Automation for Jira Server / JIRAAUTOSERVER-476

"Write-Only" Authentication Secrets in "Send Web Request" Action

Details

    • Suggestion
    • Resolution: Unresolved

    Description

      Any Authentication Secrets needed as part of configuring a "Send Web Request" Action have to be stored in a readable Header Key/Value field.  

      Community Documentation here: https://community.atlassian.com/t5/Jira-articles/Automation-for-Jira-Send-web-request-using-Jira-REST-API/ba-p/1443828 

       

      There should be specific "Write Only" fields for inputting authentication secrets so that they can't be retrieved later (even via API).

       

      Currently, any user with access to view/edit Automations can:

      • Input arbitrary Authentication Secrets.
      • Exfiltrate any existing Authentication Secrets.
      • Utilize exfiltrated Secrets in unauthorized external systems.

       

      Partial Workaround:

      Disable "Allow project administrators to manage project rules" at https://<yourdomain>.atlassian.net/jira/settings/automation#/config

            People

              Assignee: Unassigned
              Reporter: Gordon Thomas
              Votes: 12
              Watchers: 9

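A sketch of the "Write Only" behaviour the description asks for, added here as an illustration and not taken from the ticket or from Atlassian's code: the secret is accepted on write, used only when the request is sent, and never returned by the read path or by repr(). The class, method and field names (WebRequestAction, secretHeaders, isSet) and the rule that a change of destination host discards stored secrets are assumptions of this example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class WebRequestAction:
    """Hypothetical model of a "Send web request" action (not Atlassian's schema)."""
    url: str
    headers: dict = field(default_factory=dict)               # readable headers
    _secrets: dict = field(default_factory=dict, repr=False)  # write-only store

    def set_secret_header(self, name: str, value: str) -> None:
        """Write path: accept a secret; there is deliberately no getter."""
        if not value:
            raise ValueError("secret value must be non-empty")
        self._secrets[name] = value

    def set_url(self, new_url: str) -> None:
        """Assumed rule: a new destination host discards stored secrets, so an
        existing credential cannot be re-pointed at a different system."""
        if urlsplit(new_url).hostname != urlsplit(self.url).hostname:
            self._secrets.clear()
        self.url = new_url

    def to_api_view(self) -> dict:
        """Read path for the UI and REST API: only the fact that a secret is set."""
        return {
            "url": self.url,
            "headers": dict(self.headers),
            "secretHeaders": {name: {"isSet": True} for name in self._secrets},
        }

    def resolve_for_send(self) -> dict:
        """Called only by the rule executor at the moment the request is sent."""
        return {**self.headers, **self._secrets}


def demo() -> dict:
    # Constructed sample values; the token is a placeholder, not a real credential.
    action = WebRequestAction("https://example.atlassian.net/rest/api/2/issue",
                              headers={"Content-Type": "application/json"})
    action.set_secret_header("Authorization", "Basic PLACEHOLDER_TOKEN")
    return action.to_api_view()


if __name__ == "__main__":
    print(demo())
```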