Block all API calls
Bee Bot, July 13, 2022 10:34 (Updated)

The content of this article has moved to the new documentation site.

Comments
2 comments

Ryan Campbell, October 06, 2016 22:18
Note that this will only block API calls which don't pass a parameter, such as the tree parameter.

Steven Christenson, September 26, 2019 15:57 (Edited)
I don't have a quibble (much) with the content, but the title is misleading. Should not be "Block all api calls" but "Restrict API Calls" or "Block SOME API Calls".
I also believe none of the supplied examples are sufficient or complete.
We have something like this:
^/((?!crumbIssuer).*/api/(python|json|xml)$|.*/api/(python|json|xml)\?depth=([456789]|[0-9][^&]))
But the above doesn't deal with the problem of a missing tree parameter.
The problem is that some items will be innocuous without the tree parameter... e.g. retrieving the results of one particular build:
/job/platform/job/admin/job/jobAndBuildCounter/1/api/json?pretty=true
But a request with a tree that also has e.g. depth=5 is able to crush Jenkins.
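A way to check what a filter pattern like the one quoted in the second comment matches before deploying it, as an added example that is not from the article or either commenter. Assumptions: the filter blocks a request when the pattern is found in the request path plus query string, Python's re stands in for the Java regex engine (the constructs used here behave the same in both), and every sample URI except the build URL quoted in the comment is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pattern quoted from the comment above, unchanged.
PATTERN = re.compile(
    r"^/((?!crumbIssuer).*/api/(python|json|xml)$"
    r"|.*/api/(python|json|xml)\?depth=([456789]|[0-9][^&]))"
)

# Constructed sample request URIs; the third is the build URL from the comment.
SAMPLES = [
    "/job/platform/api/json",
    "/crumbIssuer/api/json",
    "/job/platform/job/admin/job/jobAndBuildCounter/1/api/json?pretty=true",
    "/job/platform/api/json?depth=2",
    "/job/platform/api/json?depth=5",
    "/job/platform/api/xml?depth=10",
    "/job/platform/api/json?tree=jobs[name]&depth=5",
]


def is_blocked(uri):
    """Assumption: a request is blocked when the pattern is found in the URI."""
    return PATTERN.search(uri) is not None


def classify(uris):
    """Map each URI to True (blocked) or False (allowed)."""
    return {uri: is_blocked(uri) for uri in uris}


def uncovered_depth(uris, limit=4):
    """Return URIs whose depth parameter is >= limit but which are not blocked.

    limit=4 mirrors the lowest depth the pattern rejects ([456789]).
    """
    missed = []
    for uri in uris:
        depths = parse_qs(urlsplit(uri).query).get("depth", [])
        deep = any(d.isdigit() and int(d) >= limit for d in depths)
        if deep and not is_blocked(uri):
            missed.append(uri)
    return missed


if __name__ == "__main__":
    for uri, blocked in classify(SAMPLES).items():
        print("BLOCK" if blocked else "allow", uri)
    print("depth >= 4 but not blocked:", uncovered_depth(SAMPLES))
```

Any URI that uncovered_depth returns carries a depth the rule is meant to reject but does not match it, so the pattern needs tightening before it is relied on.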