
SQL Clone Request failed anti-forgery validation

Trying to set up Azure DevOps with SQL Clone tasks to delete an image. Getting the following.

    Task : SQL Clone - Delete image
    Description : Delete images created by SQL Clone
    Version : 4.0.0
    Author : Redgate Software
    ==============================================================================
    Connected to SQL Clone server
    Found image
    Deleting image
    ##[error]Request failed anti-forgery validation:
    Just had request with mismatched anti-forgery cookie and header to an anti-forgery protected URI [http://devapp01:14145/api/v1/images/2]
    Technical details: Forbidden received from server when performing DELETE /api/v1/images/2
Bill
0

Comments

6 comments

  • ChrisHurley
    SQL Clone Server uses double-submit cookie verification as a mitigation against cross-site request forgery. Although CSRF is a browser concern, our PowerShell cmdlets and therefore Azure DevOps extension also need to send requests that comply with that contract.

    This means that requests should have a header and a cookie set to matching values. The cmdlets and therefore extension that uses them sets these to constants. Is there any possibility that the headers or cookies are being transformed/stripped between the Azure DevOps agent and SQL Clone Server, perhaps by a proxy?
    ChrisHurley
    0
  • Cat_Bill
    There could be a proxy due to the connections between Azure and our servers. Is there a way to disable the check? I don't have control over the network.
    Cat_Bill
    0
  • Cat_Bill
    I was able to confirm there is no proxy!
    Cat_Bill
    0
  • ChrisHurley
    Hm, interesting. This is a problem that we've heard of before with Azure DevOps, but haven't been able to explore properly.

    We could potentially explore this further with network tracing and/or a private build with some additional logging to see what headers/cookies we're receiving. Could you open a ticket with support@red-gate.com and mention this conversation?
    ChrisHurley
    0
  • CAT_Keith
    After doing a lot of testing it appears the error is caused by not using the root web address for the SQL Clone interface on the local server as the Server URL.

    When launching the SQL Clone interface (Web browser page) it does a redirect to http://<servername>:14145/dashboard. If you have the /dashboard in the Server URL box in Azure DevOps it causes the above CSRF error.

    Once I removed the /dashboard it worked correctly. This must have been altering the cookie. Wanted to post an update, so this is documented and others don't have this issue.
    CAT_Keith
    0
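To illustrate the double-submit cookie contract ChrisHurley describes and the Server URL root requirement CAT_Keith found, here is an added example (not Redgate's code). The header and cookie names, the constant token value and the pre-flight URL check are assumptions; only the matching-values rule and the "no /dashboard in the Server URL" finding come from the thread.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Hypothetical names: SQL Clone's real header/cookie names are not given in the thread.
ANTI_FORGERY_HEADER = "X-Anti-Forgery-Token"
ANTI_FORGERY_COOKIE = "AntiForgeryToken"


def build_delete_request(server_url, image_id, token="constant-token"):
    """Client side: a non-browser caller (cmdlet, pipeline task) sends the same
    value in the anti-forgery header and in the cookie, as the thread describes."""
    base = server_url.rstrip("/")
    return {
        "method": "DELETE",
        "url": f"{base}/api/v1/images/{image_id}",
        "headers": {
            ANTI_FORGERY_HEADER: token,
            "Cookie": f"{ANTI_FORGERY_COOKIE}={token}",
        },
    }


def double_submit_ok(headers):
    """Server side: accept only when the header is present and equals the cookie
    of the same name. A stripped cookie or an altered header is rejected, which
    is the 'mismatched anti-forgery cookie and header' condition in the question."""
    lower = {k.lower(): v for k, v in headers.items()}
    header_value = lower.get(ANTI_FORGERY_HEADER.lower())
    jar = SimpleCookie()
    jar.load(lower.get("cookie", ""))
    cookie_value = jar[ANTI_FORGERY_COOKIE].value if ANTI_FORGERY_COOKIE in jar else None
    return header_value is not None and header_value == cookie_value


def server_url_problems(server_url):
    """Pre-flight check for the Server URL field (assumed check, based on the
    resolution above): the value must be the root of the SQL Clone server,
    so any path such as /dashboard, query or fragment is flagged."""
    parts = urlparse(server_url)
    problems = []
    if parts.scheme not in ("http", "https") or not parts.netloc:
        problems.append("not an absolute http(s) URL")
    if parts.path.strip("/") or parts.query or parts.fragment:
        problems.append(f"URL must be the server root; remove '{parts.path}'")
    return problems
```

Running `server_url_problems` on the pipeline's Server URL before the task issues any request gives a clearer failure than the server's generic anti-forgery error.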
  • ChrisHurley
    Thanks for the update! That's really useful to hear about, and I'm glad it's now working.

    I'll have a look at what options we have to prevent others getting into this situation in the future.
    ChrisHurley
    0
