Jira Data Center
JRASERVER-76021

Using the Jira Python library to make REST API calls with cookie auth bypasses Jira rate limiting


Details

    Description

      Issue Summary

      When the open-source Jira Python library is used to make REST API calls to Jira with cookie-based authentication, Jira's rate limits are bypassed. This can result in a significant performance impact, because scripted API requests cannot be limited.

      This is reproducible on Data Center: yes

      Steps to Reproduce

      1. Configure rate limiting in Jira to allow 1 request per 1 minute with burst size 1.
      2. Configure TRACE level logging for the com.atlassian.ratelimiting package.
      3. Install the Jira Python library and repeatedly run the following script, replacing JIRA_BASE_URL, USERNAME and PASSWORD as appropriate:
        import jira

        # Basic (username/password) auth: the library logs in once and then reuses the
        # JSESSIONID and atlassian.xsrf.token cookies it receives on subsequent calls.
        myjira = jira.JIRA('https://JIRA_BASE_URL/', auth=('USERNAME', 'PASSWORD'))

        print(myjira.projects())

      Expected Results

      Rate limiting works as configured.

      Actual Results

      Rate limiting has no effect.

      The Jira logs show that the requests made by the Python script are treated as UI requests because both the JSESSIONID and atlassian.xsrf.token cookies are present, and UI requests bypass rate limiting:

      2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.filter.RateLimitFilter] Checking if rate limiting logic needs to be applied to user request: [/rest/api/2/project]
      2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] All request headers: [[host, user-agent, accept, accept-encoding, cache-control, content-type, cookie, x-atlassian-token, x-forwarded-for, x-forwarded-host, x-forwarded-port, x-forwarded-proto, x-forwarded-server, x-real-ip]], UI headers: [{}] (count: 0), UI cookies [{JSESSIONID=[FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF], atlassian.xsrf.token=[FFFF-FFFF-FFFF-FFFF_ffffffffffffffffffffffffffffffffffffffff_lin]}] (count: 2), is UI request: [true]
      2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] Authorization: no header found
      2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.filter.RateLimitFilter] Request has passed rate limiting - continuing on...
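
As an added example (not part of this issue or of Jira itself), a small Python check that scans these DefaultRateLimitUiRequestHandler TRACE lines for REST calls the limiter classified as UI requests on the strength of session cookies alone, which is the condition the lines above record. The sample log is constructed after the lines above; the token-authenticated /rest/api/2/search request is an assumed contrast case.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample TRACE lines modelled on the ones quoted in this issue (cookie values are
# placeholders); the token-auth /rest/api/2/search request is assumed for contrast, not from the page.
SAMPLE_LOG = """\
2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] All request headers: [[host, user-agent, accept, cookie, x-atlassian-token]], UI headers: [{}] (count: 0), UI cookies [{JSESSIONID=[FFFF], atlassian.xsrf.token=[FFFF-FFFF_lin]}] (count: 2), is UI request: [true]
2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] Authorization: no header found
2023-07-06 07:32:01,100+0000 http-nio-8080-exec-22 TRACE anonymous 123x456x8 sessionid 5.6.7.8 /rest/api/2/search [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] All request headers: [[host, user-agent, accept, authorization]], UI headers: [{}] (count: 0), UI cookies [{}] (count: 0), is UI request: [false]
"""

# date time thread LEVEL user requestId sessionId ip path [logger] message
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<thread>\S+) TRACE (?P<user>\S+) (?P<reqid>\S+) \S+ "
    r"(?P<ip>\S+) (?P<path>\S+) \[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)
MSG_RE = re.compile(
    r"UI headers: \[\{[^}]*\}\] \(count: (?P<hcount>\d+)\), "
    r"UI cookies \[\{(?P<cookies>[^}]*)\}\] \(count: \d+\), "
    r"is UI request: \[(?P<is_ui>true|false)\]"
)

def parse_classification(line: str) -> Optional[Dict]:
    """Return the limiter's UI/non-UI decision recorded on one TRACE line, else None."""
    m = LINE_RE.match(line)
    if not m or not m["logger"].endswith("DefaultRateLimitUiRequestHandler"):
        return None
    d = MSG_RE.search(m["msg"])
    if not d:
        return None  # e.g. the "Authorization: no header found" line
    return {
        "reqid": m["reqid"], "ip": m["ip"], "user": m["user"], "path": m["path"],
        "ui_header_count": int(d["hcount"]),
        "cookies": re.findall(r"([\w.]+)=\[", d["cookies"]),  # cookie names only
        "is_ui": d["is_ui"] == "true",
    }

def find_cookie_exempt_rest_requests(log_text: str) -> List[Dict]:
    """REST calls the limiter waved through as 'UI' with no UI headers, i.e. on cookies alone."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_classification(line)
        if rec and rec["path"].startswith("/rest/") and rec["is_ui"] and rec["ui_header_count"] == 0:
            hits.append(rec)
    return hits

def exempt_calls_per_ip(log_text: str) -> Counter:
    """Tally exempt REST calls by client IP so a burst from one script stands out."""
    return Counter(h["ip"] for h in find_cookie_exempt_rest_requests(log_text))
```

Run over a real atlassian-jira.log with TRACE enabled for com.atlassian.ratelimiting, a high count for one IP or user is the signature of the scripted traffic this issue describes.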
      

      Workaround

      Configure the Jira Python library to use token-based authentication instead of cookie-based authentication; however, this requires the active cooperation of the user running the Python script.

People

Assignee: Unassigned
Reporter: Marcus Fong