Jira Software Data Center
JSWSERVER-21260

The analytics URL /rest/analytics/1.0/publish/bulk should provide less details on HTTP 400 failures


      Problem Definition

      When a non-numeric value is sent in the timeDelta attribute of the POST payload, Jira responds with HTTP 400 Bad Request and echoes the submitted value back in the response body.

      If the text includes JavaScript code, it will trick a security scanner into reporting a reflected cross-site scripting (XSS) vulnerability.

      Here's an example response text:

      The analytics event passed through is in an invalid format.
      Detailed error message:
      Can not construct instance of long from String value '-1115<img src=javascript:alert(31342)>': not a valid Long value
      at [Source: org.apache.catalina.connector.CoyoteInputStream@49e376e6; line: 1, column: 962] (through reference chain:
      com.atlassian.analytics.client.browser.BrowserEventBean["timeDelta"])
      

      Note that the returned JavaScript will not be rendered by the browser because the response header is content-type: text/plain;charset=UTF-8, so the reflected XSS is a false positive.

      Suggested Solution

      Do not send the actual invalid long value.
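      As an added illustration of the suggested solution (example code written for this page, not Jira's or Atlassian's), the Python validator below handles a bulk analytics payload in two modes: the echoing branch reproduces the reported behaviour, where the rejected timeDelta value is copied into the 400 body, and the hardened branch names the field and event index but never the value. The sample payloads are constructed; the Content-Type header value comes from the issue, while the 64-bit signed range used to emulate a Java long, the event shape and the function names are assumptions.

```python
import json
import re

# Assumption: timeDelta is a Java signed 64-bit long, so emulate that range.
LONG_MIN, LONG_MAX = -(2 ** 63), 2 ** 63 - 1

# Constructed sample payloads (not captured from Jira): one well-formed event and one
# carrying the scanner-style probe string quoted in the issue as its timeDelta.
VALID_PAYLOAD = json.dumps([{"name": "page.view", "timeDelta": 1234}])
PROBE_PAYLOAD = json.dumps([{"name": "page.view",
                             "timeDelta": "-1115<img src=javascript:alert(31342)>"}])

INVALID_FORMAT = "The analytics event passed through is in an invalid format."


def _as_long(value):
    """Return value as an int if it is a valid long, else raise ValueError.
    Only ints and plain decimal strings are accepted; bool is rejected because
    Python treats it as an int subclass. The error text is a fixed constant,
    so it can never carry request content."""
    if isinstance(value, bool):
        raise ValueError("boolean is not a long")
    if isinstance(value, int):
        n = value
    elif isinstance(value, str) and re.fullmatch(r"[+-]?[0-9]+", value.strip()):
        n = int(value.strip())
    else:
        raise ValueError("not a decimal integer")
    if not LONG_MIN <= n <= LONG_MAX:
        raise ValueError("out of long range")
    return n


def parse_bulk(raw_body, echo_invalid_value):
    """Validate a bulk analytics payload and return (status, headers, body).

    echo_invalid_value=True reproduces the behaviour reported in the issue.
    echo_invalid_value=False is the suggested fix: report which event and which
    attribute failed, but never the submitted value."""
    headers = {"Content-Type": "text/plain;charset=UTF-8"}
    try:
        events = json.loads(raw_body)
    except ValueError:
        return 400, headers, INVALID_FORMAT
    if not isinstance(events, list):
        return 400, headers, INVALID_FORMAT
    for i, event in enumerate(events):
        if not isinstance(event, dict) or "timeDelta" not in event:
            return 400, headers, f"Event {i}: missing required attribute timeDelta."
        try:
            _as_long(event["timeDelta"])
        except ValueError as exc:
            if echo_invalid_value:
                # Reported behaviour: the raw request value lands in the error text.
                body = (f"Can not construct instance of long from String value "
                        f"'{event['timeDelta']}': {exc}")
            else:
                # Hardened: field name, index and a constant reason only.
                body = f"Event {i}: attribute timeDelta must be a 64-bit integer ({exc})."
            return 400, headers, body
    return 200, headers, ""


def response_echoes_input(raw_body, echo_invalid_value):
    """Defender's check: True if any timeDelta value from the request reappears
    verbatim in a 400 response body."""
    status, _headers, body = parse_bulk(raw_body, echo_invalid_value)
    if status != 400:
        return False
    try:
        events = json.loads(raw_body)
    except ValueError:
        return False
    return any(str(e.get("timeDelta")) in body for e in events if isinstance(e, dict))


if __name__ == "__main__":
    for echo in (True, False):
        status, _h, body = parse_bulk(PROBE_PAYLOAD, echo)
        print(f"echo={echo}: HTTP {status}, leaks input: {response_echoes_input(PROBE_PAYLOAD, echo)}")
        print("  " + body)
```

      The hardened branch keeps the error actionable for an integrating client (it still says which event and which attribute failed) while removing the only thing a scanner needs to flag the endpoint. A fixed, value-free message also stays safe if the same error text is ever surfaced in an HTML context rather than as text/plain.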

      Workaround

      None


Assignee: Unassigned
Reporter: Arbi Dridi (adridi)
Votes: 0
Watchers: 2