Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-37149

Gogs Webhooks fail if "Prevent Cross Site Request Forgery exploits" is enabled

    XMLWordPrintable

Details

    Description

      Thanks for making a plugin to support the Gogs git self-hosting service!

      When Gogs sends a webhook, it issues a POST request with a bunch of information in JSON format. With "Prevent Cross Site Request Forgery exploits" enabled in Jenkins (which is the default for new installs of Jenkins 2.x), Gogs' webhooks are blocked because they don't have a crumb associated with them.

      Would it be possible to add a CrumbExclusion similar to the one found in the Github plugin ( https://github.com/jenkinsci/github-plugin/commit/5c2a041 )? That would allow us to leave CSRF protection enabled and still get working webhooks.

      Attachments

        Activity

          nrclark Nick Clark added a comment - - edited

          1.0.3 doesn't look like it works for me.

          Is it possible something got messed up in the 1.0.3 commit? GogsWebHookCrumbExclusion.java looks like it's an empty file.

          nrclark Nick Clark added a comment - - edited 1.0.3 doesn't look like it works for me. Is it possible something got messed up in the 1.0.3 commit? GogsWebHookCrumbExclusion.java looks like it's an empty file.

          Code changed in jenkins
          User: Alexander Verhaar
          Path:
          src/main/java/org/jenkinsci/plugins/gogs/GogsWebHookCrumbExclusion.java
          http://jenkins-ci.org/commit/gogs-webhook-plugin/c5bec4c70f1db75e535682a6c438b301555732ad
          Log:
          [FIXED JENKINS-37149] Added CSRF protection

          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Alexander Verhaar Path: src/main/java/org/jenkinsci/plugins/gogs/GogsWebHookCrumbExclusion.java http://jenkins-ci.org/commit/gogs-webhook-plugin/c5bec4c70f1db75e535682a6c438b301555732ad Log: [FIXED JENKINS-37149] Added CSRF protection
          sanderv43 sander v added a comment -

          Sorry for the inconvenience, but now it should be fixed in the repo and you can try to download version 1.0.4 from here.

          sanderv43 sander v added a comment - Sorry for the inconvenience, but now it should be fixed in the repo and you can try to download version 1.0.4 from here .
          nrclark Nick Clark added a comment -

          1.0.4 works great! Thanks for the speedy turn-around!!

          nrclark Nick Clark added a comment - 1.0.4 works great! Thanks for the speedy turn-around!!
          sanderv43 sander v added a comment -

          No problem

          sanderv43 sander v added a comment - No problem

          People

            sanderv43 sander v
            nrclark Nick Clark
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: