
Block all API calls

Comments

2 comments

  • Ryan Campbell

    Note that this will only block API calls which don't pass a parameter, such as the tree parameter.

    0
  • Steven Christenson

    I don't have a quibble (much) with the content, but the title is misleading. Should not be "Block all API calls" but "Restrict API Calls" or "Block SOME API Calls".

    I also believe none of the supplied examples are sufficient or complete.

    We have something like this:

    ^/((?!crumbIssuer).*/api/(python|json|xml)$|.*/api/(python|json|xml)\?depth=([456789]|[0-9][^&]))

    But the above doesn't deal with the problem of a missing tree parameter.

    The problem is that some items will be innocuous without the tree parameter... e.g. retrieving the results of one particular build:

    /job/platform/job/admin/job/jobAndBuildCounter/1/api/json?pretty=true

    But a request with a tree that also has e.g. depth=5 is able to crush Jenkins.

    0
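
The two comments above, as an added example (not code from either commenter or from CloudBees): it runs the posted pattern over request URIs and, next to it, reads `depth` and `tree` from the parsed query string so that the missing-`tree` case is reported as well. The `findings` function, its flag names, `MAX_DEPTH = 3` and every sample URI except the one quoted in the comment are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pattern exactly as posted in the comment above.
POSTED = re.compile(
    r"^/((?!crumbIssuer).*/api/(python|json|xml)$"
    r"|.*/api/(python|json|xml)\?depth=([456789]|[0-9][^&]))"
)
API_PATH = re.compile(r"/api/(python|json|xml)$")
MAX_DEPTH = 3  # assumption: mirrors the posted pattern, which rejects depth 4 and up


def posted_rule_matches(uri: str) -> bool:
    """True when the posted pattern would block this request URI."""
    return POSTED.search(uri) is not None


def findings(uri: str) -> list[str]:
    """Flags for a remote-API request, read from the parsed query string."""
    parts = urlsplit(uri)
    if not API_PATH.search(parts.path) or parts.path.startswith("/crumbIssuer"):
        return []  # not an API endpoint, or the exempt crumb issuer
    params = parse_qs(parts.query, keep_blank_values=True)
    flags = []
    if not params:
        flags.append("no-params")       # same case as the pattern's first branch
    if "tree" not in params:
        flags.append("no-tree")         # the case the comment says is not handled
    for value in params.get("depth", []):
        if not value.isdigit():
            flags.append("bad-depth")
        elif int(value) > MAX_DEPTH:
            flags.append("depth-too-high")
    return flags


# Constructed sample URIs; the second one is quoted from the comment above.
SAMPLES = [
    "/job/platform/api/json",
    "/job/platform/job/admin/job/jobAndBuildCounter/1/api/json?pretty=true",
    "/job/platform/api/json?depth=5",
    "/job/platform/api/json?tree=name,color&depth=5",
    "/crumbIssuer/api/json",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{posted_rule_matches(uri)!s:5}  {findings(uri)}  {uri}")
```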
