Class CSRFExclusionImpl

  • All Implemented Interfaces:
    ExtensionPoint

    @Extension
    public class CSRFExclusionImpl
    extends CrumbExclusion
    CSRF exclusion for git-upload-pack.

    We do some basic checks to significantly limit the scope of the exclusion, but because of the dynamic nature of the URL structure, those checks cannot guarantee that only git-upload-pack requests reach it. So to further protect Jenkins, we pass through a fake HttpServletRequest that masks the values of the submission (method, query string and parameters).

    If the fake request is routed to HttpGitRepository, which is the only legitimate destination of the request, we'll unwrap this fake request and pass the real request to JGit.

    In this way, even if an attacker manages to route the request to elsewhere in Jenkins, that request will not be interpreted as a POST request.
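    The checks and masking wrapper described above, written out as an added illustrative sketch in Java. This is example code, not the plugin's own source: the class name, the attribute key used to carry the real request, the exact path and Content-Type checks, and the placeholder values returned by the wrapper are all assumptions made for the example.

    ```java
    import java.io.IOException;
    import java.util.Collections;
    import java.util.Enumeration;
    import java.util.Map;

    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletRequestWrapper;
    import javax.servlet.http.HttpServletResponse;

    import hudson.Extension;
    import hudson.security.csrf.CrumbExclusion;

    /**
     * Illustrative CrumbExclusion for git-upload-pack (example code, not the plugin's source).
     * Only a narrowly matching POST is excused from the crumb check, and even then the
     * request that continues down the filter chain is a wrapper that hides the method,
     * query string and parameters, so a misrouted request cannot act as a form POST.
     */
    @Extension
    public class MaskedUploadPackExclusion extends CrumbExclusion {

        // Attribute key under which the real request travels with the wrapper (assumed name).
        private static final String ORIGINAL_REQUEST =
                MaskedUploadPackExclusion.class.getName() + ".originalRequest";

        @Override
        public boolean process(HttpServletRequest request, HttpServletResponse response,
                               FilterChain chain) throws IOException, ServletException {
            // Basic checks that narrow the exclusion to the smart-HTTP upload-pack POST.
            // Anything else falls through (return false) to the normal crumb check.
            if (!"POST".equals(request.getMethod())) {
                return false;
            }
            String pathInfo = request.getPathInfo();
            if (pathInfo == null || !pathInfo.endsWith("/git-upload-pack")) {
                return false;
            }
            String contentType = request.getContentType();
            if (contentType == null
                    || !contentType.startsWith("application/x-git-upload-pack-request")) {
                return false;
            }

            // Hand a masked view of the request to the rest of the chain. Whatever inspects
            // it sees a non-POST with no parameters, so a handler elsewhere in Jenkins
            // cannot interpret it as a form submission even if the URL routes there.
            HttpServletRequestWrapper masked = new HttpServletRequestWrapper(request) {
                @Override public String getMethod() { return "BOGUS"; }
                @Override public String getQueryString() { return null; }
                @Override public String getParameter(String name) { return null; }
                @Override public String[] getParameterValues(String name) { return null; }
                @Override public Map<String, String[]> getParameterMap() {
                    return Collections.emptyMap();
                }
                @Override public Enumeration<String> getParameterNames() {
                    return Collections.emptyEnumeration();
                }
            };
            // Attributes are delegated to the real request, so the endpoint can recover it.
            masked.setAttribute(ORIGINAL_REQUEST, request);
            chain.doFilter(masked, response);
            return true; // chain already invoked; the crumb filter must not run it again
        }

        /**
         * Recovers the real request from the masked wrapper. Only the git smart-HTTP
         * endpoint should call this, immediately before handing the request to JGit.
         * If the request was never wrapped, it is returned unchanged.
         */
        public static HttpServletRequest unwrapRequest(HttpServletRequest req) {
            Object original = req.getAttribute(ORIGINAL_REQUEST);
            return original instanceof HttpServletRequest ? (HttpServletRequest) original : req;
        }
    }
    ```

    The design point is that the exclusion returns `true` only after it has itself invoked the filter chain with the masked wrapper, so the crumb filter never sees the request as an excused POST. The endpoint that legitimately serves upload-pack is the single place that calls `unwrapRequest` and passes the real request on to JGit; every other code path in Jenkins only ever sees the wrapper.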

    Author:
    Kohsuke Kawaguchi

    • Constructor Detail

      • CSRFExclusionImpl

        public CSRFExclusionImpl()
    • Method Detail

      • process

        public boolean process​(javax.servlet.http.HttpServletRequest request,
                               javax.servlet.http.HttpServletResponse response,
                               javax.servlet.FilterChain chain)
                        throws IOException,
                               javax.servlet.ServletException
        Specified by:
        process in class CrumbExclusion
        Throws:
        IOException
        javax.servlet.ServletException
      • unwrapRequest

        public static javax.servlet.http.HttpServletRequest unwrapRequest​(javax.servlet.http.HttpServletRequest req)
        Recovers the real request from the masking wrapper installed by process; HttpGitRepository calls this before passing the request to JGit.