Error loading react page that queries the guestAuth API when loading from artifacts
We have a React app that creates a webpage we use as our status board. It uses the guestAuth REST API to get build status from lots of projects on our TeamCity server (2018.2.2).
It now fails to load properly after we upgraded to 2018.2.2. We were on a very old version where this was working before: 10.0.4.
The error I'm getting in teamcity-auth.log is:
[2019-02-20 21:53:18,144] INFO [ http-nio-8111-exec-10] - Requests from build artifacts pages are restricted: Only requests to the same build's artifacts are allowed from the build artifacts. Referring page: "...react.html" Request details: GET '/guestAuth/app/rest/buildTypes/Graph/builds?locator=count%3A10%2Cstart%3A0&overrideAccept=application%2Fjson', from client IP (127.0.0.1:55868), no auth
So we had this setup running on our network. We would log the guest account into TeamCity - and load the react.html artifact from our build - and it would display our statuses. Now we get nothing, but I found that error in the log.
If we run this outside of teamcity - by downloading the artifacts - it seems to work ok - calling the guestAuth API.
Is there anything we can change / update in our TeamCity config to get this to work like it did in the past?
Thanks.
Hello,
Sorry for the inconvenience with the issue.
The behavior is a consequence of fixing a security issue where a malicious build artifact displayed as an HTML report can access the server on behalf of the user opening the report.
/guestAuth/ prefix works by authorizing as guest if no current user is present, but current user is used if present, so requests with /guestAuth/ are also affected by the fix.
It is possible to disable the protection via an internal property, but that way you will make your TeamCity server vulnerable, so I'd not recommend that approach. However, it seems like there is no other workaround, unfortunately.
Send us a message via the "Submit a request" button in the header if you still want to know the property.
Could you please detail the use case a bit more: why do you need to send REST API requests to TeamCity from a report tab?
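
To see which report pages run into this protection after an upgrade, the added example below (not part of the thread and not TeamCity code) parses the teamcity-auth.log entry quoted in the question and counts blocked requests per referring page and REST path. The regex is derived only from that one quoted line; the function names and the second and third sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Shape of the "restricted" entry quoted in the question (teamcity-auth.log).
# Assumption: other entries of this kind follow the same layout.
BLOCKED_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+\w+\s+\[\s*(?P<thread>[^\]]+)\]\s+-\s+'
    r'Requests from build artifacts pages are restricted:.*?'
    r'Referring page: "(?P<referrer>[^"]*)"\s+'
    r"Request details: (?P<method>[A-Z]+) '(?P<target>[^']*)', "
    r'from client IP \((?P<client>[^)]*)\), (?P<auth>.*)$'
)


def parse_blocked(line):
    """Return a dict for a blocked artifact-page request, or None."""
    m = BLOCKED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec.pop("target"))
    rec["path"] = url.path
    # parse_qs percent-decodes, so the REST locator becomes readable.
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    # /guestAuth/ requests are covered by the restriction too (see the reply).
    rec["guest_prefix"] = url.path.startswith("/guestAuth/")
    return rec


def summarize(lines):
    """Count blocked requests per (referring page, requested path)."""
    hits = (parse_blocked(line) for line in lines)
    return Counter((h["referrer"], h["path"]) for h in hits if h)


# Line 1 is the entry from the question; lines 2 and 3 are constructed.
SAMPLE_LOG = """
[2019-02-20 21:53:18,144] INFO [ http-nio-8111-exec-10] - Requests from build artifacts pages are restricted: Only requests to the same build's artifacts are allowed from the build artifacts. Referring page: "...react.html" Request details: GET '/guestAuth/app/rest/buildTypes/Graph/builds?locator=count%3A10%2Cstart%3A0&overrideAccept=application%2Fjson', from client IP (127.0.0.1:55868), no auth
[2019-02-20 21:53:48,201] INFO [ http-nio-8111-exec-12] - Requests from build artifacts pages are restricted: Only requests to the same build's artifacts are allowed from the build artifacts. Referring page: "...react.html" Request details: GET '/guestAuth/app/rest/buildTypes/Graph/builds?locator=count%3A10%2Cstart%3A0&overrideAccept=application%2Fjson', from client IP (127.0.0.1:55871), no auth
[2019-02-20 21:53:49,001] INFO [ http-nio-8111-exec-11] - constructed unrelated entry
""".strip().splitlines()

if __name__ == "__main__":
    for (referrer, path), count in summarize(SAMPLE_LOG).items():
        print(f"{count:3d}  {referrer}  ->  {path}")
```

A referring page that shows up here with a high count is a report tab that depends on calling the server's REST API, which is the pattern the fix blocks.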