Adding individual editors or viewers while editing dashboard shares breaks the UI with email obfuscation


      Problem

      The problem occurs when a CDN with email address obfuscation enabled is fronting Jira AND the instance still carries pre-GDPR user data, i.e. user keys that are email addresses instead of the conventional GUID/sAMAccountName.

      In this situation, as the first step of loading the EditPortalPage servlet, Jira hardcodes the user_key values into a span as below, then replaces the values JIRAUSER10100 and JIRAUSER10101 with the respective users' full names:

      <span id="shares_data_editors" style="display:none;">[{&quot;type&quot;:&quot;user&quot;,&quot;rights&quot;:{&quot;value&quot;:3},&quot;param1&quot;:&quot;JIRAUSER10100&quot;},{&quot;type&quot;:&quot;user&quot;,&quot;rights&quot;:{&quot;value&quot;:3},&quot;param1&quot;:&quot;JIRAUSER10101&quot;}]</span>
      

      However, if the user was created before the GDPR changes, the user_key column of the app_user table holds an email address. Once the page starts to render and injects the span containing the email user_key, the CDN's email obfuscation kicks in and, as part of its job of protecting email addresses, corrupts the span value as below:

      <span id="shares_data_editors" style="display:none;">[{&quot;type&quot;:&quot;group&quot;,&quot;rights&quot;:{&quot;value&quot;:3},&quot;param1&quot;:&quot;XXX YYY - Global - AAAA - BBBB&quot;},{&quot;type&quot;:&quot;project&quot;,&quot;rights&quot;:{&quot;value&quot;:3},&quot;param1&quot;:&quot;15614&quot;},{&quot;type&quot;:&quot;user&quot;,&quot;rights&quot;:{&quot;value&quot;:3},&quot;param1&quot;:&quot;<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="a5c6cXXXXXXcd3c4d6e5d6cac9c0d7c48bc6cac8">[email&#160;protected]</a>&quot;}]</span>
      

      Suggested Solution

      Update the logic behind the EditPortalPage servlet and use a proper way of holding the data temporarily: instead of hardcoding an array of users in the HTML, rely on the dashboard ID to pull and store the list of shares using:

      • API endpoints
      • SQL queries
      • Use browser's storage instead of the page code
      • In memory arrays in JS
      • etc

      Why This Is Important

      Security

      • Since Jira doesn't convert the old user key values to the GDPR format, more protection needs to be in place to hide the identifiers, whether customers fail to hide them intentionally or not.

      Bug

      • Jira doesn't show the shares when the span is broken, and the UI becomes unusable

      Code Quality

      • It might be an old way of loading the data, but lazy loading can be done more efficiently without exposing sensitive information

      Workaround

      • Disable email address obfuscation for Jira's site
      • Bypass the CDN to access Jira over its base URL or individual nodes

            Assignee:
            Unassigned
            Reporter:
            Mohamed Kouki (Inactive)