Kandikuppa Vinod

Reputation: 67

Curl command to pass script line to get crumb value and execute my groovy script

I have tried the command below to execute my Groovy script in the Jenkins script console to disable CSRF in v2.222.2.

CRUMB=$(curl -u "$userName" 'https://jenkins-testcrumb.origin-elr-core-nonprod.com/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')

CRUMB_DISABLE=$(curl "$userName" "script=hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = true" -H "$CRUMB" https://jenkins-testcrumb.origin-elr-core-nonprod.com/scriptText)

Error:

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 462 100 462 0 0 1002 0 --:--:-- --:--:-- --:--:-- 1004
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (6) Could not resolve host: kvinod5; Unknown error
curl: (6) Could not resolve host: script=hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = true; Unknown error
100 90 0 90 0 0 498 0 --:--:-- --:--:-- --:--:-- 498

Can someone help me get the solution?

Upvotes: 1

Views: 1476

Answers (1)

Joep Weijers

Reputation: 1979

This will not work; use API tokens instead. The Jenkins upgrade documentation states:

Set the system property hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION to true on startup to disable CSRF protection as well as the configuration UI for it. This is an unsupported option and may be removed in the future.

Which suggests that it already has to be set on startup, and can't be modified afterwards.

Furthermore there are several issues with what you are trying to achieve:

The error says that it can't find the host: script=hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = true;, which points to your second curl call which is incorrect and should be:

$(curl -u "$userName" --data-urlencode "script=hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = true" -H "$CRUMB" https://jenkins-testcrumb.origin-elr-core-nonprod.com/scriptText)

This call will still fail with an invalid crumb, since crumbs are no longer accepted for scripts. You should use an API token instead.

Furthermore, to set a property, you need to call System.setProperty, so your script should be:

"script=System.setProperty('hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION', 'true')"

But as mentioned before, the property is checked at startup time, so changing it later will not disable the Crumb system.

Upvotes: 1
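
The answer's advice to authenticate with an API token instead of a crumb could look like the sketch below. It is an added example, not part of the original answer, and it only reads the CSRF-related state through the script console. JENKINS_URL, JENKINS_USER and JENKINS_API_TOKEN are assumed environment variables and the function names are hypothetical; the credentials reach curl through a config on stdin so they stay out of the process list.

```sh
#!/bin/sh
# Added example: call the Jenkins script console with an API token, no crumb header.
# Assumed environment: JENKINS_URL, JENKINS_USER, JENKINS_API_TOKEN.

# Read-only Groovy: report the startup property and the active crumb issuer.
CHECK_SCRIPT='println "DISABLE_CSRF_PROTECTION property: " + System.getProperty("hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION"); println "crumb issuer: " + jenkins.model.Jenkins.get().getCrumbIssuer()'

# Escape backslashes and double quotes for a double-quoted curl config value.
cfg_quote() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Emit a curl config file. Args: base_url user api_token groovy_script
build_curl_config() {
  base=${1%/}                                   # tolerate a trailing slash
  printf 'url = "%s/scriptText"\n' "$(cfg_quote "$base")"
  printf 'user = "%s"\n' "$(cfg_quote "$2:$3")" # user:token, as with curl -u
  # data-urlencode makes this a POST and URL-encodes the script body.
  printf 'data-urlencode = "%s"\n' "$(cfg_quote "script=$4")"
  printf 'fail\nsilent\nshow-error\n'           # non-zero exit on HTTP errors
}

# Run a single-line Groovy script on the controller. Arg: groovy_script
jenkins_groovy() {
  : "${JENKINS_URL:?}" "${JENKINS_USER:?}" "${JENKINS_API_TOKEN:?}"
  build_curl_config "$JENKINS_URL" "$JENKINS_USER" "$JENKINS_API_TOKEN" "$1" |
    curl --config -
}

# Only contact a server when one has been configured.
if [ -n "${JENKINS_URL:-}" ]; then
  jenkins_groovy "$CHECK_SCRIPT"
else
  echo "set JENKINS_URL, JENKINS_USER and JENKINS_API_TOKEN to run the check" >&2
fi
```
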
