I have a data leak over the rest API of my jira server version 8.8.0.
I need to restrict the access to the following links:
/rest/api/2/dashboard?maxResults=100
/rest/api/2/projectCategory?maxResults=1000
/rest/api/2/resolution
/rest/config/1.0/directory
/rest/menu/latest/admin
After searching for a while, I still have no clue how I'm supposed to prevent retrieving data from those links and didn't manage to find any documentation about it.
Thanks for your valuable comments.
Have a nice day!
Uhm, what do you mean by "data leak"? If you are concerned about Jira leaking data to unauthorized people, then you would want to raise a ticket with Atlassian to clarify the problem, however, I suspect this is more of a confusion than an actual security bug.
If you're adamant about this then personally I'd do it on reverse proxy (afaik you can't really "block" specific endpoints in tomcat without breaking the app). All in all I really don't think you need or want to do it though. This seems confusing to me.
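For the reverse-proxy route mentioned above, here is an added example (not from this thread or from Atlassian) of an nginx rule that returns 403 for requests to the five flagged paths when they carry neither a Jira session cookie nor an Authorization header; it assumes nginx terminates traffic in front of Jira, an upstream named jira_backend, and Jira served at the root path.

```nginx
# $jira_anon is 1 only when the request carries no JSESSIONID cookie
# and no Authorization header (both empty -> concatenation is "").
# Cookie presence is not proof of a valid login; Jira still enforces
# its own permissions. This only hides the endpoints from unauthenticated
# scanners, which is what the "data leak" finding is about.
map "$cookie_JSESSIONID$http_authorization" $jira_anon {
    default 0;
    ""      1;
}

upstream jira_backend {
    server 127.0.0.1:8080;   # assumed Jira/Tomcat listener
}

server {
    listen 443 ssl;
    server_name jira.example.com;   # placeholder
    # ssl_certificate / ssl_certificate_key omitted

    # The five endpoints from the scanner report.
    location ~ ^/rest/(api/2/(dashboard|projectCategory|resolution)|config/1\.0/directory|menu/latest/admin)(/|$) {
        if ($jira_anon) {
            return 403;
        }
        proxy_pass         http://jira_backend;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    location / {
        proxy_pass         http://jira_backend;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

After applying it, check the anonymous dashboard and login pages in a private browser window, since Jira's own UI calls some of these endpoints before login and a blanket 403 can break that flow.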
I don't really know, my company works with a web security company and they identified those API links as data leaks.
To my eyes, it does not seem like that much of a data leak in any way, and I don't know what I can really do about it because, as you said, I think those links are necessary for the app to behave normally.
Anyway, thank you for your advice and taking the time to answer me.
Indeed many endpoints in Jira are accessible to anonymous users - but the key point is that they show the data the anonymous user has access to. '/rest/api/2/dashboard' is the perfect example of that - if you're logged in you see a lot, if you're not logged in you see nothing or maybe a few, but those few must be shared with anonymous users (so a public sharing problem).
I can see why some application scanners could see "oh this returns 200 with json" as a problem, but indeed opening those endpoints you should see they contain no sensitive data.
There is a KBA for this https://confluence.atlassian.com/jirakb/how-to-control-anonymous-user-access-in-a-public-jira-instance-975031479.html leading to https://jira.atlassian.com/browse/JRASERVER-65521 which are both interesting reads.
Hi @C Mouronval
I know it's a bit late, but I stumbled upon your post today and wanted to drop a quick comment.
I'm Ananjan from the miniOrange team. Just wanted to share that we have an app in the Atlassian marketplace that can help you easily address this use case. We have a feature called Restrict access to public APIs. If you are interested, do give this app a try: Enhance API Security for Jira REST APIs with OAuth/API Token | Atlassian Marketplace