Fix snippet generator with custom crumb header

lamaral · lamaral · commit 561e445a2e21 · 2024-02-27T19:10:20.000+01:00
The CSRF crumb header is configurable via the java property
hudson.security.csrf.requestfield.

When an instance overrides the header value with something different
than Jenkins-crumb, the snippet generator would use the hardcoded value,
causing a 403 to be returned.
diff --git a/plugin/src/main/resources/org/jenkinsci/plugins/workflow/cps/Snippetizer/handle-prototype.js b/plugin/src/main/resources/org/jenkinsci/plugins/workflow/cps/Snippetizer/handle-prototype.js
@@ -1,4 +1,4 @@
-function handlePrototype(url, crumb) {
+function handlePrototype(url) {
     buildFormTree(document.forms.config);
     // TODO JSON.stringify fails in some circumstances: https://gist.github.com/jglick/70ec4b15c1f628fdf2e9 due to Array.prototype.toJSON
     // TODO simplify when Prototype.js is removed
@@ -7,13 +7,11 @@ function handlePrototype(url, crumb) {
         return; // just a separator
     }
 
-    const headers = new Headers();
-    headers.append("Content-Type", "application/x-www-form-urlencoded");
-    headers.append("Jenkins-Crumb", crumb);
-
     fetch(url, {
         method: "POST",
-        headers: headers,
+        headers: crumb.wrap({
+            "Content-Type": "application/x-www-form-urlencoded"
+        }),
         body: "json=" + encodeURIComponent(json),
 
     })
@@ -37,9 +35,8 @@ document.addEventListener('DOMContentLoaded', () => {
 
     const generatePipelineScript = document.getElementById("generatePipelineScript");
     const url = generatePipelineScript.getAttribute("data-url");
-    const crumb = generatePipelineScript.getAttribute("data-crumb");
     generatePipelineScript.onclick = (_) => {
-        handlePrototype(url, crumb);
+        handlePrototype(url);
         return false;
     };
 
diff --git a/plugin/src/main/resources/org/jenkinsci/plugins/workflow/cps/Snippetizer/index.jelly b/plugin/src/main/resources/org/jenkinsci/plugins/workflow/cps/Snippetizer/index.jelly
@@ -70,8 +70,7 @@ THE SOFTWARE.
                 <f:block>
                     <input type="button" id="generatePipelineScript" value="${%Generate Pipeline Script}"
                            class="submit-button primary"
-                           data-url="${rootURL}/${it.GENERATE_URL}"
-                           data-crumb="${h.getCrumb(request)}"/>
+                           data-url="${rootURL}/${it.GENERATE_URL}"/>
                     <f:textarea id="prototypeText" readonly="true" style="margin-top: 10px"/>
                     <l:copyButton text="" clazz="jenkins-hidden jenkins-!-margin-top-1"/>
                     <st:adjunct includes="org.jenkinsci.plugins.workflow.cps.Snippetizer.handle-prototype"/>
