Is it possible to restrict script runner functionality based on IP range?

Ward Minnis Dec 01, 2017

We recently had a security firm identify script runner as a security risk. Now I know that access to the plugin is already restricted to people with JIRA admin accounts but I am wondering if it is possible to restrict further based on IP for example? 


1 answer

0 votes
Nic Brough [Adaptavist] Community Leader Dec 01, 2017

Mmm.  Did your security firm mention other things in Jira that might be a risk? 

If they did not, then it's pretty clear that they don't really understand Jira and hence are not really to be trusted on the security of Jira (and probably the rest of the Atlassian stack either).

Ward Minnis Dec 04, 2017

Hi Nic, 

Thanks for your quick response. Yes, the security firm gave us a full laundry list of items, most were reasonable. :)

This is one of my few remaining items from that list and other than limiting the number of admins I can't see anything else to do with it. Hence the question.  

Nic Brough [Adaptavist] Community Leader Dec 04, 2017

Problem is the question tells me they don't understand what they're doing.  I'm not sure I can explain how a web application works to someone at that low level of understanding.

Ward Minnis Dec 05, 2017 • edited

I guess you can do IP whitelisting using an nginx reverse proxy to restrict access to the /plugins/servlet/scriptrunner/ route. I'll try that out and see if that works.

Nic Brough [Adaptavist] Community Leader Dec 05, 2017

That's mostly irrelevant, as most scriptrunner functions are available as scripts within the application.  /plugins/servlet/scriptrunner is probably around 1% of the app, and there's nothing to stop your admins creating new routes to it.

I think this discussion has really exposed a lack of understanding, which I don't want to waste your time on.

Rather than chase down increasingly obscure and pointless "fixes" which won't do anything, could we go back to the basics?

What, actually, is the problem?  Where do your security people think there is a security issue?  What does "they identify script runner as a security issue" really mean?

Try the five whys - "why is SR a security issue?".  What are the responses to the next four "why?" questions?
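
Added example, not part of any post in this thread: an nginx fragment for the IP allowlisting idea raised in the Dec 05 comment. The upstream address, hostname, certificate paths and admin range are assumptions; as the reply in the thread points out, a rule like this covers only the /plugins/servlet/scriptrunner/ path and not ScriptRunner functions reachable elsewhere in the application.

```nginx
# Added example: fragment for the http{} context of nginx.conf.
# Assumed values (not from the thread): Jira on 127.0.0.1:8080 with no
# context path, host jira.example.internal, admin network 10.20.30.0/24.

upstream jira_backend {
    # Jira must accept connections only from the proxy (loopback here),
    # otherwise clients can reach it directly and skip the allowlist.
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name jira.example.internal;              # assumed hostname
    ssl_certificate     /etc/nginx/tls/jira.crt;    # assumed path
    ssl_certificate_key /etc/nginx/tls/jira.key;    # assumed path

    # Headers Jira needs from the proxy, inherited by both locations below.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # The route named in the thread. "^~" keeps any regex location from
    # taking precedence over this prefix match.
    location ^~ /plugins/servlet/scriptrunner/ {
        # allow/deny are evaluated against $remote_addr, the TCP peer.
        # If another load balancer sits in front of nginx, $remote_addr is
        # that balancer and the real client address has to be restored
        # with the realip module (set_real_ip_from / real_ip_header).
        allow 10.20.30.0/24;    # constructed admin range
        deny  all;              # all other clients receive 403
        proxy_pass http://jira_backend;
    }

    # Every other Jira URL is proxied without an IP restriction, which is
    # why this rule does not cover ScriptRunner features exposed on other
    # paths of the application.
    location / {
        proxy_pass http://jira_backend;
    }
}
```

Requests to the restricted path from outside the allowed range show up in the nginx access log with status 403, which gives a simple signal to alert on.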
