Open dmathnz opened 4 years ago
I am seeing the same. Jenkins version 2.190.1. Simple commands like Test-JenkinsJob, Get-JenkinsJobList work, but Disable/Enable return the crumb error.
I have this too on PSv5 and Jenkins 2.303.1.
Cloudbees doc: https://support.cloudbees.com/hc/en-us/articles/219257077-CSRF-Protection-Explained
PoC of a quick hack showing WebSession param is needed in Invoke-WebRequest: https://github.com/fsackur/jenkins/commit/a36f9abe6b455a08ea6106f65589dbd605621f57
I don't have an older Jenkins to test against, but I expect this not to cause issues with older servers that don't use the cookie jar.
How would the maintainers feel about a PR that:
To avoid breaking changes, we could leave the crumb params in place but emit a warning that they do nothing. The module already requires PSv5, so we can mark those params with [Parameter(DontShow)] to hide them.
Issue
Jenkins 2.176.2 included a security fix for CSRF that requires a session id to be included with the crumb. https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626
This appears to break functions in the module that create or update Jenkins. Jenkins will return a 403 error with the message "Error 403 No valid crumb was included in the request".
Here is the full stack trace from New-JenkinsFolder:
This issue is dealing with the same problem. https://github.com/cdancy/jenkins-rest/issues/67
The sessionid is stored in a cookie called JSESSIONID.
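
The crumb-plus-session exchange discussed in this thread, as an added example that is not code from the module or from any commenter. The function name, base URL and job path are hypothetical; it assumes the server exposes the standard `/crumbIssuer/api/json` endpoint and accepts basic authentication over HTTPS.

```powershell
# Added example: hypothetical helper, not part of the Jenkins module.
function Invoke-JenkinsCrumbedPost {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [uri] $Uri,                 # Jenkins base URL (assumed, e.g. https://jenkins.example.test/)
        [Parameter(Mandatory)] [string] $Path,             # relative path (assumed, e.g. 'job/my-job/disable')
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    $base = $Uri.AbsoluteUri.TrimEnd('/')
    $pair = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
    $headers = @{
        Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))
    }

    # Step 1: request the crumb and capture the web session.
    # -SessionVariable creates $session, whose cookie jar receives JSESSIONID.
    $crumbResponse = Invoke-WebRequest -Uri "$base/crumbIssuer/api/json" `
        -Headers $headers -SessionVariable session -UseBasicParsing
    $crumb = $crumbResponse.Content | ConvertFrom-Json

    # Since Jenkins 2.176.2 the crumb is bound to the session that issued it.
    # If no session cookie came back, the POST below is likely to fail with 403.
    $sessionCookie = $session.Cookies.GetCookies($Uri) |
        Where-Object { $_.Name -like 'JSESSIONID*' }
    if (-not $sessionCookie) {
        Write-Warning 'No JSESSIONID cookie received with the crumb.'
    }

    # Step 2: send the crumb in the header field the server names,
    # and reuse the SAME session so the cookie travels with it.
    $headers[$crumb.crumbRequestField] = $crumb.crumb
    Invoke-WebRequest -Uri "$base/$Path" -Method Post `
        -Headers $headers -WebSession $session -UseBasicParsing
}

# Usage with placeholder values:
# Invoke-JenkinsCrumbedPost -Uri 'https://jenkins.example.test/' `
#     -Path 'job/my-job/disable' -Credential (Get-Credential)
```

Dropping `-WebSession $session` from the second call reproduces the symptom reported above: the crumb arrives without its session cookie and the server answers 403.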