The analytics URL /rest/analytics/1.0/publish/bulk should provide less details on HTTP 400 failures


      Problem Definition

      When non-numeric values are sent in the timeDelta attribute of the POST payload, Jira responds with HTTP 400 Bad Request and echoes the submitted value back in the response body.

      If that text includes JavaScript code, it tricks security scanners into reporting a reflected cross-site scripting (XSS) vulnerability.

      Here's an example response text:

      The analytics event passed through is in an invalid format.
      Detailed error message:
      Can not construct instance of long from String value '-1115<img src=javascript:alert(31342)>': not a valid Long value
      at [Source: org.apache.catalina.connector.CoyoteInputStream@49e376e6; line: 1, column: 962] (through reference chain:
      com.atlassian.analytics.client.browser.BrowserEventBean["timeDelta"])
      

      Note that the returned JS code will not be rendered by the browser, because the response header is content-type: text/plain;charset=UTF-8, so the reflected XSS is a false positive.

      Suggested Solution

      Do not send the actual invalid long value.
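      The following is an added example, not Atlassian's code, that contrasts the echoing error response described in this report with a hardened one, and includes the triage check a reviewer would apply to a scanner finding (is the input reflected, and is the content type one a browser renders?). The function names, the JSON error shape and the sample payload are assumptions made for the example; only the response text and the timeDelta field come from the report.

```python
import json
import re
from typing import Tuple

# Constructed sample payload in the shape the report describes: an analytics
# event whose timeDelta is not a number. The event name is illustrative.
SAMPLE_PAYLOAD = '{"name": "page.view", "timeDelta": "-1115<img src=x>"}'
RAW_TIME_DELTA = "-1115<img src=x>"

Response = Tuple[int, str, str]  # (status, content-type, body)


def parse_time_delta(raw: str) -> int:
    """Parse timeDelta the way a Java long parser would: optional sign, digits,
    64-bit signed range. Raises ValueError for anything else (including '1_000',
    which Python's int() would otherwise accept)."""
    if not re.fullmatch(r"[+-]?\d+", raw):
        raise ValueError("not a valid Long value")
    value = int(raw, 10)
    if not -2**63 <= value < 2**63:
        raise ValueError("out of range for long")
    return value


def leaky_error_response(raw: str) -> Response:
    """'Before' behaviour from the report: the untrusted value is echoed verbatim
    into the 400 body. text/plain keeps a browser from rendering it, but the
    value still leaves the server and trips scanners."""
    body = ("The analytics event passed through is in an invalid format.\n"
            "Detailed error message:\n"
            f"Can not construct instance of long from String value '{raw}': "
            "not a valid Long value")
    return 400, "text/plain;charset=UTF-8", body


def hardened_error_response(field: str) -> Response:
    """Suggested fix: name the offending field and the expected type, never the
    submitted value. Error shape is an assumption for this example."""
    body = json.dumps({"error": "invalid analytics event",
                       "field": field, "expected": "integer"})
    return 400, "application/json;charset=UTF-8", body


def handle_publish(payload: str, hardened: bool) -> Response:
    """Minimal stand-in for the bulk publish endpoint: validate timeDelta and
    pick the leaky or hardened error path."""
    event = json.loads(payload)
    raw = str(event.get("timeDelta", ""))
    try:
        parse_time_delta(raw)
    except ValueError:
        if hardened:
            return hardened_error_response("timeDelta")
        return leaky_error_response(raw)
    return 200, "application/json;charset=UTF-8", json.dumps({"status": "ok"})


def reflects_input(raw: str, body: str) -> bool:
    """True when the submitted value appears verbatim in the response body."""
    return raw in body


def triage(raw: str, content_type: str, body: str) -> str:
    """Classify a scanner's reflected-XSS finding on a 400 response:
    - not reflected at all: nothing to fix for this finding;
    - reflected into an HTML body: treat as a real reflected XSS candidate;
    - reflected into a non-HTML body: XSS is a false positive, but the raw
      value still leaks and should be removed from the message."""
    if not reflects_input(raw, body):
        return "not reflected"
    if content_type.lower().startswith("text/html"):
        return "reflected in HTML: potential XSS"
    return "reflected but not rendered: XSS false positive, still an information leak"


if __name__ == "__main__":
    for hardened in (False, True):
        status, ctype, body = handle_publish(SAMPLE_PAYLOAD, hardened=hardened)
        print(f"hardened={hardened} status={status} -> {triage(RAW_TIME_DELTA, ctype, body)}")
```

      Running the module prints the leaky path as "reflected but not rendered" (the false positive the report describes) and the hardened path as "not reflected", which is the state a scanner re-test should reach once the value is dropped from the message.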

      Workaround

      None

            Assignee: Unassigned
            Reporter: Arbi Dridi
            Votes: 0
            Watchers: 2