Package org.jenkinsci.plugins.gitserver
Class CSRFExclusionImpl
- java.lang.Object
  - hudson.security.csrf.CrumbExclusion
    - org.jenkinsci.plugins.gitserver.CSRFExclusionImpl
- All Implemented Interfaces:
  ExtensionPoint
@Extension public class CSRFExclusionImpl extends CrumbExclusion
CSRF exclusion for git-upload-pack. We do some basic checks to significantly limit the scope of the exclusion, but because of the dynamic nature of the URL structure, this doesn't guarantee that there is no leak. So to further protect Jenkins, we pass through a fake HttpServletRequest that masks the values of the submission. If the fake request is routed to HttpGitRepository, which is the only legitimate destination of the request, we unwrap this fake request and pass the real request to JGit. In this way, even if an attacker manages to route the request elsewhere in Jenkins, that request will not be interpreted as a POST request.
- Author:
  Kohsuke Kawaguchi
Nested Class Summary
- Nested classes/interfaces inherited from interface hudson.ExtensionPoint:
  ExtensionPoint.LegacyInstancesAreScopedToHudson
Constructor Summary
- CSRFExclusionImpl()
Method Summary
- boolean process(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain)
- static javax.servlet.http.HttpServletRequest unwrapRequest(javax.servlet.http.HttpServletRequest req)
- Methods inherited from class hudson.security.csrf.CrumbExclusion:
  all
Method Detail

process
public boolean process(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
- Specified by:
  process in class CrumbExclusion
- Throws:
  IOException
  javax.servlet.ServletException

unwrapRequest
public static javax.servlet.http.HttpServletRequest unwrapRequest(javax.servlet.http.HttpServletRequest req)
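As an added illustration of the masking scheme described in the class comment and recovered by unwrapRequest, the following is example code written for this page, not the plugin's own source. The path and Content-Type checks used to narrow the exclusion, the set of masked methods, the attribute name and the class name are all assumptions; the real CSRFExclusionImpl may differ.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import hudson.Extension;
import hudson.security.csrf.CrumbExclusion;

/** Illustrative crumb exclusion for git smart-HTTP pack requests (hypothetical class). */
@Extension
public class GitPackCrumbExclusionExample extends CrumbExclusion {
    // Request attribute carrying the real request to HttpGitRepository (assumed name).
    private static final String ORIGINAL =
            GitPackCrumbExclusionExample.class.getName() + ".original";

    @Override
    public boolean process(HttpServletRequest req, HttpServletResponse rsp, FilterChain chain)
            throws IOException, ServletException {
        // Basic scope checks (assumed): only git pack POSTs with a git content type qualify.
        String path = req.getPathInfo();
        String ct = req.getContentType();
        if (path == null || ct == null) return false;
        if (!(path.endsWith("/git-upload-pack") || path.endsWith("/git-receive-pack"))) return false;
        if (!ct.startsWith("application/x-git-")) return false;

        // Mask the submission: any other Jenkins handler sees a parameter-less GET.
        HttpServletRequest masked = new HttpServletRequestWrapper(req) {
            @Override public String getMethod() { return "GET"; }
            @Override public String getQueryString() { return null; }
            @Override public String getParameter(String name) { return null; }
            @Override public String[] getParameterValues(String name) { return null; }
            @Override public Map<String, String[]> getParameterMap() { return Collections.emptyMap(); }
            @Override public Enumeration<String> getParameterNames() { return Collections.emptyEnumeration(); }
        };
        masked.setAttribute(ORIGINAL, req); // stored on the underlying request via the wrapper
        chain.doFilter(masked, rsp);        // continue the chain without the crumb check
        return true;                        // this exclusion handled the request
    }

    /** Recover the real request; returns the input unchanged if it was never masked. */
    public static HttpServletRequest unwrapRequest(HttpServletRequest req) {
        Object original = req.getAttribute(ORIGINAL);
        return original instanceof HttpServletRequest ? (HttpServletRequest) original : req;
    }
}
```

Only the legitimate git endpoint calls unwrapRequest before handing the request to JGit; every other destination receives the masked GET, so a misrouted request cannot act as a crumb-less POST.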