SQL Clone Request failed anti-forgery validation

Trying to setup Azure Dev Ops with SQL Clone tasks to delete image. Getting the following.

  1. Task : SQL Clone - Delete image
    Description : Delete images created by SQL Clone
    Version : 4.0.0
    Author : Redgate Software
    ==============================================================================
    Connected to SQL Clone server
    Found image
    Deleting image
    ##[error]Request failed anti-forgery validation:
    Just had request with mismatched anti-forgery cookie and header to an anti-forgery protected URI [http://devapp01:14145/api/v1/images/2]
    Technical details: Forbidden received from server when performing DELETE /api/v1/images/2
Answers

  • SQL Clone Server uses double-submit cookie verification as a mitigation against cross-site request forgery. Although CSRF is a browser concern, our PowerShell cmdlets and therefore Azure DevOps extension also need to send requests that comply with that contract.

    This means that requests should have a header and a cookie set to matching values. The cmdlets and therefore extension that uses them sets these to constants. Is there any possibility that the headers or cookies are being transformed/stripped between the Azure DevOps agent and SQL Clone Server, perhaps by a proxy?
  • Cat_Bill Posts: 7 New member
    There could be a proxy due to the connections between Azure and our servers. Is there a way to disable the check? I don't have control over the network.
  • Cat_Bill Posts: 7 New member
    I was able to confirm there is no proxy!
  • Hm, interesting. This is a problem that we've heard of before with Azure DevOps, but haven't been able to explore properly.

    We could potentially explore this further with network tracing and/or a private build with some additional logging to see what headers/cookies we're receiving. Could you open a ticket with [email protected] and mention this conversation?
  • CAT_Keith Posts: 3 New member
    After doing a lot of testing it appears the error is caused by not using the root web address for the SQL Clone interface on the local server as the Server URL.

    When launching the SQL Clone interface (Web browser page) it does a redirect to http://<servername>:14145/dashboard. If you have the /dashboard in the Server URL box in Azure DevOps it causes the above CSRF error.

    Once I removed the /dashboard it worked correctly. This must have been altering the cookie. Wanted to post an update, so this is documented and others don't have this issue.
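The double-submit contract described in the first answer, and the client-side root-URL fix from the post above, as an added example that is not Redgate's code: the header and cookie names, the token value and the request layout are assumptions, since the real ones are not given in the thread.

```python
# Added example, not SQL Clone's implementation: a server-side double-submit
# check and a client that derives the API path from the root of the Server URL.
import hmac
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit

# Assumed names; the thread does not say what SQL Clone Server actually uses.
ANTIFORGERY_HEADER = "X-Antiforgery-Token"
ANTIFORGERY_COOKIE = "antiforgery"


def check_double_submit(headers: dict, cookie_header: str) -> tuple:
    """Server side: accept only when the header and the cookie carry the same token."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    cookie_val = jar[ANTIFORGERY_COOKIE].value if ANTIFORGERY_COOKIE in jar else None
    header_val = headers.get(ANTIFORGERY_HEADER)
    if cookie_val is None or header_val is None:
        return 403, "Request failed anti-forgery validation: missing cookie or header"
    # Constant-time comparison so the check itself leaks nothing about the token.
    if not hmac.compare_digest(cookie_val.encode(), header_val.encode()):
        return 403, "Request failed anti-forgery validation: mismatched anti-forgery cookie and header"
    return 200, "OK"


def api_base(server_url: str) -> str:
    """Client side: reduce e.g. http://devapp01:14145/dashboard to http://devapp01:14145."""
    parts = urlsplit(server_url)
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def delete_image_request(server_url: str, image_id: int, token: str) -> dict:
    """Build the DELETE the extension sends, with cookie and header set to one constant."""
    return {
        "method": "DELETE",
        "url": f"{api_base(server_url)}/api/v1/images/{image_id}",
        "headers": {ANTIFORGERY_HEADER: token},
        "cookie": f"{ANTIFORGERY_COOKIE}={token}",
    }


if __name__ == "__main__":
    # Constructed sample: the Server URL that caused the error in the thread.
    req = delete_image_request("http://devapp01:14145/dashboard", 2, "constant-token")
    print(req["url"])                                      # http://devapp01:14145/api/v1/images/2
    print(check_double_submit(req["headers"], req["cookie"]))  # (200, 'OK')
```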
  • Thanks for the update! That's really useful to hear about, and I'm glad it's now working.

    I'll have a look what options we have to prevent others getting into this situation in the future.