Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Is it possible to restrict script runner functionality based on IP range?

Ward Minnis
Ward Minnis December 1, 2017

We recently had a security firm identify script runner as a security risk. Now I know that access to the plugin is already restricted to people with JIRA admin accounts but I am wondering if it is possible to restrict further based on IP for example? 

Thanks,

Answer
Watch
Like Be the first to like this
536 views

1 answer

0 votes
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
December 1, 2017

Mmm.  Did your security firm mention other things in Jira that might be a risk? 

If they did not, then it's pretty clear that they don't really understand Jira and hence are not really to be trusted on the security of Jira (and probably the rest of the Atlassian stack either)

View More Comments
Ward Minnis
Ward Minnis December 4, 2017

Hi Nic, 

Thanks for your quick response. Yes, the security firm gave us a full laundry list of items, most were reasonable. :)

This is one of my few remaining items from that list and other than limiting the number of admins I can't see anything else to do with it. Hence the question.  

Like
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
December 4, 2017

Problem is the question tells me they don't understand what they're doing.  I'm not sure I can explain how a web application works to someone at that low level of understanding.

Like
Ward Minnis
Ward Minnis December 5, 2017

I guess you can do IP whitelisting using an nginx reverse proxy to restrict access to the /plugins/servlet/scriptrunner/ route. I'll try that out and see if that works.

Like
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
December 5, 2017

That's mostly irrelevant, as most scriptrunner functions are available as scripts within the application.  /plugins/servlet/scriptrunner is probably around 1% of the app, and there's nothing to stop your admins creating new routes to it.

I think this discussion has really exposed a lack of understanding, which I don't want to waste your time on.

Rather than chase down increasingly obscure and pointless "fixes" which won't do anything, could we go back to the basics.

What, actually, is the problem?  Where do your security people think there is a security issue?  What does "they identify script runner as a security issue" really mean?

Try the five whys - "why is SR a security issue?".  What are the responses to the next four "why?" questions?

Like
Reply

Suggest an answer

Log in or Sign up to answer
Product apps
Apps & Integrations
TAGS
AUG Leaders

Atlassian Community Events

    See all events