Details
Description
Issue Summary
When an admin edits a workflow from the project settings page (plugins/servlet/project-config/FIR/workflows) on a Jira instance that runs behind Microsoft Azure Application Gateway's OWASP 3.0 core rule set, the request gets blocked!
Steps to Reproduce
- Enable the OWASP 3.0 core rule set on Microsoft Azure Application Gateway, if possible.
- Edit a sample project workflow from Project settings > Workflows.
Expected Results
The call to /rest/api/2/mypreferences?key=workflow-mode made while editing the workflow should not get blocked.
Actual Results
The call made while editing the workflow gets blocked, because the request payload is not in JSON format and the WAF's mandatory body-parsing rule rejects it. The firewall log entry:
{
  "resourceId": "xyz",
  "operationName": "ApplicationGatewayFirewall",
  "time": "2021-08-11T07:01:38.6064411Z",
  "category": "ApplicationGatewayFirewallLog",
  "properties": {
    "instanceId": "ApplicationGatewayRole_IN_0",
    "clientIp": "10.10.10.10",
    "clientPort": "0",
    "requestUri": "/rest/api/2/mypreferences?key=workflow-mode",
    "ruleSetType": "OWASP",
    "ruleSetVersion": "3.0",
    "ruleId": "0",
    "ruleGroup": "Default",
    "message": "Mandatory rule. Cannot be disabled. Failed to parse request body.",
    "action": "Blocked",
    "site": "Global",
    "details": {
      "message": "Access denied with code 400 (phase 2). Match of \"eq 0\" against \"REQBODY_ERROR\" required.",
      "data": "JSON parsing error: lexical error: invalid char in json text.\\x0a",
      "file": "",
      "line": ""
    },
    "hostname": "jira.whatnot.com",
    "transactionId": "123456789"
  }
}
Workaround
Try writing a custom rule that excludes this URL from the core rule set and takes precedence over it, along the lines of the example suggested here.
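As an added example (not code from this issue, from Atlassian or from Microsoft), the following Python triages Application Gateway firewall log lines for this class of block so an admin can see exactly which paths are hit before scoping an exclusion to them. It uses the log record quoted above plus two constructed entries; the names SAMPLE_LOG_LINES, is_body_parse_block, uris_blocked_by_body_parse and body_violates_json_rule are mine, and modelling the WAF's check as "a body declared application/json must parse as JSON" is an assumption drawn from the details.data message in the log.

```python
"""Triage Azure Application Gateway WAF firewall logs for request-body
parse failures (the mandatory rule, ruleId "0", matching REQBODY_ERROR).

Added example, not code from the Jira issue, Atlassian or Microsoft.
"""
import json
from collections import Counter

# Entry 1 is the firewall log record quoted in the issue. Entries 2 and 3
# are constructed: a block by an ordinary CRS rule (not a body-parse
# failure) and a second body-parse block on the same endpoint.
SAMPLE_LOG_LINES = [
    json.dumps({
        "resourceId": "xyz",
        "operationName": "ApplicationGatewayFirewall",
        "time": "2021-08-11T07:01:38.6064411Z",
        "category": "ApplicationGatewayFirewallLog",
        "properties": {
            "instanceId": "ApplicationGatewayRole_IN_0",
            "clientIp": "10.10.10.10", "clientPort": "0",
            "requestUri": "/rest/api/2/mypreferences?key=workflow-mode",
            "ruleSetType": "OWASP", "ruleSetVersion": "3.0",
            "ruleId": "0", "ruleGroup": "Default",
            "message": "Mandatory rule. Cannot be disabled. Failed to parse request body.",
            "action": "Blocked", "site": "Global",
            "details": {
                "message": 'Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required.',
                "data": "JSON parsing error: lexical error: invalid char in json text.\\x0a",
                "file": "", "line": "",
            },
            "hostname": "jira.whatnot.com",
            "transactionId": "123456789",
        },
    }),
    # constructed: blocked by a regular CRS rule, not a body-parse block
    json.dumps({
        "operationName": "ApplicationGatewayFirewall",
        "properties": {
            "requestUri": "/login.jsp", "ruleId": "942100", "action": "Blocked",
            "details": {"message": "constructed CRS match"},
        },
    }),
    # constructed: same endpoint, different preference key, same failure
    json.dumps({
        "operationName": "ApplicationGatewayFirewall",
        "properties": {
            "requestUri": "/rest/api/2/mypreferences?key=other-pref",
            "ruleId": "0", "action": "Blocked",
            "details": {"message": 'Match of "eq 0" against "REQBODY_ERROR" required.'},
        },
    }),
]


def is_body_parse_block(entry):
    """True when the WAF blocked because it could not parse the request
    body: Azure logs this as the mandatory rule (ruleId "0") with a
    REQBODY_ERROR match in details.message."""
    props = entry.get("properties", {})
    if props.get("action") != "Blocked" or props.get("ruleId") != "0":
        return False
    return "REQBODY_ERROR" in props.get("details", {}).get("message", "")


def uris_blocked_by_body_parse(log_lines):
    """Count body-parse blocks per request path (query string dropped).
    This is the list to review before scoping a URL-based exclusion,
    rather than disabling body inspection for the whole site."""
    counts = Counter()
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting triage
        if is_body_parse_block(entry):
            path = entry["properties"].get("requestUri", "").split("?", 1)[0]
            counts[path] += 1
    return counts


def body_violates_json_rule(content_type, body):
    """Assumed model of the check behind the log's 'JSON parsing error':
    a body declared as application/json must parse as JSON. A bare
    preference value sent under that content type (constructed) fails."""
    if not content_type.lower().startswith("application/json"):
        return False
    try:
        json.loads(body)
    except json.JSONDecodeError:
        return True
    return False


if __name__ == "__main__":
    for path, n in uris_blocked_by_body_parse(SAMPLE_LOG_LINES).items():
        print(f"{n} body-parse block(s) on {path}")
```

Keying on ruleId "0" plus the REQBODY_ERROR text, rather than on the URI, keeps ordinary CRS matches out of the exclusion candidate list; the path-level aggregation is what you would feed into a URL-scoped custom rule so the rest of the managed rule set stays in force for the site.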
Issue Links
- is caused by JRASERVER-28458 Improve JIRA compatibility with OWASP ModSecurity Core Rule Set (CRS) (Gathering Interest)