• We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Problem

      GitHub offers to secure repository webhooks with a secret. Jira currently discards the headers HTTP_X_HUB_SIGNATURE_256 and HTTP_X_HUB_SIGNATURE, causing any unidentified payload to trigger a Jira soft sync.

      Suggested Solution

      Take into consideration Jira's HTTP_X_HUB_SIGNATURE_256 if the user chooses to define it.

      Either set a secret for webhooks on account creation in the DVCS menu, so the value will be populated in all the repositories, or allow defining a secret value after creation.

      Why This Is Important

      Even though the impact of triggering a soft sync from an unknown webhook payload doesn't break anything, it's still a security vulnerability if an unknown party can run an administrative task in an unauthorized manner.
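      The check the suggested solution asks for, written out as an added example (not Jira's or GitHub's code). GitHub signs each delivery as `sha256=` followed by the hex HMAC-SHA256 of the raw request body under the repository's shared secret, and puts that value in the X-Hub-Signature-256 header. The secret, payload and header values below are constructed for the example; the `handle_delivery` function and its "soft-sync" action name are hypothetical stand-ins for the receiving side described in the ticket.

```python
"""Verify a GitHub webhook delivery against X-Hub-Signature-256.

Added example, not code from the ticket, Jira or GitHub. Scheme as GitHub
documents it: signature = "sha256=" + hex(HMAC-SHA256(secret, raw_body)).
"""
import hashlib
import hmac
import json

# Constructed sample values for this example (not from the ticket).
WEBHOOK_SECRET = b"example-shared-secret"   # value an admin would enter alongside the DVCS account
SAMPLE_BODY = json.dumps(
    {"ref": "refs/heads/main", "repository": {"full_name": "example/repo"}}
).encode()


def compute_signature(secret: bytes, body: bytes) -> str:
    """Return the header value GitHub would send for this body and secret.

    The MAC must be taken over the exact bytes received; re-serialising the
    parsed JSON changes whitespace/key order and breaks verification.
    """
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, headers: dict) -> bool:
    """Accept the delivery only if the SHA-256 signature header checks out.

    Returns False for a missing header (the case the ticket says Jira
    currently lets through), a non-sha256 prefix (the legacy SHA-1
    X-Hub-Signature header is not consulted), or a digest mismatch.
    compare_digest keeps the comparison constant-time.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    received = lowered.get("x-hub-signature-256")
    if not received or not received.startswith("sha256="):
        return False
    expected = compute_signature(secret, body)
    return hmac.compare_digest(expected.encode(), received.encode("utf-8", "replace"))


def handle_delivery(configured_secret, body: bytes, headers: dict):
    """Decide what to do with an inbound delivery (hypothetical receiver).

    Returns (http_status, action). "soft-sync" stands for the repository
    sync the ticket says any payload currently triggers.
    """
    if configured_secret is None:
        # No secret configured: every delivery is trusted, which is the
        # situation the ticket describes. Kept explicit so the gap is visible.
        return 202, "soft-sync (unauthenticated)"
    if not verify_signature(configured_secret, body, headers):
        return 401, "rejected: bad or missing X-Hub-Signature-256"
    return 202, "soft-sync"


if __name__ == "__main__":
    signed = {"X-Hub-Signature-256": compute_signature(WEBHOOK_SECRET, SAMPLE_BODY)}
    print(handle_delivery(WEBHOOK_SECRET, SAMPLE_BODY, signed))          # genuine delivery
    print(handle_delivery(WEBHOOK_SECRET, SAMPLE_BODY, {}))              # no signature header
    print(handle_delivery(WEBHOOK_SECRET, SAMPLE_BODY + b" ", signed))   # body altered in transit
    print(handle_delivery(None, SAMPLE_BODY, {}))                        # secret never configured
```

      Two points the code makes that the ticket only implies: the secret has to exist on both sides before the check can be enforced (hence the request to set it at DVCS account creation so every repository webhook carries it), and a configured-but-unchecked header is worth logging as a rejected delivery rather than silently ignoring, since a 401 on an otherwise valid GitHub webhook is the fastest signal that the secret is out of sync.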


            [JSWSERVER-21134] Enhance GitHub integration webhook security

            Johan Peeters added a comment -

            When smart commits is activated, you can also execute the following actions:

            • comment on issues
            • record time tracking information against issues
            • transition issues to any status defined in the Jira Software project's workflow

            This has a data integrity impact on Jira, as you can manipulate the payload of this API.

            The API is even available without activating the DVCS integration, so all customers are impacted to my understanding.

            Johan Peeters added a comment -

            Do note that with the change in version 8.14 of Jira (https://confluence.atlassian.com/jirakb/improving-the-dvcs-sync-performance-by-migrating-old-webhooks-to-the-new-format-1155487070.html), the impact is increased. It is not limited to triggering an administrative action as suggested over here.

              Assignee: Unassigned
              Reporter: Mohamed Kouki
              Votes: 3
              Watchers: 8