      request #9499 Git Jenkins webhook: POST on /git/notifyCommit might be blocked
    Infos
    #9499
    Thomas de Grenier de Latour (thomasgl)
    2017-12-23 22:33
    2016-09-16 10:50
    9767
    Details
    Git Jenkins webhook: POST on /git/notifyCommit might be blocked
    When the (optional) CSRF protection is enabled in a Jenkins instance, POST requests as issued by the Tuleap Jenkins webhook on "/git/notifyCommit" are denied (error 403 with a "No valid crumb was included in the request"). As an easy workaround, doing a GET request instead works just as well for notifying Jenkins of a Git commit, and this verb will not be blocked by the CSRF protection filter. So I suggest you change the way your Jenkins webhook makes its notification request (drop the CURLOPT_POST curl option in function "pushGitNotifications" of "plugins/hudson_git/include/HudsonGit/Hook/JenkinsClient.php" - well, I assume it would be enough, but I know nothing about PHP...)
    SCM/Git
    8.18
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2017-12-23
    Attachments
    Empty
    References

    Follow-ups

    Thomas Gerbet (tgerbet)2017-12-23 22:33
    Hello,

    This is (finally) fixed by request #10892, all POST requests made by the continuous integration plugins of Tuleap now send a CSRF crumb.

    • Status changed from New to Closed
    • Close date set to 2017-12-23
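    As an added illustration of the crumb-based fix mentioned above (this is not Tuleap's JenkinsClient.php nor the code of request #10892), the client below fetches a crumb from Jenkins' crumb issuer and sends it as a header on the POST to /git/notifyCommit, so the repository URL and branch names stay in the form body rather than the query string. Host names and the crumb JSON are constructed placeholders.

```python
"""Notify Jenkins' Git plugin of a push over POST while honouring its CSRF crumb.

Illustrative client, not Tuleap's JenkinsClient.php. Host names and the
crumb JSON used in any test are constructed placeholders.
"""
import http.cookiejar
import json
import urllib.parse
import urllib.request

CRUMB_PATH = "/crumbIssuer/api/json"   # Jenkins' crumb issuer endpoint
NOTIFY_PATH = "/git/notifyCommit"      # Git plugin notification endpoint


def parse_crumb(body):
    """Return (header name, crumb value) from the crumb issuer's JSON reply."""
    data = json.loads(body)
    return data["crumbRequestField"], data["crumb"]


def build_notify_request(jenkins_url, repo_url, branches, crumb):
    """Build the POST; the form body keeps repo URL and branch names out of the query string."""
    field, value = crumb
    params = {"url": repo_url}
    if branches:
        params["branches"] = ",".join(branches)
    body = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(jenkins_url.rstrip("/") + NOTIFY_PATH, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header(field, value)  # e.g. Jenkins-Crumb: <crumb>; this is what the CSRF filter checks
    return req


def notify_jenkins(jenkins_url, repo_url, branches=()):
    """Fetch a crumb, then POST the notification within the same HTTP session."""
    # Recent Jenkins versions bind a crumb to the session that requested it, so a
    # cookie jar is shared between the two requests; without it the POST can still
    # fail 403 with "No valid crumb was included in the request".
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    with opener.open(jenkins_url.rstrip("/") + CRUMB_PATH) as resp:
        crumb = parse_crumb(resp.read())
    with opener.open(build_notify_request(jenkins_url, repo_url, branches, crumb)) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder hosts; replace with a real Jenkins instance and repository URL.
    print(notify_jenkins("https://jenkins.example", "https://tuleap.example/plugins/git/proj/repo.git", ["master"]))
```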

    We prefer to do POST in order to:
    1. not exceed the GET URL size limitation
    2. not leak information (we don't want to expose the names of branches in the GET request, for example)

    Security is preferable to simplicity ;)

    > Actually Tuleap should send a CSRF protection token in order to prevent this issue.

    That would work too, sure. But I don't really see the point of the extra complexity. GET requests work just fine on this URL, and that's indeed what is "documented" in the Git plugin wiki page (see their example usage of curl in a hooks/post-receive file). And I doubt it will stop working anytime soon, because it would break the many notification hook implementations which have been around for years.
    Actually, I'm pretty sure the only reason why there is no CrumbExclusion in Jenkins for this notifyCommit URL (i.e., why "it's not whitelisted") is that everybody has always been using GET requests, thus the CSRF filter is usually not interfering.