618ba-22aa-4afb-8528-b112a604cce9/getOnlineSlaves by joecool. Returning 403.
The amount of these logs was causing my Jenkins to stop working: The executors were not being released by jobs (even after they were done running) until the log entry could be written.
I checked through the logs and all the entries I have are for these URLs (there could be more, due to the logs rolling so quick):
- /$stapler/bound/419618ba-22aa-4afb-8528-b112a604cce9/getDisconnectedSlaves
- /$stapler/bound/419618ba-22aa-4afb-8528-b112a604cce9/getOfflineSlaves
- /$stapler/bound/419618ba-22aa-4afb-8528-b112a604cce9/getOnlineSlaves
- /$stapler/bound/419618ba-22aa-4afb-8528-b112a604cce9/getRunningJobs
- /$stapler/bound/419618ba-22aa-4afb-8528-b112a604cce9/getSlaves
- /$stapler/bound/419618ba-22aa-4afb-8528-b112a604cce9/getTasksInQueue
I would suggest that either these logs shouldn't be generated at all, or only as FINE or FINER entries.
Attachments
Issue Links
- relates to
-
-
- Resolved
-
Activity
It also seems wrong that if the permission for Jenkins are such that anyone (anonymous) can view a URL, then GET requests for that URL shouldn't need a CSRF token and should never raise a 403.
GET doesn't have CSRF protection, this sends POST. Possibly because it's the default.
Tobias Gruetzmacher
added a comment - This is now a bit saner:
- Only one request for all fields
- After 10 unsuccessful requests, further updates are suspended
Test build will probably be available later: https://ci.jenkins.io/blue/organizations/jenkins/Plugins%2Fdashboard-view-plugin/branches
Tobias Gruetzmacher
added a comment - This is now a bit saner:
Only one request for all fields
After 10 unsuccessful requests, further updates are suspended
Test build will probably be available later: https://ci.jenkins.io/blue/organizations/jenkins/Plugins%2Fdashboard-view-plugin/branches
- After 10 unsuccessful requests, further updates are suspended
Might be interesting for you to look at what the "Jenkins is (re)starting" screen in Jenkins core does – it distinguishes between getting no response or getting a 500 response from anything different. This way, the UI survives a Jenkins restart, but would show legitimate errors if they appear.
Tobias Gruetzmacher
added a comment - Fixed in dashboard-view plugin 2.10. 
I'm glad my extra research helped identify the culprit (dashboard-view).
I'm not familiar enough with Jelly to know exactly what's going on but it looks like some of the problems are:
It also seems wrong that if the permission for Jenkins are such that anyone (anonymous) can view a URL, then GET requests for that URL shouldn't need a CSRF token and should never raise a 403.