Details
Suggestion
Resolution: Unresolved
Description
Summary
The Jira whitelist feature is not able to whitelist the REST API path */rest/api/2/*
Based on the documentation at https://confluence.atlassian.com/adminjiraserver079/configuring-the-whitelist-950289162.html, incoming whitelisting was designed for CORS only and was never intended to act as a firewall for Jira and block incoming requests.
Steps to reproduce
- Go to the Jira whitelist page.
- Add "*/rest/api/2/*" with the 'Wildcard expression' type.
- Test a URL and incoming returns an error, which means any REST URL is whitelisted.
- Run the command below:
curl -D- -u <username>:<password> -X GET -H "Content-Type: application/json" <BASE_URL>/rest/api/2/issue/<issue-key>
Expected Results.
The Jira whitelist should be able to stop any incoming request to the REST API URI.
Actual Results.
We can see the results after running the curl command.
Workaround
Try another way to restrict the REST API, such as blocking the requests at a firewall or proxy.
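
The difference between a CORS allowlist and actual request blocking, and the effect of the proxy workaround, shown as an added Python model (not Jira or Atlassian code). The origin, the trusted subnet, the issue key and the function names are assumptions constructed for the illustration.

```python
# Added illustration: a CORS allowlist versus enforcement in front of the app.
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# Constructed sample values; replace with your own.
CORS_ALLOWED_ORIGINS = {"https://dashboard.example.com"}
BLOCKED_PATTERN = "*/rest/api/2/*"                # the pattern from the report
TRUSTED_NETWORKS = [ip_network("10.20.0.0/16")]   # hypothetical integration subnet


def backend(path, origin=None):
    """Model of an app whose allowlist only drives CORS response headers.

    The request is always served. The allowlist only decides whether a
    browser may hand the response to cross-origin script.
    """
    headers = {"Content-Type": "application/json"}
    if origin in CORS_ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
    return 200, headers, '{"key": "DEMO-1"}'


def proxy(path, client_ip, origin=None):
    """Model of a reverse-proxy rule that refuses the request before the app."""
    trusted = any(ip_address(client_ip) in net for net in TRUSTED_NETWORKS)
    if fnmatchcase(path, BLOCKED_PATTERN) and not trusted:
        return 403, {}, ""
    return backend(path, origin)


if __name__ == "__main__":
    path = "/jira/rest/api/2/issue/DEMO-1"
    # A non-browser client such as curl sends no Origin and ignores CORS headers.
    print("backend only:", backend(path)[0])
    print("via proxy, untrusted source:", proxy(path, "203.0.113.7")[0])
    print("via proxy, trusted source:", proxy(path, "10.20.3.4")[0])
```

The backend returns the issue body whether or not the origin is on the allowlist; only the proxy rule changes the status code the client receives.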