Forums
Home Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions
Community
Forums
Home Q&A Discussion groups Articles Ask a question Search
Learning Events Champions
Forums
Home Q&A Discussion groups Articles Ask a question Search
Learning Events Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How to block Rest API unfiltered queries or API calls without field parameter

Makareswar Rout
Makareswar Rout October 12, 2021

How to Identify REST API URL patterns for  below conditions and blocks the request at load balancer  or HA proxy configuration.

  • request with unfiltered queries  with all fields search
  • calculated fields search

Example- : 

missing fields parameter
jira/rest/api/2/search?jql=project=JIRADEV

fields parameter requests all
jira/rest/api/2/search?fields=*all&jql=project=JIRADEV

no parameters 
jira/rest/api/2/search

 

 

Answer
Watch
Like # people like this
1300 views

1 answer

1 vote
Thomas Deiler
Thomas Deiler
Community Champion
October 14, 2021

Dear @Makareswar Rout ,

I think, what you are looking for is ACLs for HAProxy.

So long

Thomas

View More Comments
Makareswar Rout
Makareswar Rout October 14, 2021

Dear @Thomas Deiler  , Thanks for reply. Yes. However  I am looking for URL rewriting with multiple condition . If the the request is API request  and the request does not contains a specific  field parameter then it will be blocked at HA proxy or do a URL rewrite by replacing the url_param

example of pseudo code:

var default_fields_param = "type,summary,status,components,versions,fixVersions,resolution,customfield_13232"

if URL contains "rest/api/2/search" // it is a call to the Jira REST API, search method
{
if  url_param(field)=*all" // caller is specifically requesting all fields -- do not allow this
{
url_param(field)=${var default_fields_param}

}

if NOT  parameter contains "fields=" // call does not include a fields param - not allow this
{
append "&fields=" + default_fields_param  // or deny

}

 

However I am going to read the document and see if i can frame a ACL.

Like
Makareswar Rout
Makareswar Rout November 30, 2021

This is what worked for me:  

acl PATH_1 path_beg -i /rest/api/2/search
acl check_param url_sub fields=
acl field_all urlp_sub(fields) all
http-request deny deny_status 405 if PATH_1 !check_param
http-request deny deny_status 405 if PATH_1 field_all
http-request deny deny_status 405 if PATH_1 { url_param(fields) -m len eq 0 }

Like Thomas Deiler likes this
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Notice at Collection Terms Security