CSRF protection prevents a plugin from working

Issue

  • A webhook or a plugin is not working properly. You get a 403 HTTP error page containing HTTP Status 403 - No valid crumb was included in the request

  • CLI/OPE fails to connect with this error message:

Exception in thread "main" java.net.SocketTimeoutException: connect timed out
	at java.net.PlainSocketImpl.socketConnect(Native Method)
	at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
	at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
	at java.net.Socket.connect(Socket.java:589)
	at hudson.cli.CLI.connectViaCliPort(CLI.java:208)
	at hudson.cli.CLI.<init>(CLI.java:126)
	at hudson.cli.CLIConnectionFactory.connect(CLIConnectionFactory.java:72)
	at hudson.cli.CLI._main(CLI.java:471)
	at hudson.cli.CLI.main(CLI.java:387)
	Suppressed: java.io.IOException: Server returned HTTP response code: 403 for URL: https://YOUR_INSTANCE.ci.cloudbees.com/cli
		at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840)
		at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
		at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
		at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:78)
		at hudson.cli.CLI.connectViaHttp(CLI.java:156)
		at hudson.cli.CLI.<init>(CLI.java:130)
		... 3 more
  • an API call using POST fails with a 403 HTTP error page containing HTTP Status 403 - No valid crumb was included in the request

Environment

Resolution

Cross-Site Request Forgery protection is enabled on DEV@cloud and can trigger these issues.

For API calls using POST, please look at the CSRF section of the remote access API wiki page. It explains how to generate the crumb required to POST an API request.

If a plugin is not compatible with CSRF protection, we can temporarily disable CSRF protection on your instance until a fix is published. This can only be a temporary measure, as CSRF protection is very important for your security.

Please open a support case if you encounter such an issue.

Sample to use curl to access REST APIs protected by CSRF

When you make a POST request, you have to send the CSRF protection token (the "crumb") as an HTTP request header.

For curl/wget you can obtain the header needed in the request from the URL https://INSTANCE.ci.cloudbees.com/crumbIssuer/api/xml (or …/api/json). Something like this:

curl -u "USERNAME:APITOKEN" 'https://INSTANCE.ci.cloudbees.com/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'

USERNAME (your account email) and APITOKEN can be found on the page https://INSTANCE.ci.cloudbees.com/me/configure

This prints something like .crumb:1234abcd, which you add to the subsequent POST requests with curl's -H option. For example, to launch a build of job MY_JOB:

curl -X POST -u "USERNAME:APITOKEN" -H ".crumb:1234abcd" https://INSTANCE.ci.cloudbees.com/job/MY_JOB/build

In a shell script you will probably store the token in a variable, like this:

#!/bin/bash -eu
USERNAME=someone@somewhere.com
APITOKEN=1234567890
INSTANCE=foo
JOB=MY_JOB
# Ask the crumb issuer for "field:value" in the exact form curl's -H option expects
token=$(curl -u "${USERNAME}:${APITOKEN}" "https://${INSTANCE}.ci.cloudbees.com/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,':',//crumb)")
# Send the crumb as a request header on the POST
curl -X POST -u "${USERNAME}:${APITOKEN}" -H "${token}" https://${INSTANCE}.ci.cloudbees.com/job/${JOB}/build
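The script above does not check whether the crumb request succeeded, so a failed crumb fetch produces a second, confusing 403 on the POST. The following is an added example, not code from the original page or from CloudBees: it parses the crumbIssuer's JSON form (the sample body is constructed, not a captured response), distinguishes a rejected crumb from a bad credential, and shares one curl cookie jar between the crumb request and the POST. The cookie jar matters on newer Jenkins releases, which bind the crumb to the web session that requested it; on such servers a crumb fetched without a session cookie is rejected with the same "No valid crumb" page. The instance URL, job name and the JENKINS_* environment variables are placeholders.

```shell
#!/bin/bash -eu
# Added example (not from the original page). Constructed sample body in the
# shape crumbIssuer/api/json returns; the crumb value is made up.
SAMPLE_CRUMB_JSON='{"_class":"hudson.security.csrf.DefaultCrumbIssuer","crumb":"1234abcd","crumbRequestField":".crumb"}'

# Turn a crumbIssuer/api/json body into "field:value" for curl's -H option.
# Plain sed so it works where jq is not installed. Returns 1 if either part
# is missing (e.g. CSRF protection is disabled and the endpoint answers 404).
crumb_header_from_json() {
  body="$1"
  field=$(printf '%s' "$body" | sed -n 's/.*"crumbRequestField" *: *"\([^"]*\)".*/\1/p')
  value=$(printf '%s' "$body" | sed -n 's/.*"crumb" *: *"\([^"]*\)".*/\1/p')
  if [ -z "$field" ] || [ -z "$value" ]; then
    return 1
  fi
  printf '%s:%s\n' "$field" "$value"
}

# Classify a POST outcome so a script can tell a missing/stale crumb
# (403 with the "No valid crumb" page) from bad credentials (401).
classify_post_failure() {
  status="$1"
  body="$2"
  case "$status" in
    2*) echo ok ;;
    401) echo bad-credentials ;;
    403)
      if printf '%s' "$body" | grep -q 'No valid crumb'; then
        echo crumb-rejected
      else
        echo forbidden
      fi ;;
    *) echo "http-$status" ;;
  esac
}

# Fetch a crumb and trigger a build, reusing one cookie jar (-c then -b) so the
# POST carries the session the crumb was issued under.
# Usage: trigger_build https://INSTANCE.ci.cloudbees.com MY_JOB "USERNAME:APITOKEN"
trigger_build() {
  base="$1"
  job="$2"
  auth="$3"
  jar=$(mktemp)
  resp=$(mktemp)
  body=$(curl -sS -u "$auth" -c "$jar" "${base}/crumbIssuer/api/json")
  if ! header=$(crumb_header_from_json "$body"); then
    echo "crumbIssuer did not return a crumb (is CSRF protection enabled?)" >&2
    rm -f "$jar" "$resp"
    return 1
  fi
  status=$(curl -sS -o "$resp" -w '%{http_code}' -X POST -u "$auth" -b "$jar" \
    -H "$header" "${base}/job/${job}/build")
  result=$(classify_post_failure "$status" "$(cat "$resp")")
  rm -f "$jar" "$resp"
  echo "$result"
  [ "$result" = ok ]
}

# Offline demonstration on the constructed sample: prints ".crumb:1234abcd".
crumb_header_from_json "$SAMPLE_CRUMB_JSON"

# Network part runs only when the placeholder environment variables are set.
if [ -n "${JENKINS_URL:-}" ] && [ -n "${JENKINS_JOB:-}" ] && [ -n "${JENKINS_AUTH:-}" ]; then
  trigger_build "$JENKINS_URL" "$JENKINS_JOB" "$JENKINS_AUTH"
fi
```

Passing "USERNAME:APITOKEN" with -u exposes the token to every local user through the process list; for unattended scripts prefer curl's -n (.netrc) option so the credential never appears on a command line.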