Type: Suggestion
Resolution: Unresolved
Issue Summary
Rate limiting decides whether a request comes from the UI by checking certain cookies and headers. Some client libraries, such as https://pypi.org/project/jira/2.0.0/, keep the cookies set by the server, so all subsequent requests are evaluated as UI requests and rate limiting is not applied. These requests appear in the access logs as coming from a python agent.
Steps to Reproduce
- Use the library specified above, or send back the cookie set by the server together with two of the cookies/headers below:
    public static final String HEADER_ORIGIN = "origin";
    public static final String HEADER_REFERER = "Referer";
    public static final String COOKIE_SESSION_ID = "JSESSIONID";
    public static final String COOKIE_CSRF_TOKEN = "atlassian.xsrf.token";
- Perform requests against a Jira server with rate limiting enabled
- The requests are evaluated as UI requests and are not rate limited
Expected Results
Requests coming from specific agents such as python are not evaluated as UI requests, even if they meet the cookie/header criteria for UI requests.
Actual Results
Requests are not rate limited, and they can be seen in the access logs as coming from the python client:
192.168.20.55 272x228079x2 ****** [16/Jun/2021:04:32:05 +0200] "GET /jira/rest/api/2/field HTTP/1.0" 200 12393 161 "-" "python-requests/2.25.1" "1m3clon"
192.168.20.55 272x228080x2 ****** [16/Jun/2021:04:32:05 +0200] "GET /jira/rest/api/2/field HTTP/1.0" 200 12393 155 "-" "python-requests/2.25.1" "160ga5k"
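As an added example (not Jira's code nor the jira library's), the classification described above modelled in Python: the current cookie/header heuristic beside the check the expected result asks for, plus a scan of the quoted access-log lines for REST calls made by non-browser agents. The non-browser agent list, the jira.example.test host and the /jira/rest/ context path are assumptions.

```python
import re

# Marker names quoted in the issue (Jira's constants); header names are matched case-insensitively
UI_HEADERS = ("origin", "referer")
UI_COOKIES = ("JSESSIONID", "atlassian.xsrf.token")
# Assumed list of User-Agent prefixes for non-browser clients that must never count as UI traffic
NON_BROWSER_AGENTS = ("python-requests/", "curl/", "java/", "okhttp/", "go-http-client/")


def has_ui_markers(headers, cookies):
    """Current behaviour described in the issue: any one UI header or cookie is enough
    for the request to count as UI traffic, which is exempt from rate limiting."""
    names = {k.lower() for k in headers}
    return any(h in names for h in UI_HEADERS) or any(c in cookies for c in UI_COOKIES)


def is_ui_request(headers, cookies):
    """Expected behaviour: the markers alone are not enough; a known non-browser
    User-Agent is classified as an API client and therefore stays rate limited."""
    ua = next((v for k, v in headers.items() if k.lower() == "user-agent"), "").lower()
    return False if ua.startswith(NON_BROWSER_AGENTS) else has_ui_markers(headers, cookies)


# Jira access-log layout as in the lines quoted in the issue
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d+) \S+ \S+ "[^"]*" "(?P<ua>[^"]*)" "[^"]*"$')


def non_browser_rest_calls(log_lines, rest_prefix="/jira/rest/"):
    """Return (ip, path, user-agent) for REST calls made by a known non-browser agent:
    the traffic that, per the expected result, should have been rate limited."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["path"].startswith(rest_prefix) and m["ua"].lower().startswith(NON_BROWSER_AGENTS):
            hits.append((m["ip"], m["path"], m["ua"]))
    return hits


# Constructed request: a python client that kept the server's cookies and sends a Referer
API_CLIENT = ({"User-Agent": "python-requests/2.25.1", "Referer": "https://jira.example.test/"},
              {"JSESSIONID": "constructed-session", "atlassian.xsrf.token": "constructed-token"})
# The two access-log lines quoted in the issue
ACCESS_LOG = [
    '192.168.20.55 272x228079x2 ****** [16/Jun/2021:04:32:05 +0200] "GET /jira/rest/api/2/field HTTP/1.0" 200 12393 161 "-" "python-requests/2.25.1" "1m3clon"',
    '192.168.20.55 272x228080x2 ****** [16/Jun/2021:04:32:05 +0200] "GET /jira/rest/api/2/field HTTP/1.0" 200 12393 155 "-" "python-requests/2.25.1" "160ga5k"',
]

if __name__ == "__main__":
    print("current heuristic exempts the python client:", has_ui_markers(*API_CLIENT))  # True
    print("hardened check exempts it:", is_ui_request(*API_CLIENT))                     # False
    print("REST calls from non-browser agents:", non_browser_rest_calls(ACCESS_LOG))
```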
Workaround
The only workaround is to make sure the client does not send the cookie/header that causes the request to be evaluated as a UI request.
Is related to: JRASERVER-76021 Using the Jira Python library to make REST API calls with cookie auth bypasses Jira rate limiting (Needs Triage)