Add Field operation fails with OWASP 3.0 core security rule because the request payload is not JSON


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • Affects Version/s: 8.17.0
    • Component/s: REST API
    • Severity: Severity 3 - Minor

      Issue Summary

      The "Add field" operation on the issue details page fails when Jira runs behind Microsoft Azure Application Gateway with the OWASP 3.0 core security rule set enabled. The WAF expects the request payload to conform to JSON, which the payload does not.

      Steps to Reproduce

      • Enable the OWASP 3.0 core security rule set on an Azure Application Gateway WAF in front of Jira, if possible.
      • Try adding a field from the issue details page.

      Expected Results

      Operation "Add Field" should work as usual.

      Actual Results

      The WAF blocks the call because the request payload does not conform to JSON.

      The firewall log entry written for the blocked request is below:

      {
        "resourceId": "xyz",
        "operationName": "ApplicationGatewayFirewall",
        "time": "2021-08-05T13:18:43.8437482Z",
        "category": "ApplicationGatewayFirewallLog",
        "properties": {
          "instanceId": "ApplicationGatewayRole_IN_0",
          "clientIp": "10.10.10.10",
          "clientPort": "0",
          "requestUri": "/rest/globalconfig/1/issuecustomfields/10100",
          "ruleSetType": "OWASP",
          "ruleSetVersion": "3.0",
          "ruleId": "0",
          "ruleGroup": "Default",
          "message": "",
          "action": "Matched",
          "site": "Global",
          "details": {
            "message": "JSON parsing error: lexical error: invalid char in json text.",
            "data": "",
            "file": "",
            "line": ""
          },
          "hostname": "jira.whatnot.com",
          "transactionId": "123456789"
        }
      }
      

      Workaround

      Write a WAF custom rule that exempts this URL path and takes precedence over the managed rule set, along the lines of the example here.
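      The log entry above has ruleId "0" and ruleGroup "Default": the block comes from the engine failing to parse the request body as JSON, not from a numbered CRS rule, so disabling an individual rule id does not help. The usual fix is a custom rule with action Allow scoped to the affected path, since custom rules are evaluated before the managed rule set. The script below is an added example, not code from Atlassian, Microsoft or the reporter: it triages constructed ApplicationGatewayFirewallLog lines (hostname jira.example.test and the field ids are made up; the record shape follows the entry in this report), builds a candidate Allow rule, and previews locally which blocked URIs that rule would release. The custom-rule field names follow the Azure WAF policy schema as the author of this example knows it; verify them against the current API reference before deploying.

```python
import json
import re
from collections import Counter

# Constructed sample log (one JSON record per line, as exported from a Log Analytics
# workspace or a storage sink): two JSON-parse blocks shaped like the entry in the report,
# plus an ordinary CRS hit that an exemption for the Jira path must NOT release.
SAMPLE_LOG = """
{"operationName":"ApplicationGatewayFirewall","category":"ApplicationGatewayFirewallLog","properties":{"requestUri":"/rest/globalconfig/1/issuecustomfields/10100","ruleSetType":"OWASP","ruleSetVersion":"3.0","ruleId":"0","ruleGroup":"Default","action":"Matched","hostname":"jira.example.test","details":{"message":"JSON parsing error: lexical error: invalid char in json text."}}}
{"operationName":"ApplicationGatewayFirewall","category":"ApplicationGatewayFirewallLog","properties":{"requestUri":"/rest/globalconfig/1/issuecustomfields/10204","ruleSetType":"OWASP","ruleSetVersion":"3.0","ruleId":"0","ruleGroup":"Default","action":"Matched","hostname":"jira.example.test","details":{"message":"JSON parsing error: lexical error: invalid char in json text."}}}
{"operationName":"ApplicationGatewayFirewall","category":"ApplicationGatewayFirewallLog","properties":{"requestUri":"/rest/api/2/search","ruleSetType":"OWASP","ruleSetVersion":"3.0","ruleId":"942100","ruleGroup":"REQUEST-942-APPLICATION-ATTACK-SQLI","action":"Matched","hostname":"jira.example.test","details":{"message":"SQL Injection Attack Detected via libinjection"}}}
""".strip()

# Anchored regex: the numeric custom field id and nothing after it, so path tricks such as
# "/10100/../../x" are not exempted.
URI_PATTERN = r"^/rest/globalconfig/1/issuecustomfields/\d+$"


def parse_entries(text):
    """Parse newline-delimited JSON log records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def json_parse_failures(entries):
    """Firewall-log entries where the engine could not parse the body as JSON.

    These carry ruleId '0' rather than a CRS rule id, which is why a per-rule
    exclusion cannot address them."""
    out = []
    for e in entries:
        p = e.get("properties", {})
        msg = p.get("details", {}).get("message", "")
        if e.get("category") == "ApplicationGatewayFirewallLog" and msg.startswith("JSON parsing error"):
            out.append((p.get("hostname"), p.get("requestUri"), p.get("ruleId")))
    return out


def build_allow_rule(name, priority, uri_regex):
    """Custom rule fragment for an Application Gateway WAF policy (assumed schema, see lead-in).

    Custom rules run before the managed OWASP rule set and Allow stops further
    evaluation, so keep the match as narrow as possible: everything it matches
    bypasses every managed rule."""
    return {
        "name": name,
        "priority": priority,
        "ruleType": "MatchRule",
        "action": "Allow",
        "matchConditions": [
            {
                "matchVariables": [{"variableName": "RequestUri"}],
                "operator": "Regex",
                "matchValues": [uri_regex],
            }
        ],
    }


def rule_allows(rule, uri):
    """Local approximation of the rule: True if every condition matches (Regex/BeginsWith only)."""
    for cond in rule["matchConditions"]:
        op, values = cond["operator"], cond["matchValues"]
        if op == "Regex" and not any(re.search(v, uri) for v in values):
            return False
        if op == "BeginsWith" and not any(uri.startswith(v) for v in values):
            return False
    return rule["action"] == "Allow"


def preview(text, rule):
    """Count JSON-parse blocks per URI and report which URIs the candidate rule would release."""
    failures = json_parse_failures(parse_entries(text))
    by_uri = Counter(uri for _, uri, _ in failures)
    released = {u for u in by_uri if rule_allows(rule, u)}
    return by_uri, released


if __name__ == "__main__":
    rule = build_allow_rule("allow-jira-issuecustomfields", 10, URI_PATTERN)
    print(json.dumps(rule, indent=2))
    counts, released = preview(SAMPLE_LOG, rule)
    for uri, n in counts.items():
        print(f"{n:3d}  {uri}  {'released' if uri in released else 'still blocked'}")
```

      Run it against a real export to confirm that only the issuecustomfields path shows up among the JSON-parse blocks before committing to the rule; if other paths appear, widen the regex deliberately rather than falling back to a prefix such as /rest/, which would exempt the whole REST API from the managed rules.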

            Assignee: Unassigned
            Reporter: Vikas Pandey (Inactive)
            Votes: 3
            Watchers: 3