We recently had a security firm identify script runner as a security risk. Now I know that access to the plugin is already restricted to people with JIRA admin accounts but I am wondering if it is possible to restrict further based on IP for example?
Mmm. Did your security firm mention other things in Jira that might be a risk?
If they did not, then it's pretty clear that they don't really understand Jira and hence are not really to be trusted on the security of Jira (and probably the rest of the Atlassian stack either)
Thanks for your quick response. Yes, the security firm gave us a full laundry list of items, most were reasonable. :)
This is one of my few remaining items from that list and other than limiting the number of admins I can't see anything else to do with it. Hence the question.
Problem is the question tells me they don't understand what they're doing. I'm not sure I can explain how a web application works to someone at that low level of understanding.
I guess you can do IP whitelisting using an nginx reverse proxy to restrict access to the /plugins/servlet/scriptrunner/ route. I'll try that out and see if that works.
That's mostly irrelevant, as most scriptrunner functions are available as scripts within the application. /plugins/servlet/scriptrunner is probably around 1% of the app, and there's nothing to stop your admins creating new routes to it.
I think this discussion has really exposed a lack of understanding, which I don't want to waste your time on.
Rather than chase down increasingly obscure and pointless "fixes" which won't do anything, could we go back to the basics.
What, actually, is the problem? Where do your security people think there is a security issue? What does "they identify script runner as a security issue" really mean?
Try the five whys - "why is SR a security issue?". What are the responses to the next four "why?" questions?
Hello, Atlassian Community! My name is Dave Meyer and I'm a Principal Product Manager at Atlassian. I wanted to give this community a heads up about an upcoming Webinar that might be of interest...
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event
You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events