SECURITY-2470

timja · timja · commit 8b1e80e6f242 · 2021-08-23T09:00:45.000+01:00
diff --git a/src/main/frontend/index.ts b/src/main/frontend/index.ts
@@ -10,5 +10,9 @@ document.addEventListener('DOMContentLoaded', (_) => {
         .replace('configureSecurity/', '')
         .replace('configure', '');
 
-    Providers.globalProvider = new ProxyProvider(`${endStrippedCurrentUrl}/GraphProxy`);
+    Providers.globalProvider = new ProxyProvider(`${endStrippedCurrentUrl}/GraphProxy`, async () => {
+        return {
+            [document.head.dataset.crumbHeader as string]: document.head.dataset.crumbValue,
+        };
+    });
 })
diff --git a/src/main/java/com/microsoft/jenkins/azuread/AzureSecurityRealm.java b/src/main/java/com/microsoft/jenkins/azuread/AzureSecurityRealm.java
@@ -701,7 +701,7 @@ public static final class CrumbExempt extends CrumbExclusion {
         public boolean process(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
                 throws IOException, ServletException {
             String pathInfo = request.getPathInfo();
-            if (pathInfo != null && (pathInfo.equals(CALLBACK_URL) || pathInfo.endsWith("GraphProxy/v1.0/$batch"))) {
+            if (pathInfo != null && pathInfo.equals(CALLBACK_URL)) {
                 chain.doFilter(request, response);
                 return true;
             }

Original file line number	Diff line number	Diff line change
`@@ -701,7 +701,7 @@ public static final class CrumbExempt extends CrumbExclusion {`
`701`	`701`	`public boolean process(HttpServletRequest request, HttpServletResponse response, FilterChain chain)`
`702`	`702`	`throws IOException, ServletException {`
`703`	`703`	`String pathInfo = request.getPathInfo();`
`704`		`- if (pathInfo != null && (pathInfo.equals(CALLBACK_URL) \|\| pathInfo.endsWith("GraphProxy/v1.0/$batch"))) {`
	`704`	`+ if (pathInfo != null && pathInfo.equals(CALLBACK_URL)) {`
`705`	`705`	`chain.doFilter(request, response);`
`706`	`706`	`return true;`
`707`	`707`	`}`