Adds a CrumbExclusion for the GitHub WebHook page

lukegb · lukegb · commit 5c2a04169171 · 2013-10-24T17:37:42.000+01:00
The GitHub webhook endpoint should not be protected by the CSRF protection
built into Jenkins. This commit adds a CrumbExclusion filter so that the endpoint
created by c.c.j.GitHubWebHook is not protected using the CSRF crumb protection scheme.

Bumps Jenkins API version minimum amount required for CrumbExclusion.
diff --git a/pom.xml b/pom.xml
@@ -3,7 +3,7 @@
   <parent>
     <groupId>org.jenkins-ci.plugins</groupId>
     <artifactId>plugin</artifactId>
-    <version>1.445</version>
+    <version>1.448</version>
   </parent>
 
   <groupId>com.coravy.hudson.plugins.github</groupId>
diff --git a/src/main/java/com/cloudbees/jenkins/GitHubWebHook.java b/src/main/java/com/cloudbees/jenkins/GitHubWebHook.java
@@ -37,6 +37,7 @@
 @Extension
 public class GitHubWebHook implements UnprotectedRootAction {
     private static final Pattern REPOSITORY_NAME_PATTERN = Pattern.compile("https?://([^/]+)/([^/]+)/([^/]+)");
+    public static final String URLNAME = "github-webhook";
 
     public String getIconFileName() {
         return null;
@@ -47,7 +48,7 @@ public String getDisplayName() {
     }
 
     public String getUrlName() {
-        return "github-webhook";
+        return URLNAME;
     }
 
     /**
diff --git a/src/main/java/com/cloudbees/jenkins/GitHubWebHookCrumbExclusion.java b/src/main/java/com/cloudbees/jenkins/GitHubWebHookCrumbExclusion.java
@@ -0,0 +1,32 @@
+package com.cloudbees.jenkins;
+
+import hudson.Extension;
+import hudson.security.csrf.CrumbExclusion;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import java.io.IOException;
+import java.util.logging.Logger;
+
+@Extension
+public class GitHubWebHookCrumbExclusion extends CrumbExclusion {
+
+	private static final Logger LOGGER = Logger.getLogger("com.cloudbees.jenkins.GitHubWebHookCrumbExclusion");
+
+	@Override
+	public boolean process(HttpServletRequest req, HttpServletResponse resp, FilterChain chain) throws IOException, ServletException {
+		String pathInfo = req.getPathInfo();
+		if (pathInfo != null && pathInfo.equals(getExclusionPath())) {
+			chain.doFilter(req, resp);
+			return true;
+		}
+		return false;
+	}
+
+	public String getExclusionPath() {
+		return "/" + GitHubWebHook.URLNAME + "/";
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,7 @@`
`37`	`37`	`@Extension`
`38`	`38`	`public class GitHubWebHook implements UnprotectedRootAction {`
`39`	`39`	`private static final Pattern REPOSITORY_NAME_PATTERN = Pattern.compile("https?://([^/]+)/([^/]+)/([^/]+)");`
	`40`	`+ public static final String URLNAME = "github-webhook";`
`40`	`41`
`41`	`42`	`public String getIconFileName() {`
`42`	`43`	`return null;`
`@@ -47,7 +48,7 @@ public String getDisplayName() {`
`47`	`48`	`}`
`48`	`49`
`49`	`50`	`public String getUrlName() {`
`50`		`- return "github-webhook";`
	`51`	`+ return URLNAME;`
`51`	`52`	`}`
`52`	`53`
`53`	`54`	`/**`