Add header to disable bitbucket xsrf

Fixes #465 which is caused by XSRF detection on Bitbucket server and cloud.
runatlantis · Feb 11, 2019 · 81693d7 · 81693d7
1 parent 45a6823
commit 81693d7
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 8 deletions.
diff --git a/server/events/vcs/bitbucketcloud/client.go b/server/events/vcs/bitbucketcloud/client.go
@@ -179,13 +179,19 @@ func (b *Client) MergePull(pull models.PullRequest) error {
 	return err
 }
 
-// prepRequest adds the HTTP basic auth.
+// prepRequest adds auth and necessary headers.
 func (b *Client) prepRequest(method string, path string, body io.Reader) (*http.Request, error) {
 	req, err := http.NewRequest(method, path, body)
 	if err != nil {
 		return nil, err
 	}
 	req.SetBasicAuth(b.Username, b.Password)
+	if body != nil {
+		req.Header.Add("Content-Type", "application/json")
+	}
+	// Add this header to disable CSRF checks.
+	// See https://confluence.atlassian.com/cloudkb/xsrf-check-failed-when-calling-cloud-apis-826874382.html
+	req.Header.Add("X-Atlassian-Token", "no-check")
 	return req, nil
 }
 
@@ -194,9 +200,6 @@ func (b *Client) makeRequest(method string, path string, reqBody io.Reader) ([]b
 	if err != nil {
 		return nil, errors.Wrap(err, "constructing request")
 	}
-	if reqBody != nil {
-		req.Header.Add("Content-Type", "application/json")
-	}
 	resp, err := b.HTTPClient.Do(req)
 	if err != nil {
 		return nil, err

diff --git a/server/events/vcs/bitbucketserver/client.go b/server/events/vcs/bitbucketserver/client.go
@@ -246,13 +246,19 @@ func (b *Client) MergePull(pull models.PullRequest) error {
 	return err
 }
 
-// prepRequest adds the HTTP basic auth.
+// prepRequest adds auth and necessary headers.
 func (b *Client) prepRequest(method string, path string, body io.Reader) (*http.Request, error) {
 	req, err := http.NewRequest(method, path, body)
 	if err != nil {
 		return nil, err
 	}
 	req.SetBasicAuth(b.Username, b.Password)
+	if body != nil {
+		req.Header.Add("Content-Type", "application/json")
+	}
+	// Add this header to disable CSRF checks.
+	// See https://confluence.atlassian.com/cloudkb/xsrf-check-failed-when-calling-cloud-apis-826874382.html
+	req.Header.Add("X-Atlassian-Token", "no-check")
 	return req, nil
 }
 
@@ -261,9 +267,6 @@ func (b *Client) makeRequest(method string, path string, reqBody io.Reader) ([]b
 	if err != nil {
 		return nil, errors.Wrap(err, "constructing request")
 	}
-	if reqBody != nil {
-		req.Header.Add("Content-Type", "application/json")
-	}
 	resp, err := b.HTTPClient.Do(req)
 	if err != nil {
 		return nil, err