How to properly use Jenkins crumbs in an HTML form

Question


I am working on a Jenkins plugin that uses an HTML form on a page that's generated using Jelly and Stapler requests. After upgrading to a newer version of Jenkins, POSTs from this form stopped working, giving me the following 403 error from Jenkins:

HTTP ERROR 403 No valid crumb was included in the request
URI:	/job/Watchr_Sandbox/performanceReports/
STATUS:	403
MESSAGE:	No valid crumb was included in the request
SERVLET:	Stapler

I've done a lot of research on the recent CSRF security improvement to Jenkins that seems to be at the root of this problem, and I've read a lot of other Stack Overflow solutions to this problem (this one seems to be closest), but I haven't found any examples that are exactly like my situation.

Essentially, I would like the form's POST to include Jenkins crumb information. Right now, I'm trying to solve this by including the crumb information as hidden form values, but I don't know if I'm acquiring the Jenkins crumb the correct way, or if I'm even approaching this problem correctly.

.jelly file

<j:jelly xmlns:j="jelly:core" xmlns:g="glide" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:test="/lib/hudson/test" xmlns:f="/lib/form" xmlns:i="jelly:fmt" xmlns:RP="jelly:RP">

  <l:layout title="Performance Reports">
    <st:include page="sidepanel.jelly" it="${it.getOwner()}" />
    <l:main-panel>
        <j:out value="${it.createHtml()}"/>
    </l:main-panel>

  </l:layout>
</j:jelly>

Java code

import org.kohsuke.stapler.CrumbIssuer;
import org.kohsuke.stapler.Stapler;
import hudson.Functions;

public String createHtml() {
    StringBuilder sb = new StringBuilder();
    // Crumb issued for the current Stapler request, and the request field name
    // the configured crumb issuer expects the crumb to be sent under.
    String crumb = Functions.getCrumb(Stapler.getCurrentRequest());
    String crumbRequestField = Functions.getCrumbRequestField();

    sb.append("<form method=\"post\" autocomplete=\"off\"");

    // ...

    // Hidden field carrying the crumb value
    sb.append("<input type=\"hidden\"");
    sb.append(" id=\"crumb\"");
    sb.append(" name=\"crumb\"");
    sb.append(" value=\"").append(crumb).append("\"");
    sb.append("/>");

    // Hidden field carrying the name of the crumb request field
    sb.append("<input type=\"hidden\"");
    sb.append(" id=\"crumbRequestField\"");
    sb.append(" name=\"crumbRequestField\"");
    sb.append(" value=\"").append(crumbRequestField).append("\"");
    sb.append("/>");

    // ...

    sb.append("</form>");

    return sb.toString();
}

Answer 1

Score: 0


Finally found the answer, thanks to this other question:
https://stackoverflow.com/questions/56983333/jenkins-stapler-requests-fail-with-no-valid-crumb?rq=1

> The problem was that for some reason, the name of the crumb header appended to the requests by default is actually wrong. It's Crumb as shown in the screenshot in my question, but it actually should be Jenkins-Crumb or .crumb for older versions of Jenkins.

So in my case, I simply needed to change the code to use "Jenkins-Crumb" instead of "crumb", and it worked perfectly:

    sb.append("<input type=\"hidden\"");
    sb.append(" id=\"Jenkins-Crumb\"");
    sb.append(" name=\"Jenkins-Crumb\"");
    sb.append(" value=\"").append(crumb).append("\"");
    sb.append("/>");
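
An added example, not code from the question or the answer, that generalizes the fix: instead of hard-coding "Jenkins-Crumb", it uses the issuer's configured request field name (the value the question already fetches with Functions.getCrumbRequestField()) as the hidden input's name attribute, which is the parameter name Jenkins' CrumbFilter looks up on POST, and HTML-escapes both values. The Jenkins calls are only named in comments so the class compiles on its own; the values in main are constructed samples.

```java
import java.util.Objects;

/** Renders the CSRF crumb as a hidden input whose name is the issuer's configured field name. */
public final class CrumbFormHtml {

    /** Minimal HTML attribute escaping so neither value can terminate the attribute it sits in. */
    static String attr(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * The hidden field Jenkins' CrumbFilter consults. Its NAME must be the issuer's
     * request field ("Jenkins-Crumb" on current Jenkins, ".crumb" on older releases),
     * which a plugin obtains with hudson.Functions.getCrumbRequestField(); its VALUE
     * is the crumb from hudson.Functions.getCrumb(Stapler.getCurrentRequest()).
     * A field literally named "crumb", as in the question, is never looked at.
     */
    static String hiddenCrumbInput(String crumbRequestField, String crumb) {
        Objects.requireNonNull(crumbRequestField, "crumb request field");
        Objects.requireNonNull(crumb, "crumb");
        return "<input type=\"hidden\" name=\"" + attr(crumbRequestField)
             + "\" value=\"" + attr(crumb) + "\"/>";
    }

    /** Same shape as the question's createHtml(), with the two Jenkins-supplied values passed in. */
    static String createHtml(String crumbRequestField, String crumb) {
        return "<form method=\"post\" autocomplete=\"off\">"
             + hiddenCrumbInput(crumbRequestField, crumb)
             + "<input type=\"submit\" value=\"Save\"/>"
             + "</form>";
    }

    public static void main(String[] args) {
        // Constructed sample values; inside the plugin they come from hudson.Functions.
        System.out.println(createHtml("Jenkins-Crumb", "0123abcd-constructed-crumb"));
    }
}
```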

huangapple
  • Posted on October 6, 2020 23:13:23
  • Please keep this link when reposting: https://go.coder-hub.com/64228719.html