JRASERVER-67452

JIRA whitelist can't block rest api

    Description

      Summary

      The JIRA Whitelist feature is not able to whitelist the REST API

      */rest/api/2/*
      

      Based on the documentation (https://confluence.atlassian.com/adminjiraserver079/configuring-the-whitelist-950289162.html), incoming whitelisting was designed for CORS only and was never intended to be a firewall for Jira that blocks incoming requests.

      Steps to reproduce

      1. Go to the JIRA whitelist page.
      2. Add "*/rest/api/2/*" with the 'Wildcard expression' type.
      3. Test a URL; incoming returns an error, which means any REST URL is whitelisted.
      4. Run the command below:
        curl -D- -u <username>:<password> -X GET -H "Content-Type: application/json" <BASE_URL>/rest/api/2/issue/<issue-key>

      Expected Results

      The JIRA whitelist should be able to stop any incoming request to the REST API URI.

      Actual Results

      We can see the results after running the curl command.

      Workaround

      Try another way to restrict the REST API, such as blocking the request through a firewall or proxy.
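
      The difference between a CORS allowlist and a blocking rule, as an added example (a simplified model, not Jira's or Atlassian's code). The origins, IP addresses, issue key and function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample values; not taken from any real Jira instance.
ALLOWED_ORIGINS = {"https://dashboard.example.com"}  # CORS allowlist (assumed)
PROXY_DENY = ["/rest/api/2/*"]                       # proxy deny rule (assumed)
PROXY_TRUSTED_IPS = {"10.0.0.5"}                     # clients exempt from the rule


def app_with_cors(path, headers):
    """Model of an app whose allowlist only drives CORS response headers."""
    resp_headers = {}
    origin = headers.get("Origin")
    if origin in ALLOWED_ORIGINS:
        # The allowlist's only effect: tell browsers this origin may read the reply.
        resp_headers["Access-Control-Allow-Origin"] = origin
    # The request is served either way; nothing above rejects it.
    return 200, resp_headers, f"data for {path}"


def proxy(path, headers, client_ip):
    """Model of a reverse proxy that enforces a path rule in front of the app."""
    denied = any(fnmatchcase(path, pattern) for pattern in PROXY_DENY)
    if denied and client_ip not in PROXY_TRUSTED_IPS:
        return 403, {}, "blocked by proxy"
    return app_with_cors(path, headers)


def browser_can_read(page_origin, resp_headers):
    """Browser-side CORS check: a cross-origin script may read the body only
    when the response names its origin."""
    return resp_headers.get("Access-Control-Allow-Origin") == page_origin


if __name__ == "__main__":
    path = "/rest/api/2/issue/DEMO-1"  # constructed issue key
    # curl sends no Origin header, so the CORS allowlist never comes into play.
    print("curl, no proxy:", app_with_cors(path, {})[0])
    # A page on an unlisted origin still gets a 200; only the browser withholds it.
    status, hdrs, _ = app_with_cors(path, {"Origin": "https://other.example.net"})
    print("unlisted origin:", status, "readable:",
          browser_can_read("https://other.example.net", hdrs))
    # The proxy rule is what actually stops the request.
    print("curl via proxy:", proxy(path, {}, "203.0.113.7")[0])
    print("trusted client via proxy:", proxy(path, {}, "10.0.0.5")[0])
```

      A real proxy or firewall rule also has to normalise the request path and cover any other path that reaches the same endpoints; the model leaves that out.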

      Attachments

        1. whitelist-error.png
          201 kB
          John Chin

          People

            Assignee: Unassigned
            Reporter: John Chin (ckimloong)
            Votes: 14
            Watchers: 9