Use GitHub Plugin hook instead of a custom hook #84

Open
deiga opened this issue Aug 14, 2013 · 10 comments

@deiga

deiga commented Aug 14, 2013

This is needed when behind a firewall and only a specific URL:PORT combination will work

@deiga
Author

deiga commented Aug 14, 2013

Or just make the plugin use the same Hook as the GitHub plugin does?

@valdisrigdon
Collaborator

Triggering off of the existing GitHub plugin hook makes the most sense assuming we can get the same information, but I haven't looked into what that entails or how it works.

@colinkinnek

Any movement on this, or any other solution for #83?

@DavidTanner
Collaborator

I don't understand this issue, can you please explain it against the plugin as it is currently coded.

@colinkinnek

Sure no problem. Here is my understanding, which may be a little off.

When you enable CSRF protection in Jenkins, basically what happens is everyone gets a unique secret password (in a cookie) by browsing to the Jenkins site. Any HTTP POST request that doesn't have the user's secret password gets rejected with a 403. Now, since GitHub is another server and isn't actually browsing the site, it has no way to retrieve one of these unique passwords. So its webhooks are always rejected.

To mitigate this issue, you have to have a webhook endpoint with CSRF checking disabled.

The GitHub plugin guys went through the process of implementing this. Hence the suggestion that you guys use that endpoint -- it would allow ghprb to further leverage their work (presumably) without a ton of dev time on your end.

So for now, I believe my choices are disable CSRF protection or abandon the webhook and poll for changes -- decided to poll for changes.

Save this issue, my experience with the plugin has been great so far!

@Sambhaji75

Sambhaji75 commented May 4, 2017

We came across this same issue, is there a solution available now to use webhook with CSRF enabled?

@brianjmurrell

Still no solution to this problem? Has nobody really been able to use GitHub webhooks all of this time (this issue is over 4 years old)?

Or is there a solution in this ticket somewhere (or elsewhere) that I am just not understanding?

@pmeisen

pmeisen commented Jan 9, 2018

Totally agree with @brianjmurrell, maybe I just want to send a webhook to my Jenkins without using the plugin? Why isn't there a way on GitHub to set additional headers or why isn't there a way to send the crumb information as parameter to Jenkins?

@jrichardsz

jrichardsz commented Sep 28, 2018

@ip1981 saved my life :D

ip1981/bbprb#7 (comment)

Basically, we need to add a crumb exclusion in our custom UnprotectedRootAction (when you are developing your own Jenkins webhook plugin)

Here is the original PR:

ip1981/bbprb@7149adb

And here is the code:

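```java
import hudson.model.UnprotectedRootAction;
import hudson.security.csrf.CrumbExclusion;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BitbucketHookReceiver
    extends CrumbExclusion implements UnprotectedRootAction {

  private static final String BITBUCKET_HOOK_URL = "bbprb-hook";
  private static final String BITBUCKET_UA = "Bitbucket-Webhooks/2.0";

  // Called by the Jenkins crumb filter for every request. Returning true
  // means the request was handled here and the crumb check is skipped.
  @Override
  public boolean process(HttpServletRequest req, HttpServletResponse resp,
                         FilterChain chain)
      throws IOException, ServletException {
    String pathInfo = req.getPathInfo();
    // Only requests under /bbprb-hook bypass CSRF protection.
    if (pathInfo != null && pathInfo.startsWith("/" + BITBUCKET_HOOK_URL)) {
      chain.doFilter(req, resp);
      return true;
    }
    return false;
  }

  // The rest of the class (the UnprotectedRootAction methods and the hook
  // handler itself) is not shown in this comment.
}
```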

Finally, a simple user and password as a GET parameter could work like a shield for unauthorized requests!!
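
An added example, not part of the comment above and not code from ghprb, bbprb or the GitHub plugin: an endpoint excluded from crumb checking has to authenticate its callers itself, and GitHub can sign each delivery with a shared webhook secret, sending the HMAC-SHA256 of the body in the `X-Hub-Signature-256` header. The class name `WebhookSignature`, the secret and the payloads below are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper for a crumb-excluded webhook endpoint.
public class WebhookSignature {

  private static final String PREFIX = "sha256=";

  // Computes the header value a sender holding the secret would attach.
  static String sign(byte[] secret, byte[] body) throws Exception {
    Mac mac = Mac.getInstance("HmacSHA256");
    mac.init(new SecretKeySpec(secret, "HmacSHA256"));
    StringBuilder hex = new StringBuilder(PREFIX);
    for (byte b : mac.doFinal(body)) {
      hex.append(String.format("%02x", b));
    }
    return hex.toString();
  }

  // Returns true only if the header matches the HMAC of the raw request body.
  static boolean verify(byte[] secret, byte[] body, String header)
      throws Exception {
    if (header == null || !header.startsWith(PREFIX)) {
      return false; // unsigned delivery or unexpected scheme: reject
    }
    byte[] expected = sign(secret, body).getBytes(StandardCharsets.US_ASCII);
    byte[] supplied = header.getBytes(StandardCharsets.US_ASCII);
    // Constant-time comparison, so timing does not leak matching prefixes.
    return MessageDigest.isEqual(expected, supplied);
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample values.
    byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
    byte[] body = "{\"action\":\"opened\",\"number\":1}"
        .getBytes(StandardCharsets.UTF_8);
    byte[] tampered = "{\"action\":\"opened\",\"number\":2}"
        .getBytes(StandardCharsets.UTF_8);
    String header = sign(secret, body);

    System.out.println("valid delivery: " + verify(secret, body, header));
    System.out.println("tampered body:  " + verify(secret, tampered, header));
    System.out.println("missing header: " + verify(secret, body, null));
  }
}
```

The hook handler would read the raw body bytes before parsing them, call `verify`, and answer 403 when it returns false. The secret is never sent with the request, so it does not end up in URLs or access logs.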

@samthebest

> Why isn't there a way on GitHub to set additional headers or why isn't there a way to send the crumb information as parameter to Jenkins?

Indeed! Any update on this? How to add headers to GitHub webhooks?!?!
