Issue Summary
When an admin edits a workflow from the project settings page (plugins/servlet/project-config/FIR/workflows) on a Jira instance that runs behind Microsoft Azure Application Gateway with the OWASP 3.0 core rule set enabled, the request gets blocked!
Steps to Reproduce
- Enable the OWASP 3.0 core rule set on Microsoft Azure Application Gateway's WAF, if possible.
- Edit a sample project workflow from project settings > workflow page.
Expected Results
The call made when editing a workflow, /rest/api/2/mypreferences?key=workflow-mode, should not be blocked.
Actual Results
The call made when editing the workflow is blocked, because the request payload is not in JSON format, as the Application Gateway firewall log shows:
{
  "resourceId": "xyz",
  "operationName": "ApplicationGatewayFirewall",
  "time": "2021-08-11T07:01:38.6064411Z",
  "category": "ApplicationGatewayFirewallLog",
  "properties": {
    "instanceId": "ApplicationGatewayRole_IN_0",
    "clientIp": "10.10.10.10",
    "clientPort": "0",
    "requestUri": "/rest/api/2/mypreferences?key=workflow-mode",
    "ruleSetType": "OWASP",
    "ruleSetVersion": "3.0",
    "ruleId": "0",
    "ruleGroup": "Default",
    "message": "Mandatory rule. Cannot be disabled. Failed to parse request body.",
    "action": "Blocked",
    "site": "Global",
    "details": {
      "message": "Access denied with code 400 (phase 2). Match of \"eq 0\" against \"REQBODY_ERROR\" required.",
      "data": "JSON parsing error: lexical error: invalid char in json text.\\x0a",
      "file": "",
      "line": ""
    },
    "hostname": "jira.whatnot.com",
    "transactionId": "123456789"
  }
}
Workaround
Try writing a custom rule that excludes this URL and overrides the main rule, as suggested in the example here.
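To show what the log above records and how to triage it before writing any exclusion, here is an added Python example (not code from the issue, Atlassian or Microsoft): it parses constructed records in the log shape quoted above, picks out the blocks caused by the mandatory request-body parsing rule, counts them per path, and shows the underlying check, namely that a body sent as JSON must parse as JSON. The hostname, ids and the second record are constructed placeholders, and it assumes the request declares a JSON content type, which is why the WAF's JSON body processor runs on it.

```python
import json
from collections import Counter

def _rec(uri, rule_id, msg, action, detail_msg="", data=""):
    # One record in the Application Gateway WAF log shape quoted in the issue
    return json.dumps({"category": "ApplicationGatewayFirewallLog", "properties": {
        "requestUri": uri, "ruleSetType": "OWASP", "ruleSetVersion": "3.0",
        "ruleId": rule_id, "message": msg, "action": action,
        "details": {"message": detail_msg, "data": data},
        "hostname": "jira.example.test"}})  # constructed placeholder host

# Constructed sample log: the block from this issue plus an unrelated CRS block
SAMPLE_LOG_LINES = [
    _rec("/rest/api/2/mypreferences?key=workflow-mode", "0",
         "Mandatory rule. Cannot be disabled. Failed to parse request body.",
         "Blocked", 'Access denied with code 400 (phase 2). Match of "eq 0" '
         'against "REQBODY_ERROR" required.',
         "JSON parsing error: lexical error: invalid char in json text.\\x0a"),
    _rec("/rest/api/2/issue/ABC-1", "949110",
         "Inbound Anomaly Score Exceeded (Total Score: 5)", "Blocked"),
]

def body_parse_blocks(lines):
    """(requestUri, parser error) for entries blocked by the mandatory
    body-parsing rule, which fires whenever the WAF's JSON body processor
    fails (REQBODY_ERROR != 0), independently of any tunable CRS rule."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("category") != "ApplicationGatewayFirewallLog":
            continue
        p, details = rec["properties"], rec["properties"].get("details", {})
        if p.get("action") == "Blocked" and "REQBODY_ERROR" in details.get("message", ""):
            hits.append((p["requestUri"], details.get("data", "")))
    return hits

def blocks_by_uri(lines):
    """Body-parse blocks per path (query dropped): tells you whether one
    endpoint, like the preferences call here, explains the noise before you
    scope any exclusion to that path alone."""
    return Counter(uri.split("?", 1)[0] for uri, _ in body_parse_blocks(lines))

def body_is_valid_json(body):
    """The check behind the block: a body sent as JSON must parse as JSON.
    A bare unquoted word fails; the same word JSON-encoded ("word") passes."""
    try:
        json.loads(body)
        return True
    except ValueError:
        return False
```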
Is caused by: JRASERVER-28458 Improve JIRA compatibility with OWASP ModSecurity Core Rule Set (CRS) (Gathering Interest)