Permissions
Security
Writing SQL+JQL queries from the console must be restricted to trusted users only, because a query can carry JavaScript and so can be used for injection attacks.
Since version 7.13.0, access permissions are required for all users except Jira administrators.
Jira administrators can grant access to other users and groups via global permissions.
Running queries written by trusted users is safe.
Two global permissions must be configured to allow users to create and run queries:
SQL+JQL database console access: grants users access to the built-in web console to write, run and save queries.
SQL+JQL database JDBC connection: grants users the right to connect to the app and run queries remotely via JDBC.
Auditing all the saved queries
SQL+JQL queries allow running JavaScript. For this reason, access to the console must be restricted to trusted users only, as a query could perform malicious actions on behalf of the user running it.
The attack would happen in this way:
A malicious Jira user with access to the console writes a query that runs malicious code.
The query is saved in the console and receives a query id.
The victim (another Jira user) runs the query from a gadget, which executes it by its id.
Keep in mind that the app is safe by default because Jira users cannot write queries (unless they are explicitly granted the permission to do so); the rest of the users can only run existing queries by their id.
So the only way to perform this attack is to save the malicious query first.
The rest of the trusted users and Jira administrators can easily audit all the saved queries:

SELECT * FROM AUX.SAVEDQUERIES

| ID | NAME | AUTHOR | MODIFIEDON | DESCRIPTION | QUERY |
|---|---|---|---|---|---|
| 364 | folders | admin | 2020-01-29 19:53:05.633 | | SELECT * FROM ZEPHYR.CYCLES c join ZEPHYR.CYCLEFOLDERS f on f.PROJECTID = c.PROJECTID and f.VERSIONID = c.VERSIONID and f.CYCLEID = c.ID where PROJECTKEY = 'MSP' |
| 365 | cycles | admin | 2020-01-28 22:57:53.234 | | SELECT * FROM ZEPHYR.CYCLES where projectkey = 'MSP' |
The query above lists all the saved queries, so it is easy to see who wrote each one and what it does.
It is not easy to hide this kind of attack, since the query text is visible to every other trusted user and to Jira administrators, who can inspect it without difficulty.
However, you should review the saved queries from time to time to verify that everything is as expected.
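As an added example that is not part of the original page or the app's own documentation, the audit queries below narrow the full listing to the saved queries that deserve a closer look. They use only the AUX.SAVEDQUERIES columns shown above; the trusted-author list, the date of the last audit and the 'script' substring used as a marker for embedded JavaScript are assumptions made for illustration, not something the app defines.

```sql
-- Added audit example (not from the app's documentation).
-- Flags saved queries that were not written by the assumed trusted
-- authors, that changed since the assumed last audit date, or whose
-- text contains "script" (assumed marker for embedded JavaScript).
SELECT ID,
       NAME,
       AUTHOR,
       MODIFIEDON,
       QUERY
FROM   AUX.SAVEDQUERIES
WHERE  AUTHOR NOT IN ('admin')                        -- assumed trusted authors
   OR  MODIFIEDON >= TIMESTAMP '2020-01-29 00:00:00'  -- assumed date of the last audit
   OR  LOWER(QUERY) LIKE '%script%'                   -- assumed JavaScript marker
ORDER BY MODIFIEDON DESC;

-- Summary per author: an unexpected name or a sudden jump in the
-- count is a quick signal that someone new has started saving queries.
SELECT AUTHOR,
       COUNT(*)        AS SAVED_QUERIES,
       MAX(MODIFIEDON) AS LAST_CHANGE
FROM   AUX.SAVEDQUERIES
GROUP BY AUTHOR
ORDER BY LAST_CHANGE DESC;
```

Against the two rows shown above, the first statement returns query 364 only (it was modified on the assumed audit date), and the second returns a single row for admin with a count of 2. Replace the author list and the date with your own values each time you audit, and run the two statements separately if the console executes one statement at a time.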