  1. Jira Service Management Data Center
  2. JSDSERVER-11159

Insight automation should be checking Webhook URLs against Jira Allow List

      Issue Summary

      Insight Automation should check whether the URL specified as the endpoint of a Web Action automation rule is allowed in the Jira Allow List. This prevents data from being sent to third parties and leaked, as Automation Rules are not necessarily created by people with Jira Administrator permissions.

      Steps to Reproduce

      1. Set up an Automation Rule in Insight with a Web Action to a third-party endpoint
      2. Enable Jira Allow List

      Expected Results

      Data is not sent to the endpoint unless it is whitelisted in the Jira Allow List. This is already the behaviour of Automation for Jira (which can be enabled here) and out of the box for Automation (JSM built-in).

      Actual Results

      Insight sends the data to the endpoint, making this a security flaw of the tool.

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.
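
The expected behaviour described above, sketched as an added example (not code from Insight, Jira or Atlassian): a web-action step that checks the endpoint against an allow list before any data is sent. The names `ALLOW_LIST`, `is_allowed` and `run_web_action`, the sample hosts, and the exact-origin matching rule are all assumptions made for illustration; Jira's own Allow List rule types are not reproduced here.

```python
from urllib.parse import urlsplit

# Constructed allow list (assumption): exact (scheme, host, port) origins.
ALLOW_LIST = {("https", "hooks.example.com", 443)}
DEFAULT_PORTS = {"http": 80, "https": 443}


def is_allowed(url, allow_list=ALLOW_LIST):
    """Return True only if the URL's exact origin is on the allow list."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return False
    # A URL such as "https://allowed.host@other.host/" carries the allowed
    # name as credentials, not as the host; reject any URL with userinfo.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname.lower().rstrip(".")
    if port is None:
        port = DEFAULT_PORTS[scheme]
    # Exact tuple match: no substring or suffix comparison, so
    # "hooks.example.com.other.test" does not pass as "hooks.example.com".
    return (scheme, host, port) in allow_list


def run_web_action(url, payload, send, allow_list=ALLOW_LIST):
    """Hypothetical web-action step: the check runs before data leaves."""
    if not is_allowed(url, allow_list):
        return {"sent": False, "reason": "endpoint not on allow list"}
    send(url, payload)  # 'send' is the caller's HTTP client (assumption)
    return {"sent": True, "reason": None}
```

The HTTP client passed as `send` should not follow redirects automatically, otherwise an allowed endpoint could forward the payload to a host that was never checked.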


            There are no comments yet on this issue.

              Unassigned Unassigned
              rbaldasso Rodrigo Baldasso