We recently had a security firm identify script runner as a security risk. Now I know that access to the plugin is already restricted to people with JIRA admin accounts but I am wondering if it is possible to restrict further based on IP for example?
Thanks,
Mmm. Did your security firm mention other things in Jira that might be a risk?
If they did not, then it's pretty clear that they don't really understand Jira and hence are not really to be trusted on the security of Jira (and probably the rest of the Atlassian stack either)
Hi Nic,
Thanks for your quick response. Yes, the security firm gave us a full laundry list of items, most were reasonable. :)
This is one of my few remaining items from that list and other than limiting the number of admins I can't see anything else to do with it. Hence the question.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Problem is the question tells me they don't understand what they're doing. I'm not sure I can explain how a web application works to someone at that low level of understanding.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I guess you can do IP whitelisting using an nginx reverse proxy to restrict access to the /plugins/servlet/scriptrunner/ route. I'll try that out and see if that works.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
That's mostly irrelevant, as most scriptrunner functions are available as scripts within the application. /plugins/servlet/scriptrunner is probably around 1% of the app, and there's nothing to stop your admins creating new routes to it.
I think this discussion has really exposed a lack of understanding, which I don't want to waste your time on.
Rather than chase down increasingly obscure and pointless "fixes" which won't do anything, could we go back to the basics.
What, actually, is the problem? Where do your security people think there is a security issue? What does "they identify script runner as a security issue" really mean?
Try the five whys - "why is SR a security issue?". What are the responses to the next four "why?" questions?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.