JIRA whitelist can't block REST API

      Summary

      JIRA Whitelist feature is not able to whitelist REST API

      */rest/api/2/*
      

      Based on documentation https://confluence.atlassian.com/adminjiraserver079/configuring-the-whitelist-950289162.html, incoming whitelisting was designed for CORS only and was never intended to be a firewall for Jira and block incoming requests.

      Steps to reproduce

      1. Go to JIRA whitelist page
      2. Add "*/rest/api/2/*" with 'Wildcard expression' type.
      3. Test a URL; incoming returns an error, which means any REST URL is whitelisted:
      4. Run the command below:
        curl -D- -u <username>:<password> -X GET -H "Content-Type: application/json" <BASE_URL>/rest/api/2/issue/<issue-key>
        

      Expected Results.

      JIRA whitelist should be able to stop any incoming request from the REST API URI

      Actual Results.

      We can see the results after running the curl command.

      Workaround

      Try another way to restrict the REST API, such as blocking the request through a firewall or proxy.
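One way to apply the proxy workaround, shown as an added nginx reverse-proxy example that is not part of the original report or Atlassian's own configuration. The hostname, certificate paths, upstream address `127.0.0.1:8080`, the absence of a context path and the trusted network `10.0.0.0/8` are all assumptions to replace with your own values.

```nginx
# Added example. Assumes Jira listens only on 127.0.0.1:8080 (so the proxy
# cannot be bypassed) and is deployed without a context path.
server {
    listen 443 ssl;
    server_name jira.example.com;                  # placeholder hostname
    ssl_certificate     /etc/nginx/tls/jira.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/jira.key;

    # nginx matches locations against the normalized URI (decoded, "../"
    # resolved, slashes merged). The pattern covers /rest/api/2/ and
    # /rest/api/latest/, which Jira serves as an alias for the same API.
    location ~ ^/rest/api/(2|latest)/ {
        allow 10.0.0.0/8;    # assumed trusted network
        deny  all;           # all other sources get 403 before reaching Jira

        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else is passed through unchanged.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Jira's own web interface calls these REST endpoints, so restrict by source network rather than denying every client. Rerunning the curl command from step 4 from outside the allowed range should then return 403 instead of the issue JSON.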

            Assignee: Unassigned
            Reporter: John Chin (Inactive)
            Votes: 13
            Watchers: 8