100 app property limit should be lifted

This sounds like a critical security issue in Jira to me.

1 Like

@jack @paul are you sure? Are you writing about entity properties like issue/project etc. (https://developer.atlassian.com/cloud/jira/platform/jira-entity-properties/#jira-entity-properties) or add-on properties? In the case of add-on properties (https://developer.atlassian.com/cloud/jira/platform/jira-entity-properties/#app-properties) it was not possible before. You couldn’t change it in the console using AP.request. Did that change?

Hi @maciej.dudziak, I’m using add-on properties. I don’t know if anything has changed, but my cloud apps used to just read and write the add-on properties from the admin config screen. I have, in the last week, started keeping a backup of the settings on my server (as the source of truth).

When I changed them using a lower-privilege user, I just did a right-click and inspect on one of the app’s lower-security pages (when logged in as the lower-privileged user). I then pasted the update statement (using AP.request) into the console and it updated them.

Paul

@paul Ah, you are right, those are only sandboxed but not protected.

Add-on properties used to only be readable and writable when requests to the /rest/atlassian-connect/1/addon/{addon-key}/properties/{property-name} URL were made as the add-on user for the Connect app. I know this because I kept forgetting to make requests to read them as the add-on user, which would remind me that I had to.

The REST API docs now contain a warning saying not to trust those endpoints because any user logged into Jira can use AP.request from within the iframe of the app to read/write those app properties.

As a result, we no longer store sensitive data in app properties.

2 Likes

Yeah, I also remember it had worked like that; now I am wondering when it was changed :disappointed: