Type: Suggestion
Resolution: Not a bug
Problem Definition
When a non-numeric value is sent in the timeDelta attribute of the POST payload, Jira responds with HTTP 400 Bad Request and echoes the value back in the response body.
If that text contains JavaScript, it will trick security scanners into reporting a reflected cross-site scripting (XSS) vulnerability.
Here's an example response text:
The analytics event passed through is in an invalid format. Detailed error message: Can not construct instance of long from String value '-1115<img src=javascript:alert(31342)>': not a valid Long value at [Source: org.apache.catalina.connector.CoyoteInputStream@49e376e6; line: 1, column: 962] (through reference chain: com.atlassian.analytics.client.browser.BrowserEventBean["timeDelta"])
Note that the returned JS code will not be rendered by the browser, because the response header is Content-Type: text/plain;charset=UTF-8, so the reflected XSS is a false positive.
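As an added example (not part of the Jira issue or Atlassian's code), the following Python helper shows how a triage step can separate a real reflected-XSS finding from the text/plain false positive described above: it parses a raw HTTP response, checks that the scanner marker is echoed, and classifies the finding by the response's media type. The responses are constructed after the 400 error quoted above; PAYLOAD, parse_response and triage_reflection are names chosen here.

```python
# Added example, not Atlassian code: triage a reflected-input finding by asking
# whether the echoed marker can actually be rendered as HTML by a browser.

PAYLOAD = "<img src=javascript:alert(31342)>"  # the marker the scanner reflected

# Constructed: the text/plain 400 error body described in the issue.
RAW_TEXT_PLAIN = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Content-Type: text/plain;charset=UTF-8\r\n"
    "\r\n"
    "The analytics event passed through is in an invalid format. Detailed error "
    "message: Can not construct instance of long from String value "
    "'-1115<img src=javascript:alert(31342)>': not a valid Long value"
)
# Constructed variants: the same body served as HTML, and with no Content-Type.
RAW_TEXT_HTML = RAW_TEXT_PLAIN.replace("text/plain", "text/html")
RAW_NO_TYPE = RAW_TEXT_PLAIN.replace("Content-Type: text/plain;charset=UTF-8\r\n", "")

HTML_TYPES = {"text/html", "application/xhtml+xml"}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def triage_reflection(raw, payload):
    """Classify a reflection: HTML context, unknown type, or false positive."""
    status, headers, body = parse_response(raw)
    if payload not in body:
        return "not reflected"
    media_type = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if media_type in HTML_TYPES:
        return f"HTTP {status}: reflected in an HTML response, verify manually"
    if not media_type:
        return f"HTTP {status}: reflected with no Content-Type, browser may sniff as HTML"
    return f"HTTP {status}: false positive, reflected as {media_type} (not rendered)"


if __name__ == "__main__":
    for raw in (RAW_TEXT_PLAIN, RAW_TEXT_HTML, RAW_NO_TYPE):
        print(triage_reflection(raw, PAYLOAD))
```

A missing Content-Type is kept as a separate class because browsers may sniff such a response, so it still needs a manual look.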
Suggested Solution
Do not echo the actual invalid long value back in the error response.
Workaround
None
[JSWSERVER-21260] The analytics URL /rest/analytics/1.0/publish/bulk should provide less details on HTTP 400 failures

Change history:

Field | Original | New
---|---|---
Labels | security security-imported | resolved-in-vf security security-imported
Resolution | | Not a bug [ 12 ]
Status | Gathering Interest [ 11772 ] | Closed [ 6 ]
Remote Link | | This issue links to "Page (Confluence)" [ 990301 ]
Labels | security security-imported shouldBePrivate | security security-imported
Security | Reporter and Atlassian Staff [ 10751 ] |
Labels | security security-imported | security security-imported shouldBePrivate
Security | | Reporter and Atlassian Staff [ 10751 ]
Labels | security | security security-imported
Labels | | security