Details
- Type: Bug
- Resolution: Unresolved
- Priority: Medium
- None
- Affects Version/s: 8.6.0, 9.1.0, 9.10.0
- 8.06
- 2
- Symptom Severity: Severity 2 - Major
- 1
Description
Issue Summary
When the open-source Jira Python library is used to make REST API calls to Jira with cookie-based authentication (the library's auth= option), Jira's rate limits are bypassed. The library's HTTP session keeps the JSESSIONID and atlassian.xsrf.token cookies issued at login, so Jira classifies every subsequent REST call as a UI request and exempts it from rate limiting. This can result in significant performance impact, because scripted API requests from such a client cannot be throttled.
This is reproducible on Data Center: yes
Steps to Reproduce
- Configure rate limiting in Jira to allow 1 request per 1 minute with burst size 1.
- Configure TRACE level logging for the com.atlassian.ratelimiting package.
- Install the Jira Python library and repeatedly run the following script, replacing JIRA_BASE_URL, USERNAME and PASSWORD as appropriate:
    import jira
    # auth= selects cookie-based session authentication in the Jira Python library
    myjira = jira.JIRA('https://JIRA_BASE_URL/', auth=('USERNAME', 'PASSWORD'))
    print(myjira.projects())
Expected Results
Rate limiting works as configured.
Actual Results
Rate limiting has no effect.
The Jira logs show that the requests made by Python are being treated as UI requests because both the JSESSIONID and atlassian.xsrf.token cookies are present (no UI headers are needed, and no Authorization header is found, since a cookie-authenticated client does not send one), so rate limiting is skipped:
2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.filter.RateLimitFilter] Checking if rate limiting logic needs to be applied to user request: [/rest/api/2/project]
2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] All request headers: [[host, user-agent, accept, accept-encoding, cache-control, content-type, cookie, x-atlassian-token, x-forwarded-for, x-forwarded-host, x-forwarded-port, x-forwarded-proto, x-forwarded-server, x-real-ip]], UI headers: [{}] (count: 0), UI cookies [{JSESSIONID=[FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF], atlassian.xsrf.token=[FFFF-FFFF-FFFF-FFFF_ffffffffffffffffffffffffffffffffffffffff_lin]}] (count: 2), is UI request: [true]
2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] Authorization: no header found
2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.filter.RateLimitFilter] Request has passed rate limiting - continuing on...
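As an added example (not part of this bug report and not Atlassian's code), the following Python parses com.atlassian.ratelimiting TRACE lines of the shape shown above and flags sessions whose REST calls were classified as UI requests purely because of session cookies, then reports any such session that exceeded the configured limit inside the rate-limit window. The sample log lines are constructed to match the layout above (cookie values, request ids and the second and third clients are made up), and the field order in the regex, the /rest/ path prefix test and the 1-request-per-60-seconds threshold are assumptions taken from the steps to reproduce.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not captured from a real server) in the shape of the TRACE
# lines quoted in the report. Lines 1-3: a cookie-authenticated script hammering
# /rest/api/2/project. Line 4: a RateLimitFilter line that carries no
# classification. Line 5: a real browser page view. Line 6: a client sending an
# Authorization header and no cookies, which the handler classifies as non-UI.
SAMPLE_LOG = """\
2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] All request headers: [[host, user-agent, accept, cookie, x-atlassian-token]], UI headers: [{}] (count: 0), UI cookies [{JSESSIONID=[AAAA], atlassian.xsrf.token=[BBBB_lin]}] (count: 2), is UI request: [true]
2023-07-06 07:31:31,101+0000 http-nio-8080-exec-22 TRACE anonymous 123x457x8 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] All request headers: [[host, user-agent, accept, cookie, x-atlassian-token]], UI headers: [{}] (count: 0), UI cookies [{JSESSIONID=[AAAA], atlassian.xsrf.token=[BBBB_lin]}] (count: 2), is UI request: [true]
2023-07-06 07:31:31,402+0000 http-nio-8080-exec-23 TRACE anonymous 123x458x9 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] All request headers: [[host, user-agent, accept, cookie, x-atlassian-token]], UI headers: [{}] (count: 0), UI cookies [{JSESSIONID=[AAAA], atlassian.xsrf.token=[BBBB_lin]}] (count: 2), is UI request: [true]
2023-07-06 07:31:31,402+0000 http-nio-8080-exec-23 TRACE anonymous 123x458x9 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.filter.RateLimitFilter] Request has passed rate limiting - continuing on...
2023-07-06 07:31:40,010+0000 http-nio-8080-exec-24 TRACE alice 123x459x1 sessionid 10.0.0.7 /browse/PROJ-1 [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] All request headers: [[host, user-agent, accept, cookie, referer]], UI headers: [{}] (count: 0), UI cookies [{JSESSIONID=[CCCC], atlassian.xsrf.token=[DDDD_lin]}] (count: 2), is UI request: [true]
2023-07-06 07:31:45,555+0000 http-nio-8080-exec-25 TRACE bob 123x460x2 - 10.0.0.9 /rest/api/2/project [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] All request headers: [[host, user-agent, accept, authorization]], UI headers: [{}] (count: 0), UI cookies [{}] (count: 0), is UI request: [false]
"""

# Assumed field order, copied from the quoted lines:
# timestamp thread level user request-id session ip path [logger] message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{4}) "
    r"(?P<thread>\S+) (?P<level>\S+) (?P<user>\S+) (?P<reqid>\S+) (?P<session>\S+) "
    r"(?P<ip>\S+) (?P<path>\S+) \[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)
UI_RE = re.compile(
    r"UI headers: \[\{(?P<uihdrs>[^}]*)\}\] \(count: (?P<hcount>\d+)\), "
    r"UI cookies \[\{(?P<uicookies>[^}]*)\}\] \(count: (?P<ccount>\d+)\), "
    r"is UI request: \[(?P<isui>true|false)\]"
)


def parse_line(line):
    """Split one DefaultRateLimitUiRequestHandler classification line into fields.

    Returns None for any other line (RateLimitFilter lines, unrelated output).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    u = UI_RE.search(rec["msg"])
    if not u:
        return None
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f%z")
    rec["ui_header_count"] = int(u.group("hcount"))
    rec["ui_cookie_count"] = int(u.group("ccount"))
    rec["is_ui"] = u.group("isui") == "true"
    sid = re.search(r"JSESSIONID=\[([^\]]*)\]", u.group("uicookies"))
    rec["jsessionid"] = sid.group(1) if sid else None
    return rec


def is_cookie_only_rest_request(rec):
    """True when a REST call was treated as a UI request solely because it carried
    session cookies: /rest/ path, no UI headers, at least one UI cookie. These are
    exactly the requests the limiter waves through in the behaviour reported above."""
    return (rec["path"].startswith("/rest/")
            and rec["is_ui"]
            and rec["ui_header_count"] == 0
            and rec["ui_cookie_count"] > 0)


def find_bypassing_sessions(log_text, limit=1, window_seconds=60):
    """Group cookie-only REST requests by (client IP, JSESSIONID) and return every
    session that made more than `limit` of them inside any `window_seconds` window,
    i.e. traffic the configured limit should have throttled. The defaults mirror the
    1 request per minute, burst 1 configuration from the steps to reproduce.
    Returns {(ip, jsessionid): peak_requests_in_one_window}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_cookie_only_rest_request(rec):
            hits[(rec["ip"], rec["jsessionid"])].append(rec["ts"])
    offenders = {}
    for key, stamps in hits.items():
        stamps.sort()
        peak = 0
        for i, start in enumerate(stamps):
            # requests from this one forward that fall inside the sliding window
            n = sum(1 for t in stamps[i:] if (t - start).total_seconds() <= window_seconds)
            peak = max(peak, n)
        if peak > limit:
            offenders[key] = peak
    return offenders


if __name__ == "__main__":
    for (ip, sid), n in find_bypassing_sessions(SAMPLE_LOG).items():
        print(f"{ip} session {sid}: {n} un-throttled REST calls inside 60s "
              f"(configured limit: 1 per minute)")
```

Run against a real log, the session keys this returns identify the scripts to chase down; the JSESSIONID alone is enough to distinguish a cookie-authenticated script from a browser only when combined with the /rest/ path test, since a genuine page view (the /browse/ line in the sample) carries the same two cookies.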
Workaround
Configure the Jira Python library to use token-based authentication (its token_auth= option) instead of cookie-based auth=, so that requests carry an Authorization header rather than session cookies. This is a client-side change only: it requires the active cooperation of the user running the Python script and cannot be enforced from the Jira side.
Attachments
Issue Links
- duplicates: JSWSERVER-21473 Rate limiting does not work for Cookie based authorization (Gathering Interest)
- is related to: JRASERVER-70560 Initial requests cause subsequent requests to be not rate limited for some REST client tools (Closed)
- relates to: JRASERVER-72591 Rate limiting to perform agent specific evaluation (Gathering Interest)
- relates to: VULN-1091874
- relates to: PSR-894