Non-admin user has access to updating project properties?

Ivan Hanak August 31, 2021 edited

Hello community,

I would like to ask for assistance regarding a security of a connect app.

 

Firstly, a little bit of context:

  • our app link is displayed in Jira Software in the project sidebar
  • a user can control whether the link is displayed or hidden

This is accomplished by a module condition of `entity_property_equal_to` that toggles `enabled=true/false`.

 

The entity property is basically a "project property" that can be easily set/retrieved as so:

  • `PUT /rest/api/2/project/{projectIdOrKey}/properties/{propertyKey}`
  • `GET /rest/api/2/project/{projectIdOrKey}/properties/{propertyKey}`

Our app makes the HTTP requests via the AP.request() wrapper.

 

The problem occurs when it comes to permissions.

The bug bounty team found out that a user who lacks an administrative permission in Jira can easily open up the browser console and make an HTTP request via AP.request() to update project properties (and basically enable/disable our plugin for any project).

Basically, there is probably no way to secure updating the toggle properties from our app, because the wrapper `AP.request()` is available via the browser console, and when having access to the browser console, the user can basically do whatever they like.

Is there any way or any advice you would give how to secure this?

1 answer

0 votes
Andy Heinzer
Atlassian Team
September 1, 2021

Hi Ivan,

I understand that you have an app in Jira Cloud and that some end users appear to be able to disable this app by changing a project property. There is a REST API endpoint that users can also potentially use to call project properties over in PUT /rest/api/3/project/{projectIdOrKey}/properties/{propertyKey}.

I see that you have stated that these users are not administrators. I just wanted to clarify that you don't need to be a Jira Admin or a site-admin to make this kind of change on a project level. If the user has the project administrator access level, they can already make changes to project properties through that REST API endpoint. I am not sure if this distinction is one you have considered yet. But I wanted to bring this up because if that user does have the manage project role, then this behavior is expected.

Be that as it may, should you still find that even users without the project admin role (and other admin roles) can still make this call, I would suggest creating a ticket over in https://ecosystem.atlassian.net/servicedesk/customer/portal/14/group/39/create/108

That page does suggest first posting to our developer community,

Have a development question, need advice, or encounter a development problem? Please use our developer community forums at https://community.developer.atlassian.com to get help from the community, including experienced community members and Atlassian staff. Only file an issue here if you have encountered a bug in one of our products or frameworks that is affecting your app in production, disrupting customer productivity.

but if this problem affects your app in production or customer productivity, then certainly create a bug here.

Andy
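As an added example that is not part of the original question or answer (and not Atlassian's own code), the following JavaScript models the distinction Andy draws before a bug report is filed. It builds the request options the question's `AP.request()` wrapper would be given, parses the response of `GET /rest/api/3/mypermissions` for the `ADMINISTER_PROJECTS` permission in a fail-closed way, and classifies a successful property write as either expected (the caller holds project admin permission, which Jira enforces server-side) or something to raise with Atlassian. The property key, the assumption that the injected request function resolves to `{ body }` like the Promise form of `AP.request`, and the sample responses are constructed for this example.

```javascript
// Added example for this thread; not code from the original post or from Atlassian.
// Assumes a Jira Cloud Connect app whose iframe has the AP client (all.js) loaded.
// The request function is injected so the decision logic runs offline against
// constructed responses; in the app you would pass AP.request, assumed here to
// resolve to an object of the shape { body: string }.

const PROPERTY_KEY = 'example-app-sidebar-enabled'; // hypothetical toggle property key
const PROJECT_ADMIN = 'ADMINISTER_PROJECTS';        // Jira permission governing project properties

// Options for the GET from the question, in the shape AP.request() accepts.
function readTogglePropertyOptions(projectKey) {
  return {
    url: `/rest/api/2/project/${encodeURIComponent(projectKey)}/properties/${PROPERTY_KEY}`,
    type: 'GET',
  };
}

// Options for asking Jira which permissions the current user holds in this project.
// Only the permission that matters is requested, so the answer is small and unambiguous.
function myProjectPermissionsOptions(projectKey) {
  const query = new URLSearchParams({ projectKey, permissions: PROJECT_ADMIN });
  return { url: `/rest/api/3/mypermissions?${query}`, type: 'GET' };
}

// Parse a mypermissions body and report whether ADMINISTER_PROJECTS is held.
// Missing, malformed or unexpected data is treated as "not held" (fail closed).
function hasProjectAdmin(body) {
  try {
    const parsed = typeof body === 'string' ? JSON.parse(body) : body;
    return parsed?.permissions?.[PROJECT_ADMIN]?.havePermission === true;
  } catch {
    return false;
  }
}

// Apply the distinction from the answer: a successful write by a project admin is
// expected Jira behaviour; a successful write by anyone else is the case to report.
// A refused write means Jira enforced its permission model as intended.
function classifyPropertyWrite({ writeSucceeded, isProjectAdmin }) {
  if (!writeSucceeded) return 'denied';
  return isProjectAdmin ? 'expected' : 'report-to-atlassian';
}

// End-to-end check with an injected request function (AP.request in the app).
async function auditToggleWrite(request, projectKey, writeSucceeded) {
  const { body } = await request(myProjectPermissionsOptions(projectKey));
  return classifyPropertyWrite({ writeSucceeded, isProjectAdmin: hasProjectAdmin(body) });
}

// Constructed sample responses, used to exercise the logic offline.
const SAMPLE_ADMIN_BODY = JSON.stringify({
  permissions: { ADMINISTER_PROJECTS: { key: PROJECT_ADMIN, type: 'PROJECT', havePermission: true } },
});
const SAMPLE_USER_BODY = JSON.stringify({
  permissions: { ADMINISTER_PROJECTS: { key: PROJECT_ADMIN, type: 'PROJECT', havePermission: false } },
});

// Fake request function standing in for AP.request when run outside Jira.
function fakeRequest(body) {
  return async () => ({ body });
}

auditToggleWrite(fakeRequest(SAMPLE_ADMIN_BODY), 'ABC', true).then((verdict) => {
  console.log('project admin wrote the property:', verdict); // expected
});
auditToggleWrite(fakeRequest(SAMPLE_USER_BODY), 'ABC', true).then((verdict) => {
  console.log('non-admin wrote the property:', verdict); // report-to-atlassian
});
```

The `entity_property_equal_to` condition only decides whether the sidebar link is rendered; it is not an access check. Whether a given user may change the property is decided by Jira's own `ADMINISTER_PROJECTS` permission, which is why the verdict here hinges on the `mypermissions` answer rather than on anything the app's front end can observe or enforce.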
