Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

is it safe to open up FW between internal Jira and Github

Hi

We are running Jira behind a FW and now dev wants to start using github with jira integration.

If we whitelist Github IPs, is that safe enough since its not possible to allow only certain github projects.

My concern is that anyone can create a github project and using that to jump to/access or execute code towards Jira.

 

anyone with experience of this? 

 

cheers

 

1 answer

0 votes
Daniel Eads Atlassian Team Dec 06, 2019

@Hey @Torbjörn Richter !

I've previously configured Jira Server instances with Github and can speak on this a bit. First, some assumptions:

  • You're looking at Github's listed IP addresses which can change from time to time. If you're statically whitelisting their IPs in your firewall, you may need to go back later and update the whitelist if you find the functionality has broken
  • The way you'll connect Jira with Github is with Jira's built-in DVCS connector

 

You'll probably also want to know what exactly can happen in Jira after it's connected to Github. I'd recommend reading Jira's "integrating with development tools" document if you have a moment, but I'll summarize the actions available:

  • Jira will list all the repos available to it in the DVCS connector page. You can check/uncheck these in Jira to sync their commits from Github
  • A "development" section will be available in the right-hand panel for issues in Jira. It will display information about code that mentions that Jira issue (commits, branches, pull requests, builds, etc).
  • You can configure Workflow Triggers in Jira to move issues through your workflow when particular actions happen in the repo
  • The Release Hub in Jira will show information about the commits from Github to help inform on a sprint's progress
  • IF you enable smart commits, Jira can be told to automatically transition an issue by using the commit messages in Github. With Smart Commits, the actions you can perform in Jira from a commit message are: comment on issues, record time tracking info, and transition issues.

All these actions take place in the Jira application through the DVCS connector - and you'll notice that it's mostly Jira "fetching" information from Github and not taking action (except Smart Commits, which you can disable if you are concerned). There's not really any mechanism for running anything on the actual underlying server.

Now let's get into the mechanics of how this is set up and secured. I think you'll be pleasantly surprised at the configuration!

Following the DVCS connector documentation, you'll see that you need to create a new OAuth token for the Github account/team you want to connect to Jira. This gives you a client ID and secret. These values are put in and saved in Jira, and are specific to that team/account in Github. Because Github is the OAuth provider here, encryption will be enforced for connections up to Github.

I'd also recommend that you ensure your Jira server is only serving connections to the Github over HTTPS - and I'd go the extra step to only allow connections on your local network over HTTPS as well if you haven't already. That's not specifically advice for connecting with Github, it's just general internet safety. Traffic to your applications should be encrypted in general :)

So - you have to specifically enable access for a particular Github account/team, and potentially decide even which repositories you want to sync from. Other people trying to connect to your Jira server from Github, even if they had your Jira server's URL, would not be able to initiate a connection TO your Jira Server. The integration uses authentication that is specific to a particular Github account/team, and you have to add the authentication information to your Jira instance as an administrator.

I hope that helps you feel better about the request, and please let me know if you have more questions about it!

Cheers,
Daniel

Hi @Daniel Eads 

Sorry for late reply. I might have been unclear in my question. I dont doubt that the DVCS connector is secure. My question is more what can happen outside that connector since we open up for the github IPs. Im thinking what can be done from Github outside the connector. 

Im thinking, somone with a github project can execute api calls (outside the connector) towards our Jira, trying to guess the admin pwd for instance.

Lets say we are stupid enough to have admin:admin. then someone might be able to guess that and trough a github project access our Jira.

Before at least the FW stopped any attempts but now there is a way through, if you are on github IP.

 

I hope I explained a bit better now. :) 

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Published in Jira Service Desk

The Complete Guide to Atlassian for ITSM

Hi Atlassian Community! This is Teresa from the Atlassian team. My colleague Paul Buffington @Buff and I are excited to share a brand new ITSM resource we’ve created – "The Complete Guide to At...

2,245 views 14 22
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you