[BAM-3239] REST API updateAndBuild.action can be abused if no IP address is specified

Type: Suggestion
Resolution: Obsolete
Fix Version/s: None
Component/s: REST API
Labels:
None

UIS:
0
Support reference count:
1
Feedback Policy:

Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

currently no authorization is required - updateAndBuild.action is designed to work with repository scripts to push builds from the repository server. It is not designed to be used by 'users' from a random IP address. Thus the IP address of the repository has to be specified to make this command api call safe. Otherwise it is not safe and can be abused. The IP address field should not be optional. It should be dedicated to the repository IP address to avoid a possible remote attack.

is related to

BAM-3238 present a message to remote client if /api/rest/updateAndBuild.action?buildKey=PLAN-KEY did not trigger a build

Closed

relates to

BAM-3325 updateAndBuild API should be more normal

Closed

Bob Swift added a comment - 25/Nov/2008 1:48 PM

I disagree with statement about IP address field should not be optional. I believe that build plans should not have to specify this field with the assumption that anything coming from the source control server is ok (without authorization) and all others are denied. Coding in absolute IP addresses in build plans should be avoided as it is a maintenance burden.

Bob Swift added a comment - 25/Nov/2008 1:48 PM I disagree with statement about IP address field should not be optional . I believe that build plans should not have to specify this field with the assumption that anything coming from the source control server is ok (without authorization) and all others are denied. Coding in absolute IP addresses in build plans should be avoided as it is a maintenance burden.

Ulrich Kuhnhardt [Atlassian] added a comment - 25/Nov/2008 5:50 AM

https://support.atlassian.com/browse/BSP-1361

Ulrich Kuhnhardt [Atlassian] added a comment - 25/Nov/2008 5:50 AM https://support.atlassian.com/browse/BSP-1361

Assignee:: Unassigned

Reporter:: Ulrich Kuhnhardt [Atlassian]

Votes:: 1 Vote for this issue

Watchers:: 0 Start watching this issue

Created:: 25/Nov/2008 5:41 AM

Updated:: 19/Sep/2019 5:46 AM

Resolved:: 12/Apr/2019 10:46 AM

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: Bob Swift added a comment - 25/Nov/2008 1:48 PM

Expand comment: Bob Swift added a comment - 25/Nov/2008 1:48 PM

Collapse comment: Ulrich Kuhnhardt [Atlassian] added a comment - 25/Nov/2008 5:50 AM

Expand comment: Ulrich Kuhnhardt [Atlassian] added a comment - 25/Nov/2008 5:50 AM

People

Dates