Problems with CSRF protection in Jenkins 2.85

Jost, Martin (NSN - DE/Ulm)
Hello,

after the update to Jenkins 2.85, CI now "complains":
"You have not configured the CSRF issuer. This could be a security issue. For more information, please refer to this page.
You can change the current configuration using the Security section CSRF Protection."

So I tried to enable the CSRF protection. But now I fail to get my 'wget'-calls to the API to work with it.

How do I need to hand the crumb (in what format) to a wget call to e.g. upload a job file to my CI ?

Here is what I tried:
# get the crumb
> wget http://ullteb105.emea.nsn-net.net:9999/crumbIssuer/api/xml -o out --output-document ooooo --user="random" --password="foobar"
> less ooooo
<defaultCrumbIssuer _class='hudson.security.csrf.DefaultCrumbIssuer'><crumb>1dd7db5ac04440f3c6f2e0b007d9afdb</crumb><crumbRequestField>Jenkins-Crumb</crumbRequestField></defaultCrumbIssuer>

# user/password + crumb as "Jenkins-Crumb" -> No valid crumb
> /usr/bin/wget --auth-no-challenge --no-proxy --user="random" --password="foobar" http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml --post-file=encoded/PHY_TX----trunk--build.xml --header="Jenkins-Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
--2017-10-30 14:59:55--  http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
HTTP request sent, awaiting response... 403 No valid crumb was included in the request
2017-10-30 14:59:55 ERROR 403: No valid crumb was included in the request.

# No password; just the crumb -> forbidden (ok, obvious)
> /usr/bin/wget --auth-no-challenge --no-proxy --user="random" http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml --post-file=encoded/PHY_TX----trunk--build.xml --header="Jenkins-Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
--2017-10-30 15:18:54--  http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
HTTP request sent, awaiting response... 403 Forbidden
2017-10-30 15:18:54 ERROR 403: Forbidden.

# No user/password; just the crumb -> forbidden (ok, obvious)
> /usr/bin/wget --auth-no-challenge --no-proxy http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml --post-file=encoded/PHY_TX----trunk--build.xml --header="Jenkins-Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
--2017-10-30 15:19:06--  http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
HTTP request sent, awaiting response... 403 Forbidden
2017-10-30 15:19:06 ERROR 403: Forbidden.

# user/password + crumb as "Crumb" -> No valid crumb
> /usr/bin/wget --auth-no-challenge --no-proxy --user="random" --password="foobar" http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml --post-file=encoded/PHY_TX----trunk--build.xml --header="Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
--2017-10-30 15:19:19--  http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
HTTP request sent, awaiting response... 403 No valid crumb was included in the request
2017-10-30 15:19:19 ERROR 403: No valid crumb was included in the request.

# same, but 'crumb'
> /usr/bin/wget --auth-no-challenge --no-proxy --user="random" --password="foobar" http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml --post-file=encoded/PHY_TX----trunk--build.xml --header="crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
--2017-10-30 15:19:24--  http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
HTTP request sent, awaiting response... 403 No valid crumb was included in the request
2017-10-30 15:19:24 ERROR 403: No valid crumb was included in the request.

# same, but '.crumb'
> /usr/bin/wget --auth-no-challenge --no-proxy --user="random" --password="foobar" http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml --post-file=encoded/PHY_TX----trunk--build.xml --header=".crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
--2017-10-30 15:19:30--  http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
HTTP request sent, awaiting response... 403 No valid crumb was included in the request
2017-10-30 15:19:30 ERROR 403: No valid crumb was included in the request.

> wget --output-document ooooo --user="random" --password="foobar"  'http://ullteb105.emea.nsn-net.net:9999/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'
--2017-10-30 15:28:52--  http://ullteb105.emea.nsn-net.net:9999/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,%22:%22,//crumb)
Resolving ullteb105.emea.nsn-net.net... 10.159.34.240
Connecting to ullteb105.emea.nsn-net.net|10.159.34.240|:9999... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46 [text/plain]
Saving to: ooooo
100%[==========================================================================================================================================>] 46          --.-K/s   in 0s
2017-10-30 15:28:52 (8.47 MB/s) - ooooo saved [46/46]

> less ooooo
Jenkins-Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb

# ok, so it is Jenkins-Crumb ?
# And the crumb itself stayed the same, so it is no timing issue (so far)
# I think I understood the crumb is an MD5 over user + password + some salt

# ok, then "Jenkins-Crumb" - no luck either
> /usr/bin/wget --auth-no-challenge --no-proxy --user="random" --password="foobar" http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml --post-file=encoded/PHY_TX----trunk--build.xml --header="Jenkins-Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
--2017-10-30 15:29:37--  http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
HTTP request sent, awaiting response... 403 No valid crumb was included in the request
2017-10-30 15:29:37 ERROR 403: No valid crumb was included in the request.

Regards

Martin
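
An added example (not code from the original post, and not Jenkins' own tooling) of how the two wget calls above can be made to work together. It assumes Jenkins' DefaultCrumbIssuer binds each crumb to the HTTP session that requested it: every wget invocation in the transcript starts a fresh session, so the crumb fetched by the first call is not valid in the session opened by the second. The script therefore saves the session cookie when fetching the crumb and loads it again when posting. It also uses a single instance for both steps (the transcript fetches the crumb from ullteb105 and posts to ullteb106), since a crumb is only meaningful to the instance that issued it. The URL, user name, token, cookie-jar path and job/file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes Jenkins' DefaultCrumbIssuer
# binds each crumb to the HTTP session that requested it, so the crumb must be
# sent back inside that same session: wget has to save the JSESSIONID cookie when
# fetching the crumb and load it again when posting. All URLs, user names,
# tokens and file names below are placeholders.
set -eu

JENKINS_URL="${JENKINS_URL:-http://jenkins.example.org:9999}"   # placeholder instance
JENKINS_USER="${JENKINS_USER:-random}"                           # placeholder user
JENKINS_TOKEN="${JENKINS_TOKEN:-foobar}"                         # use an API token, not the login password
COOKIE_JAR="${COOKIE_JAR:-${TMPDIR:-/tmp}/jenkins-session-cookies.txt}"

# Turn the crumbIssuer XML on stdin into a ready-made "Field:value" header.
# Pure text processing: the two elements are extracted independently, so
# their order in the XML does not matter. Fails if either is missing.
crumb_header_from_xml() {
    xml=$(cat)
    field=$(printf '%s' "$xml" | sed -n 's|.*<crumbRequestField>\([^<]*\)</crumbRequestField>.*|\1|p')
    crumb=$(printf '%s' "$xml" | sed -n 's|.*<crumb>\([^<]*\)</crumb>.*|\1|p')
    [ -n "$field" ] && [ -n "$crumb" ] || return 1
    printf '%s:%s\n' "$field" "$crumb"
}

# Step 1: ask the crumb issuer and persist the session cookie it sets.
# --keep-session-cookies is needed because JSESSIONID has no expiry and
# wget would otherwise leave it out of the jar.
jenkins_fetch_crumb_header() {
    wget -q -O - \
        --auth-no-challenge --user="$JENKINS_USER" --password="$JENKINS_TOKEN" \
        --save-cookies "$COOKIE_JAR" --keep-session-cookies \
        "$JENKINS_URL/crumbIssuer/api/xml" | crumb_header_from_xml
}

# Step 2: replay the cookie and the crumb together when posting the job config.
# Content-Type is set explicitly so the XML body is not treated as form data.
jenkins_post_config() {
    job="$1"; config_file="$2"
    header=$(jenkins_fetch_crumb_header)
    wget -q -O - \
        --auth-no-challenge --user="$JENKINS_USER" --password="$JENKINS_TOKEN" \
        --load-cookies "$COOKIE_JAR" \
        --header="$header" \
        --header="Content-Type: application/xml" \
        --post-file="$config_file" \
        "$JENKINS_URL/job/$job/config.xml"
}

# Usage (placeholders): JENKINS_JOB=PHY_TX----trunk--build JENKINS_CONFIG=encoded/PHY_TX----trunk--build.xml sh jenkins-crumb-post.sh
if [ -n "${JENKINS_JOB:-}" ] && [ -n "${JENKINS_CONFIG:-}" ]; then
    jenkins_post_config "$JENKINS_JOB" "$JENKINS_CONFIG"
fi
```

Two caveats when using this against a real instance: if the requests pass through a reverse proxy, the crumb issuer by default also folds the client IP into the crumb, and the "Enable proxy compatibility" option in the CSRF Protection section has to be turned on for the replayed crumb to match; and authenticating with a per-user API token rather than the login password is the better choice for scripted calls anyway (newer Jenkins releases, from 2.96 on, no longer require a crumb at all for requests authenticated with an API token, but 2.85 still does).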

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/051b10e4-22e3-4e7d-b584-bcd753ff4a16%40googlegroups.com.