如何通过JSON/JS在Jenkins中为CSRF添加面包屑 [英] How to add crumb for CSRF in Jenkins via JSON / JS

问题描述

我想在詹金斯(Jenkins)中通过API作业创建，但是我无法在詹金斯(Jenkins)中使用CSRF保护.我有一个面包屑，但idk如何将其附加到JSON或JavaScript中的url/request上，以通过POST方法获取数据传递.有任何想法吗?我只想使用JS而不使用JAVA.谢谢

I wanna create via API jobs in Jenkins, but i can't connect couse of CSRF protection in Jenkins. I got a crumb but idk how to attach it to the url/request in JSON or JavaScript to get data pass by POST method. Any ideas? I wanna make it only with JS, without using JAVA. Thanks

推荐答案

它应该很容易.要在詹金斯获得CSRF，您需要做的事情很少.

It should be easy enough. There are few things you are expected to do in order to get thru CSRF in Jenkins.

#1

获取有效的实际CSRF碎屑，为此您应该使用"/crumbIssuer "端点. AFAIK，这是一个受保护的端点，因此您应该使用API​​令牌或请求中的凭据对它进行身份验证的调用.这里我将如何使用JavaScript做到这一点:

Fetch an actual CSRF crumb that is valid and for that you should use "/crumbIssuer" endpoint. AFAIK, this is a protected endpoint and therefore you should make an authenticated call to it using either API Token or your credentials in the request. Here how would I do it in JavaScript:

// **** - is a placeholder for an auth token, replace it with yours
$.get({
    url: "https://my.jenkins.io/crumbIssuer/api/json",
    contentType: "application/json",
    headers: {
        "User-Agent": "my_js_script",
        "Authorization": "****"
    }
}).done(function(data) {
    // this is how you fetch valid & actual CSRF crumb
    console.log(data.crumbRequestField + " = " + data.crumb);
});

#2

现在，既然您已经掌握了有效的&实际的CSRF碎屑，请在詹金斯(Jenkins)修改状态的任何请求中发送.可以说，您的有效CSRF碎屑JSON看起来像这样:

Now, since you've got a handle on a valid & actual CSRF crumb, do send it with any request that modifies state in Jenkins. Lets say, your valid CSRF crumb JSON looks something like this:

{ "crumbRequestField": "Jenkins-Crumb", "crumb": "noop" }

，因此您的Ajax调用看起来像这样(请注意一个额外的"Jenkins-Crumb" HTTP标头):

and therefore your Ajax call would look somewhat like this (note an extra "Jenkins-Crumb" HTTP header):

// **** - is a placeholder for an auth token, replace it with yours
// simply activates a job in Jenkins, requirement for cloned jobs (aka. "Create-A-Copy-From")
$.post({
    url: "https://my.jenkins.io/job/my_job/description",
    contentType: "application/x-www-form-urlencoded; charset=UTF-8",
    headers: {
        "User-Agent": "my_js_script",
        "Authorization": "****",
        "Jenkins-Crumb": "noop" // makes CSRF filter in Jenkins happy
    },
    data: "description="
});

这些JavaScript片段不太可能完美，但希望能为您提供正确的方向.

These JavaScript snippets unlikely perfect, but hopefully give you the right direction.

我正在开发一个Jenkins API库，但使用Ruby的项目.如果您需要阅读一些实际能满足您需求的源代码，那么以下文件可能是您感兴趣的文件:

I'm working on a project that is Jenkins API library, but in Ruby. Here are some of the files that might be of interest in case you need to read some source code that actually does what you're looking for:

• jenkins-api/lib/jenkins/connection.rb (see "crumb method);
• jenkins-api/lib/jenkins/job.rb (see "activate_job" method);

这篇关于如何通过JSON/JS在Jenkins中为CSRF添加面包屑的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！