Block all api calls

Issue

  • Block all api calls

Environment

  • CloudBees Jenkins Enterprise
  • CloudBees Jenkins Operations Center

Resolution

Install the CloudBees Request Filter Plugin and add one of the following rules in Manage Jenkins > Configure System to get the desired behavior:

Block all API requests except those that use the tree parameter (Recommended)

.*/api/\w+(?!.+tree=.+).*

Block all API requests that do not use parameters

.*\/api\/(python|json|xml)

Block all API requests, including those that use the tree and depth parameters

.*\/api\/(python|json|xml).*
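To see what each rule actually rejects before deploying it, the following added script (not part of the article or the plugin) evaluates the three patterns above against a set of constructed request paths. It assumes the filter applies a rule as a whole-string match (like Java's Matcher.matches()); the sample paths are invented for illustration.

```python
import re

# The three rules exactly as given in the Resolution section.
RULES = {
    "no-tree":   r".*/api/\w+(?!.+tree=.+).*",          # recommended rule
    "no-params": r".*\/api\/(python|json|xml)",          # bare /api/<format> only
    "all-api":   r".*\/api\/(python|json|xml).*",        # everything under /api/
}

# Constructed sample request paths, query string included, as the filter would see them.
SAMPLES = [
    "/job/demo/api/json",
    "/job/demo/api/json?pretty=true",
    "/job/demo/api/json?tree=builds[number]",
    "/job/demo/api/json?tree=builds[number]&depth=5",
    "/job/demo/api/xml?depth=5",
    "/job/demo/1/consoleText",
]


def blocked(rule: str, path: str) -> bool:
    """Return True if the named rule rejects the request path.

    Assumption (not stated on the page): the plugin matches the whole
    request string, as Java's Matcher.matches() does. Under search
    semantics the 'no-params' rule would also catch requests that carry
    a query string, so check the plugin's behaviour before relying on it.
    """
    return re.fullmatch(RULES[rule], path) is not None


def matrix() -> dict:
    """Map every sample path to a {rule_name: blocked?} dict."""
    return {path: {name: blocked(name, path) for name in RULES} for path in SAMPLES}


if __name__ == "__main__":
    # Print a block/allow table for each rule.
    for path, verdicts in matrix().items():
        flags = "  ".join(f"{n}={'BLOCK' if v else 'allow'}" for n, v in verdicts.items())
        print(f"{path:50} {flags}")
```

Note in the output that the recommended rule lets any request carrying tree= through, whatever its depth= value, which is the gap the comments below point out.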

2 Comments

  • Ryan Campbell

    Note that this will only block API calls which don't pass a parameter, such as the tree parameter.

  • Steven Christenson

    I don't have a quibble (much) with the content, but the title is misleading. It should not be "Block all api calls" but "Restrict API Calls" or "Block SOME API Calls".

    I also believe none of the supplied examples are sufficient or complete.

    We have something like this:

    ^/((?!crumbIssuer).*/api/(python|json|xml)$|.*/api/(python|json|xml)\?depth=([456789]|[0-9][^&]))

    But the above doesn't deal with the problem of a missing tree parameter.

    The problem is that some items will be innocuous without the tree parameter... e.g. retrieving the results of one particular build:

    /job/platform/job/admin/job/jobAndBuildCounter/1/api/json?pretty=true

    But a request with a tree that also has e.g. depth=5 is able to crush Jenkins.

    Edited by Steven Christenson