PlagueHO / jenkins

PowerShell module for interacting with a CloudBees Jenkins server using the Jenkins Rest API.
MIT License
11 stars 28 forks

Jenkins (2.176.2+) - requests using CSRF require sessionid #3

Open dmathnz opened 4 years ago

dmathnz commented 4 years ago

Issue

Jenkins 2.176.2 included a security fix for CSRF that requires a session id to be included with the crumb. https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626

This appears to break functions in the module that create or update Jenkins. Jenkins will return a 403 error with the message "Error 403 No valid crumb was included in the request"

Here is the full stack trace from New-JenkinsFolder:

Problem accessing /job/Stuff/job/Test/createItem. Reason:
    No valid crumb was included in the request
Powered by Jetty:// 9.4.z-SNAPSHOT
At C:\Users\****\Documents\WindowsPowerShell\Modules\Jenkins\1.0.3.257\Jenkins.psm1:1244 char:23
+             $result = Invoke-WebRequest 
+                       ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
ScriptHalted
At C:\Users\****\Documents\WindowsPowerShell\Modules\Jenkins\1.0.3.257\Jenkins.psm1:1261 char:17
+                 throw $RequestErrors[0].Exception
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], RuntimeException
    + FullyQualifiedErrorId : ScriptHalted

This issue is dealing with the same problem. https://github.com/cdancy/jenkins-rest/issues/67

The sessionid is stored in a cookie called JSESSIONID.

JesseHermes commented 4 years ago

I am seeing the same. Jenkins version 2.190.1. Simple commands like Test-JenkinsJob and Get-JenkinsJobList work, but Disable/Enable return the crumb error.

fsackur commented 2 years ago

I have this too on PSv5 and Jenkins 2.303.1.

Cloudbees doc: https://support.cloudbees.com/hc/en-us/articles/219257077-CSRF-Protection-Explained

PoC of a quick hack showing WebSession param is needed in Invoke-WebRequest: https://github.com/fsackur/jenkins/commit/a36f9abe6b455a08ea6106f65589dbd605621f57

I don't have an older Jenkins to test against, but I expect this not to cause issues with older servers that don't use the cookie jar.
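Worked example of the fix described in the two comments above (crumb bound to the JSESSIONID cookie, so the POST must reuse the web session that fetched the crumb). This is an added illustration, not code from the PlagueHO/jenkins module or from any commenter's fork. Assumptions: the caller supplies the Jenkins base URL and a credential whose password is an API token; the function names, the `Stuff/Test` job path and the server name are hypothetical. The Jenkins endpoints used (`/crumbIssuer/api/json`, which returns `crumb` and `crumbRequestField`, and `/job/<name>/disable`) are standard Jenkins REST routes.

```powershell
# Added example, not code from the PlagueHO/jenkins module or this thread.
# Assumptions: $Uri is the Jenkins base URL, $Credential holds user name + API
# token; job path and host name in the usage note are hypothetical.

function Get-JenkinsCrumbSession {
    <#
    .SYNOPSIS
    Fetches a CSRF crumb and keeps the session cookie it is bound to.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    $base = $Uri.TrimEnd('/')
    $pair = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
    $auth = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))

    # -SessionVariable captures the JSESSIONID.<suffix> cookie Jenkins sets when it
    # issues the crumb. From 2.176.2 on the crumb is only accepted with that cookie.
    $crumb = Invoke-RestMethod -Uri "$base/crumbIssuer/api/json" `
        -Headers @{ Authorization = $auth } -SessionVariable session -ErrorAction Stop

    # Check: a crumb without its session cookie will be rejected by new servers.
    $cookies = $session.Cookies.GetCookies([uri]$base)
    if (-not ($cookies | Where-Object Name -like 'JSESSIONID*')) {
        Write-Warning 'No JSESSIONID cookie returned; the crumb may be rejected on Jenkins 2.176.2+'
    }

    # Header name comes from the server (normally Jenkins-Crumb), so set it by key.
    $headers = @{ Authorization = $auth }
    $headers[$crumb.crumbRequestField] = $crumb.crumb

    [pscustomobject]@{
        Headers    = $headers
        WebSession = $session
    }
}

function Invoke-JenkinsPost {
    <#
    .SYNOPSIS
    Sends a state-changing request with the crumb and the session that issued it.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $Command   # e.g. 'job/Stuff/job/Test/disable'
    )

    $cs = Get-JenkinsCrumbSession -Uri $Uri -Credential $Credential

    # The fix for the 403 in this thread: pass -WebSession (the cookie jar that
    # received the crumb), not just the crumb header. Older servers that never set
    # the cookie simply see an empty jar, so this is backwards compatible.
    Invoke-WebRequest -Uri ('{0}/{1}' -f $Uri.TrimEnd('/'), $Command.TrimStart('/')) `
        -Method Post -Headers $cs.Headers -WebSession $cs.WebSession `
        -UseBasicParsing -ErrorAction Stop
}

# Usage (hypothetical server and job):
# $cred = Get-Credential   # user name + API token
# Invoke-JenkinsPost -Uri 'https://jenkins.example.com' -Credential $cred `
#     -Command 'job/Stuff/job/Test/disable'
```

Two things worth checking when adapting this: the crumb and the cookie must come from the same session object, so fetch a fresh crumb per session rather than caching a crumb string across calls; and the advisory linked in the first comment documents a server-side system property that restores the old (session-independent) crumb behaviour, which removes the mitigation and should not be used as a client workaround.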

fsackur commented 2 years ago

How would the maintainers feel about a PR that:

To avoid breaking changes, we could leave the crumb params in place but emit a warning that they do nothing. The module already requires PSv5, so we can mark those params with [Parameter(DontShow)] to hide them.