How can i restrict access to some rest api links

C Mouronval February 6, 2023

I have a data leak over the rest API of my jira server version 8.8.0.

I need to restrict the access to the following links:

/rest/api/2/dashboard?maxResults=100
/rest/api/2/projectCategory?maxResults=1000
/rest/api/2/resolution
/rest/config/1.0/directory
/rest/menu/latest/admin

After searching for a while, I still have no clue as to how I'm supposed to prevent retrieving data from those links and didn't manage to find any documentation about it.

Thanks for your valuable comments.

Have a nice day!

2 answers

1 accepted

2 votes
Answer accepted
Radek Dostál
Rising Star
February 6, 2023

Uhm, what do you mean by "data leak"? If you are concerned about Jira leaking data to unauthorized people, then you would want to raise a ticket with Atlassian to clarify the problem, however, I suspect this is more of a confusion than an actual security bug.

If you're adamant about this then personally I'd do it on reverse proxy (afaik you can't really "block" specific endpoints in tomcat without breaking the app). All in all I really don't think you need or want to do it though. This seems confusing to me.

C Mouronval February 6, 2023

I don't really know, my company works with a web security company and they identified those API links as data leaks.

To my eyes, it does not seem like that much of a data leak in any way, and I don't know what I can really do about it because, as you said, I think those links are necessary for the app to behave normally.

Anyway, thank you for your advice and taking the time to answer me.

Radek Dostál
February 6, 2023

Indeed many endpoints in Jira are accessible to anonymous users - but the key point being they show the data the anonymous user has access to. '/rest/api/2/dashboard' is the perfect example of that - if you're logged in you see a lot, if you're not logged in you see nothing or maybe a few, but those few must be shared with anonymous users (so a public sharing problem).

I can see why some application scanners could see "oh this returns 200 with json" as a problem, but indeed opening those endpoints you should see they contain no sensitive data.

There is a KBA for this https://confluence.atlassian.com/jirakb/how-to-control-anonymous-user-access-in-a-public-jira-instance-975031479.html leading to https://jira.atlassian.com/browse/JRASERVER-65521 which are both interesting reads.
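If you do decide to go the reverse-proxy route suggested in the accepted answer, here is an added example of what that looks like in nginx; it is not from the thread or from Atlassian, and it assumes Jira is proxied from 127.0.0.1:8080, that API clients send an Authorization header, and that 10.0.0.0/8 is your trusted office range (all placeholders).

```nginx
# Added example, not part of the original thread. Refuses requests to the
# flagged REST paths unless they come from a trusted network or carry
# credentials. Everything else is proxied to Jira unchanged.

# 'map' must live in the http{} context. A request is "anonymous" for our
# purposes when it has neither an Authorization header nor a JSESSIONID cookie.
# Caveat: Jira/Tomcat also hands a JSESSIONID to anonymous visitors once they
# load any page, so this stops credential-less scanners and scripts but is not
# proof of login; the KBA's "only public data is returned" point still applies.
map "$http_authorization$cookie_JSESSIONID" $jira_anonymous {
    default 0;
    ""      1;
}

# Trusted source networks (placeholder range) bypass the check.
geo $jira_trusted_net {
    default      0;
    10.0.0.0/8   1;
}

server {
    listen 443 ssl;
    server_name jira.example.com;   # placeholder
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # $uri has no query string, so "?maxResults=100" does not affect the match.
    location ~ ^/rest/(api/2/(dashboard|projectCategory|resolution)|config/1\.0/directory|menu/latest/admin)(/|$) {
        set $deny 0;
        if ($jira_anonymous)   { set $deny 1; }
        if ($jira_trusted_net) { set $deny 0; }
        if ($deny)             { return 403; }

        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Test it against a staging instance first, since Jira's own UI or marketplace apps may call some of these paths from a browser session that carries no Authorization header; watch the nginx access log for 403s on those paths after rollout.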

0 votes
Ananjan_miniOrange March 19, 2024

Hi @C Mouronval 

I know it's a bit late, but I stumbled upon your post today and wanted to drop a quick comment.

I'm Ananjan from the miniOrange team. Just wanted to share that we have an app in the Atlassian marketplace that can help you easily address this use case. We have a feature called Restrict access to public APIs. If you are interested do give this app a try: Enhance API Security for Jira REST APIs with OAuth/API Token | Atlassian Marketplace
