
is it safe to open up FW between internal Jira and Github

Torbjörn Richter November 27, 2019

Hi

We are running Jira behind a FW and now dev wants to start using github with jira integration.

If we whitelist Github IPs, is that safe enough, since it's not possible to allow only certain Github projects?

My concern is that anyone can create a Github project and use that to jump to/access or execute code towards Jira.

Anyone with experience of this?


cheers


1 answer

0 votes
Daniel Eads
Atlassian Team
December 6, 2019

Hey @Torbjörn Richter!

I've previously configured Jira Server instances with Github and can speak on this a bit. First, some assumptions:

  • You're looking at Github's listed IP addresses, which can change from time to time. If you're statically whitelisting their IPs in your firewall, you may need to go back later and update the whitelist if you find the functionality has broken.
  • The way you'll connect Jira with Github is with Jira's built-in DVCS connector.


You'll probably also want to know what exactly can happen in Jira after it's connected to Github. I'd recommend reading Jira's "integrating with development tools" document if you have a moment, but I'll summarize the actions available:

  • Jira will list all the repos available to it in the DVCS connector page. You can check/uncheck these in Jira to sync their commits from Github.
  • A "development" section will be available in the right-hand panel for issues in Jira. It will display information about code that mentions that Jira issue (commits, branches, pull requests, builds, etc.).
  • You can configure Workflow Triggers in Jira to move issues through your workflow when particular actions happen in the repo.
  • The Release Hub in Jira will show information about the commits from Github to help inform on a sprint's progress.
  • If you enable Smart Commits, Jira can be told to automatically transition an issue by using the commit messages in Github. With Smart Commits, the actions you can perform in Jira from a commit message are: comment on issues, record time tracking info, and transition issues.

All these actions take place in the Jira application through the DVCS connector - and you'll notice that it's mostly Jira "fetching" information from Github and not taking action (except Smart Commits, which you can disable if you are concerned). There's not really any mechanism for running anything on the actual underlying server.

Now let's get into the mechanics of how this is set up and secured. I think you'll be pleasantly surprised at the configuration!

Following the DVCS connector documentation, you'll see that you need to create a new OAuth token for the Github account/team you want to connect to Jira. This gives you a client ID and secret. These values are put in and saved in Jira, and are specific to that team/account in Github. Because Github is the OAuth provider here, encryption will be enforced for connections up to Github.

I'd also recommend that you ensure your Jira server is only serving connections to the Github over HTTPS - and I'd go the extra step to only allow connections on your local network over HTTPS as well if you haven't already. That's not specifically advice for connecting with Github, it's just general internet safety. Traffic to your applications should be encrypted in general :)

So - you have to specifically enable access for a particular Github account/team, and potentially decide even which repositories you want to sync from. Other people trying to connect to your Jira server from Github, even if they had your Jira server's URL, would not be able to initiate a connection TO your Jira Server. The integration uses authentication that is specific to a particular Github account/team, and you have to add the authentication information to your Jira instance as an administrator.

I hope that helps you feel better about the request, and please let me know if you have more questions about it!

Cheers,
Daniel
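Daniel's first assumption, that a statically whitelisted set of Github ranges drifts over time, is the part a firewall admin most often gets burned by. As an added example (not from either post or from Atlassian), this script compares a static allowlist against the ranges Github publishes and renders nftables rules for only the inbound-relevant `hooks` ranges. The real source is https://api.github.com/meta; the JSON here is a constructed stand-in so the script runs offline.

```python
"""Check a static firewall allowlist for drift against Github's published ranges."""
import ipaddress
import json

# Constructed stand-in for the JSON that https://api.github.com/meta returns
# (real responses carry many more ranges; only the shape matters here).
SAMPLE_META_JSON = json.dumps({
    "hooks": ["192.0.2.0/24", "198.51.100.8/29", "2001:db8:1::/48"],
    "web": ["203.0.113.0/24"],
})

# Constructed: what an admin typed into the firewall months ago.
CURRENT_ALLOWLIST = ["192.0.2.0/24", "198.51.100.0/29"]


def published_ranges(meta_json: str, keys=("hooks",)):
    """Return the set of networks Github publishes under the given keys.

    Only the keys relevant to inbound traffic (webhooks) should be allowed in;
    also allowing 'web' or 'api' would open the hole far wider than needed.
    """
    meta = json.loads(meta_json)
    nets = set()
    for key in keys:
        for cidr in meta.get(key, []):
            nets.add(ipaddress.ip_network(cidr, strict=True))
    return nets


def allowlist_drift(meta_json: str, allowlist, keys=("hooks",)):
    """Return (stale, missing) as sorted CIDR strings.

    'stale' entries are allowed but no longer published (remove them);
    'missing' entries are published but not allowed (the integration breaks
    until they are added).
    """
    published = published_ranges(meta_json, keys)
    current = {ipaddress.ip_network(c, strict=True) for c in allowlist}
    return (sorted(str(n) for n in current - published),
            sorted(str(n) for n in published - current))


def nft_rules(meta_json: str, dport=443, keys=("hooks",)):
    """Render nftables accept rules for the published ranges only."""
    rules = []
    for net in sorted(published_ranges(meta_json, keys), key=lambda n: (n.version, n)):
        fam = "ip" if net.version == 4 else "ip6"
        rules.append(f"{fam} saddr {net} tcp dport {dport} accept")
    return rules


if __name__ == "__main__":
    stale, missing = allowlist_drift(SAMPLE_META_JSON, CURRENT_ALLOWLIST)
    print("stale:", stale, "missing:", missing)
    print("\n".join(nft_rules(SAMPLE_META_JSON)))
```

Running this on a schedule and alerting on a non-empty `stale` or `missing` list turns the "go back later and update the whitelist" chore into a check rather than a surprise outage.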

Torbjörn Richter December 19, 2019

Hi @Daniel Eads 

Sorry for the late reply. I might have been unclear in my question. I don't doubt that the DVCS connector is secure. My question is more what can happen outside that connector, since we open up for the Github IPs. I'm thinking what can be done from Github outside the connector.

I'm thinking, someone with a Github project can execute API calls (outside the connector) towards our Jira, trying to guess the admin pwd for instance.

Let's say we are stupid enough to have admin:admin. Then someone might be able to guess that and through a Github project access our Jira.

Before, at least the FW stopped any attempts, but now there is a way through if you are on a Github IP.

I hope I explained a bit better now. :)
