Permissions


Security

Writing SQL+JQL queries from the console must be restricted to trusted users only, to avoid JavaScript injection attacks.

Since version 7.13.0, access permissions are required for all users except Jira administrators.

Jira administrators can grant access to other users and groups via global permissions.

Running queries written by trusted users is safe.



Two global permissions must be configured to allow users to create and run queries:



  • SQL+JQL database console access: Grants users access to the built-in web console to write, run and save queries.

  • SQL+JQL database JDBC connection: Grants users the ability to connect to the app and run queries remotely via JDBC.


Auditing all the saved queries

SQL+JQL queries allow running JavaScript. For this reason, access to the console must be restricted to trusted users only, as a query could perform malicious actions on behalf of the user running it.

The attack would happen in this way:

  1. A malicious Jira user with access to the console writes a query to run malicious code.

  2. The query is saved in the console and generates a query id.

  3. The victim (another Jira user) runs the query by its id, for example from a gadget.

Keep in mind that the app is safe by default: Jira users cannot write queries unless they are explicitly granted permission to do so, and all other users can only run queries by their id.

So the only way to carry out this attack is to save the malicious query beforehand.

The rest of the trusted users and Jira administrators can easily audit all the saved queries:

SELECT * FROM AUX.SAVEDQUERIES

ID   NAME     AUTHOR  MODIFIEDON               DESCRIPTION  QUERY
364  folders  admin   2020-01-29 19:53:05.633               SELECT * FROM ZEPHYR.CYCLES c join ZEPHYR.CYCLEFOLDERS f on f.PROJECTID = c.PROJECTID and f.VERSIONID = c.VERSIONID and f.CYCLEID = c.ID where PROJECTKEY = 'MSP'
365  cycles   admin   2020-01-28 22:57:53.234               SELECT * FROM ZEPHYR.CYCLES where projectkey = 'MSP'

The query above lists all the saved queries, so it is easy to see who wrote each one and what it does.

It is not easy to hide this kind of attack, since the query text is visible to every trusted user and Jira administrator, who can inspect it without any difficulty.

However, you may want to review the saved queries periodically to verify that nothing unexpected has been saved or modified.
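The periodic review described above is easier when the output of SELECT * FROM AUX.SAVEDQUERIES is compared against a baseline taken at the previous audit, rather than read from scratch each time. The script below is an added example, not code from the SQL+JQL app or its documentation: it takes rows in the shape of the table above (ID, NAME, AUTHOR, MODIFIEDON, DESCRIPTION, QUERY), records a baseline keyed by query id with the author and a hash of the query text, and reports which saved queries were added, removed or changed since the baseline. The two sample rows are constructed to mirror the page's table; in a real run they would be fetched over the app's JDBC connection, which is assumed here and not shown.

```python
"""
Added example (not part of the SQL+JQL app): baseline-diff audit over the
rows returned by SELECT * FROM AUX.SAVEDQUERIES.

Assumptions: rows are tuples in the column order shown on the page
(ID, NAME, AUTHOR, MODIFIEDON, DESCRIPTION, QUERY) and were obtained via the
app's JDBC connection; the sample rows below are constructed.
"""
import hashlib
import json

COLUMNS = ("ID", "NAME", "AUTHOR", "MODIFIEDON", "DESCRIPTION", "QUERY")

# Constructed sample rows: the same two saved queries shown in the page's table.
SAMPLE_ROWS = [
    (364, "folders", "admin", "2020-01-29 19:53:05.633", "",
     "SELECT * FROM ZEPHYR.CYCLES c join ZEPHYR.CYCLEFOLDERS f on f.PROJECTID = c.PROJECTID "
     "and f.VERSIONID = c.VERSIONID and f.CYCLEID = c.ID where PROJECTKEY = 'MSP'"),
    (365, "cycles", "admin", "2020-01-28 22:57:53.234", "",
     "SELECT * FROM ZEPHYR.CYCLES where projectkey = 'MSP'"),
]


def fingerprint(row):
    """Hash the QUERY column so the baseline records content, not only metadata."""
    return hashlib.sha256(row[5].encode("utf-8")).hexdigest()


def build_baseline(rows):
    """Snapshot every saved query, keyed by ID: owner, last change, hash of the text."""
    return {
        str(row[0]): {"author": row[2], "modified_on": row[3], "sha256": fingerprint(row)}
        for row in rows
    }


def diff_baseline(old, rows):
    """Compare current AUX.SAVEDQUERIES rows against a stored baseline.

    Returns the IDs that are new, removed, or changed (query text or author
    differs) since the baseline was taken. Those are the queries a trusted
    user should read in full before signing off the audit.
    """
    new = build_baseline(rows)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(
        qid for qid in set(old) & set(new)
        if old[qid]["sha256"] != new[qid]["sha256"]
        or old[qid]["author"] != new[qid]["author"]
    )
    return {"added": added, "removed": removed, "changed": changed}


def queries_by_author(rows):
    """Group saved query IDs per AUTHOR, to check each author against the trusted-user list."""
    grouped = {}
    for row in rows:
        grouped.setdefault(row[2], []).append(row[0])
    return grouped


if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_ROWS)
    # Simulated next audit (constructed): query 365 was edited and a new
    # query 366 by another author appeared.
    later_rows = [
        SAMPLE_ROWS[0],
        (365, "cycles", "admin", "2020-02-03 10:12:00.000", "",
         "SELECT * FROM ZEPHYR.CYCLES where projectkey = 'MSP' order by ID"),
        (366, "report", "jsmith", "2020-02-04 08:00:00.000", "", "SELECT 1"),
    ]
    print(json.dumps(diff_baseline(baseline, later_rows), indent=2))
    print(queries_by_author(later_rows))
```

Store the dictionary returned by build_baseline (for example as JSON) when an audit is signed off, and feed it to diff_baseline at the next one; an empty report means no saved query was added, removed or rewritten in between, and anything listed is exactly the set of queries whose text needs to be read.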