[Ci-users] Jenkins SafeRestart to add extra CSRF Protection 19-Apr-2016 14h30 UTC (09h30 EDT)

Colin Walters

walters at verbum.org
Sat May 21 13:31:48 UTC 2016


On Tue, Apr 19, 2016, at 09:54 AM, Brian Stinson wrote:
> Hi Folks,
> 
> In response to news of directed attacks against public Jenkins
> instances[0], we are enabling some of the CSRF protections in ci.centos.org

It looks like this also caused:

https://github.com/janinko/ghprb/issues/84

However, I'm a bit confused - it seems like a lot more
people should be hitting this.  Perhaps people just aren't
turning on CSRF?

Then I also found
https://github.com/jenkinsci/ghprb-plugin/commit/cb8447f991aebe3de688d3548c451dd128e16900
which:
$ git describe --contains cb8447f991aebe3de688d3548c451dd128e16900
ghprb-1.28~3^2

So it *should* be in the 1.30.4 we're running according to
https://ci.centos.org/pluginManager/api/json?tree=plugins[shortName,version]

Did anyone else manage to get the ghprb hooks working?

(Aside, I was trying to work around this by using the raw `github` plugin's webhook
 which does work, but I couldn't quite figure out how to make a single job that builds
 multiple PRs be "stable", i.e. avoid retriggering for previously built PRs, plus in the
 end we do need a way to retrigger as ghprb handles)


