Blocking access to URL patterns using the CloudBees Request Filter Plugin


You can block access to certain URL patterns that are known to be vulnerable using the CloudBees Request Filter Plugin.

Installing and configuring the CloudBees Request Filter Plugin on the operations center or a standalone controller

To install the CloudBees Request Filter Plugin:

  1. In CloudBees CI, select Manage Jenkins > Manage Plugins.

  2. On the Available tab, type CloudBees Request Filter Plugin in the Filter field.

  3. Select the Install check box on the left of the plugin’s name.

  4. Scroll down the page and click Install without restart.

    After the plugin is installed, you can configure it to block URL patterns.

To configure the CloudBees Request Filter Plugin:

  1. Select Manage Jenkins > Configure System.

  2. Scroll to the Request Filtering section, and then select Add Rule.

  3. In URI pattern, enter the regex pattern you want to block. For example:

    .*[/\\]upload[/\\].*("|%22).*[/\\](upload|complete).*

  4. Select Custom response.

    1. Under Response Code, enter 403.

    2. Verify that Content Type is text/html.

    3. Under Content, enter the following:

      <h1>Forbidden call</h1>
      For more information, please contact your system administrator
      or <a href="https://support.cloudbees.com">CloudBees Support</a>.

  5. Select Save.
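Before saving a rule, it is worth checking which request URIs the regex actually matches, so that the intended shape is blocked and ordinary paths still pass. The following is an added check, not part of the CloudBees documentation or plugin: it evaluates the page's URI pattern against a few constructed request paths using Python's re module, which handles this pattern identically to the Java regex engine the plugin runs on. It assumes the plugin tests the rule against the full request URI with match-the-whole-string semantics (as Java's String.matches would); because the pattern begins and ends with .*, the result is the same under find semantics.

```python
import re

# Identical to the URI pattern entered in the Request Filtering rule above.
# Inside a raw string, [/\\] is a character class matching "/" or "\".
MITIGATION_PATTERN = r'.*[/\\]upload[/\\].*("|%22).*[/\\](upload|complete).*'
RESPONSE_CODE = 403  # the custom response configured for the rule


def filter_decision(uri: str, pattern: str = MITIGATION_PATTERN):
    """Return 403 when the rule matches the request URI, else None.

    None means the request would pass through the filter untouched.
    fullmatch mirrors Java's String.matches(); the surrounding .* in the
    pattern make the outcome the same as a search/find would give.
    """
    return RESPONSE_CODE if re.fullmatch(pattern, uri) else None


def check_rule(uris):
    """Map each URI to the filter decision, for reviewing a rule before saving it."""
    return {uri: filter_decision(uri) for uri in uris}


# Constructed sample request paths (not taken from any real controller).
SAMPLE_URIS = [
    '/job/demo/upload/%22/complete',       # blocked shape, percent-encoded quote
    '/job/demo/upload/"/more/upload',      # blocked shape, raw quote
    '\\job\\demo\\upload\\%22\\complete',  # backslash separators, covered by [/\\]
    '/job/demo/upload/',                   # plain upload path: must NOT be blocked
    '/job/demo/build',                     # unrelated endpoint: must NOT be blocked
]

if __name__ == '__main__':
    for uri, decision in check_rule(SAMPLE_URIS).items():
        print(f'{decision or "pass":>4}  {uri}')
```

Run it after any change to the pattern; if a legitimate path shows up with 403, the regex is broader than intended and should be tightened before it is saved to the controller.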

Installing and configuring the CloudBees Request Filter Plugin on controllers in an operations center cluster

You can use a cluster operation to install and configure the CloudBees Request Filter Plugin on multiple controllers that are managed by an operations center.

To create a cluster operation:

  1. On the operations center, select New Item, and then enter a name for the operation.

  2. Select Cluster Operations.

  3. In the Target Managed controllers field, add the controllers on which you want to set up the plugin.

  4. Add the following steps:

    1. An Install plugin step with the plugin ID set to cloudbees-request-filter. Leave the Version field blank. Using no version instructs CloudBees CI to use the most recent plugin available for the given controller.

    2. An Execute Groovy Script on Controller step using the following script:

      import com.cloudbees.jenkins.plugins.requestfilter.*
      
      // Same regex as the URI pattern used for a standalone controller. Backslashes are
      // escaped once for the Groovy string literal and once for the regex, so '\\\\'
      // in the source is a single literal backslash in the request URI.
      String mitigationPattern = '.*[/\\\\]upload[/\\\\].*("|%22).*[/\\\\](upload|complete).*'
      int responseCode = 403
      String responseContent =
      '''
      <h1>Forbidden call</h1>
      For more information, please contact your system administrator
      or <a href="https://support.cloudbees.com">CloudBees Support</a>.
      '''
      String responseContentType = 'text/html'
      
      // Preserve the existing configuration, if any. The script is idempotent, so it can
      // be run repeatedly without adding the same rule more than once.
      // A fresh ArrayList is needed because getRules() may return an immutable emptyList().
      List<Rule> existingRules = new ArrayList(Rules.get().getRules())
      
      if (existingRules.collect { rule -> rule.pattern }
                       .findAll { rulePattern -> mitigationPattern.equals(rulePattern) }
                       .isEmpty()) {
        println 'mitigation pattern not found, adding it'
        Rule mitigationRule = new Rule(mitigationPattern)
        mitigationRule.setResponse(new Response(responseCode, responseContentType, responseContent))
        existingRules.add(mitigationRule)
        Rules.get().setRules(existingRules)
      } else {
        println 'mitigation pattern found, no-op'
      }

  5. Select Save, and then select Run.