[JENKINS-75365] Build Now action in Bitbucket couldn't be initiated

      The build now action in Bitbucket (see below) can't be initiated in Bitbucket Server Integration Plugin 4.1.4.

      I believe this is because version 4.1.4 fixes Jenkins Security Advisory 2025-01-22. However, CSRF protection is not disabled for this URL.

      Jenkins responds with the following:


      Bitbucket doesn't have access to the crumb generated by Jenkins in the Jenkins user's session and therefore can't provide it in the Jenkins-Crumb header.

      Rolling back the plugin to version 4.1.3 fixes this issue, but doesn't include the security fixes from 4.1.4.


          Austin added a comment -

          The build now button seems to only work for freestyle jobs. In my case, I am trying to build a multibranch pipeline job.

          I believe it is because of the following code in src/main/java/com/atlassian/bitbucket/jenkins/internal/applink/oauth/serviceprovider/rest/OauthCrumbExclusion.java:

          List<String> getBuilds() {
              // only Project subclasses (freestyle, matrix) are collected here
              return Jenkins.get().getAllItems(Project.class).stream()
                      .map(project -> "/" + project.getUrl() + "build")
                      .collect(Collectors.toList());
          }

          This only returns a list of build URLs for freestyle projects because of Project.class.

          org.jenkinsci.plugins.workflow.job.WorkflowJob.class however will work for other types of projects.

          Therefore, since my multibranch pipeline build URL is not in this list, the URL doesn't get a CSRF protection exemption like it should.


          Austin added a comment - edited

          I tested this change locally, and it seemed to fix my issue. I just changed Project.class to Job.class, and updated the relevant import statement.

          List<String> getBuilds() {
              // Job covers WorkflowJob (Pipeline, multibranch branch jobs) as well as Project
              return Jenkins.get().getAllItems(Job.class).stream()
                      .map(project -> "/" + project.getUrl() + "build")
                      .collect(Collectors.toList());
          }
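As an added illustration (not the plugin's code and not part of the comments above): a hypothetical CrumbExclusion extension showing where a list built with Job.class would be used, and why such an exemption should only apply to requests that are otherwise authenticated, so that ordinary browser-originated POSTs stay covered by crumb validation. The class name, the Authorization-header check and the javax.servlet imports (pre-Jakarta Jenkins core) are assumptions.

```java
// Added illustration, not the plugin's code: a hypothetical CrumbExclusion
// that exempts the "build" endpoint of every Job (WorkflowJob included) from
// crumb checks, but only for requests that carry an OAuth Authorization
// header; everything else falls through to normal CSRF validation.
import hudson.Extension;
import hudson.model.Job;
import hudson.security.csrf.CrumbExclusion;
import jenkins.model.Jenkins;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.List;
import java.util.stream.Collectors;

@Extension
public class JobBuildCrumbExclusion extends CrumbExclusion {

    // Job.class rather than Project.class: Project only matches freestyle and
    // matrix projects, while Job also matches WorkflowJob, i.e. Pipeline jobs
    // and the branch jobs created under a multibranch Pipeline.
    static List<String> getBuilds() {
        return Jenkins.get().getAllItems(Job.class).stream()
                .map(job -> "/" + job.getUrl() + "build")
                .collect(Collectors.toList());
    }

    // Assumption: a request signed by Bitbucket carries "Authorization: OAuth ...".
    // Requests without that header are never exempted from the crumb check.
    static boolean isOAuthRequest(HttpServletRequest request) {
        String auth = request.getHeader("Authorization");
        return auth != null && auth.startsWith("OAuth ");
    }

    @Override
    public boolean process(HttpServletRequest request, HttpServletResponse response,
                           FilterChain chain) throws IOException, ServletException {
        String path = request.getPathInfo();
        if (path != null && isOAuthRequest(request) && getBuilds().contains(path)) {
            chain.doFilter(request, response); // skip the crumb check for this request
            return true;
        }
        return false; // let the regular crumb validation handle the request
    }
}
```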


            Assignee: Unassigned
            Reporter: Austin (aputland)