Package org.jenkinsci.plugins.gitserver
Class CSRFExclusionImpl
java.lang.Object
hudson.security.csrf.CrumbExclusion
org.jenkinsci.plugins.gitserver.CSRFExclusionImpl
All Implemented Interfaces: ExtensionPoint
CSRF exclusion for git-upload-pack.

We do some basic checks to significantly limit the scope of the exclusion, but because of the dynamic nature of the URL structure, this does not guarantee that there is no leak. So, to further protect Jenkins, we pass through a fake HttpServletRequest that masks the values of the submission. If the fake request is routed to HttpGitRepository, which is the only legitimate destination of the request, we unwrap this fake request and pass the real request to JGit. In this way, even if an attacker manages to route the request elsewhere in Jenkins, that request will not be interpreted as a POST request.
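The masking technique described above, as an added illustration that is not the plugin's own source: a request wrapper hides the HTTP method and every submitted value from any handler it reaches, and only the git endpoint knows how to recover the real request. The class name, the attribute key used to stash the original request, and the path check are assumptions.

```java
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Map;

/** Illustrative sketch of the masking idea; not the git-server plugin's source. */
public class MaskingCrumbExclusionExample {
    // Hypothetical attribute key under which the real request is stashed (assumption).
    private static final String ORIGINAL_REQUEST = "example.originalRequest";

    /** Wraps the request so that nothing downstream can read it as a POST submission. */
    static HttpServletRequest mask(final HttpServletRequest real) {
        HttpServletRequestWrapper masked = new HttpServletRequestWrapper(real) {
            // A non-POST method: crumb-protected handlers will not treat this as a form submission.
            @Override public String getMethod() { return "BOGUS"; }
            // Hide every submitted value from any handler other than the git endpoint.
            @Override public String getParameter(String name) { return null; }
            @Override public Map<String, String[]> getParameterMap() { return Collections.emptyMap(); }
            @Override public Enumeration<String> getParameterNames() { return Collections.emptyEnumeration(); }
            @Override public String[] getParameterValues(String name) { return null; }
            @Override public String getQueryString() { return null; }
        };
        // setAttribute delegates to the real request, so getAttribute on the wrapper finds it again.
        masked.setAttribute(ORIGINAL_REQUEST, real);
        return masked;
    }

    /** Called only by the git endpoint to recover the real request before handing it to JGit. */
    static HttpServletRequest unwrap(HttpServletRequest req) {
        Object original = req.getAttribute(ORIGINAL_REQUEST);
        // If the request was never masked (not routed through the exclusion), use it unchanged.
        return original instanceof HttpServletRequest ? (HttpServletRequest) original : req;
    }

    /** Shape of the exclusion: narrow by method and path first, then continue the chain masked. */
    static boolean process(HttpServletRequest req, HttpServletResponse rsp, FilterChain chain)
            throws IOException, ServletException {
        if (!"POST".equals(req.getMethod())) return false;            // only POSTs need a crumb
        String path = req.getPathInfo();
        if (path == null || !path.endsWith("/git-upload-pack")) return false; // path check is an assumption
        chain.doFilter(mask(req), rsp);                                // skip the crumb check, but masked
        return true;                                                   // true = exclusion applied
    }
}
```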
Author: Kohsuke Kawaguchi
Nested Class Summary
Nested classes/interfaces inherited from interface hudson.ExtensionPoint: ExtensionPoint.LegacyInstancesAreScopedToHudson

Constructor Summary
CSRFExclusionImpl()
Method Summary
Modifier and Type / Method / Description
boolean process(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain)
static javax.servlet.http.HttpServletRequest unwrapRequest(javax.servlet.http.HttpServletRequest req)
Methods inherited from class hudson.security.csrf.CrumbExclusion: all
Constructor Details
CSRFExclusionImpl
public CSRFExclusionImpl()
Method Details
process
public boolean process(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
Specified by: process in class CrumbExclusion
Throws: IOException, javax.servlet.ServletException

unwrapRequest
public static javax.servlet.http.HttpServletRequest unwrapRequest(javax.servlet.http.HttpServletRequest req)