Automation webhooks must be on the Jira system whitelist

agoldthorpe · October 29, 2019, 5:30am

In Jira Service Desk 4.6, we’re changing the restrictions on automation webhooks. Currently, when creating an automation rule you’re able to specify any URL as a target. Learn more at Send alerts with Jira Service Desk webhooks.

From Jira Service Desk 4.6, we’ll be restricting this to only URLs listed on the Jira system whitelist. We’re making this change to improve the security of your service desk.

Version(s) this change impacts

Jira Service Desk 4.6.0 and onwards

What will I need to do?

To maintain current behavior, you’ll need to contact your Jira administrator and ask them to include in the system whitelist, the URLs your webhooks will be targeting.

If you’re a Jira administrator, you can find instructions on how to do this at Configuring the whitelist.

If you have questions

If you have any comments or questions, don’t hesitate in posting them here and we’ll take a look.

Regards,
Aidan Goldthorpe
Engineer, Jira Service Desk Team

sfbehnke · July 14, 2020, 3:52pm

This wasn’t mentioned in the 4.6 update or upgrade notes and led to an outage of our webhooks while we struggled to determine why Service Desk reported ‘success’ even though the webhooks weren’t working.

I can only find this post and the now-updated Documentation on the Webhooks.

RodrigoBaldasso · January 12, 2021, 3:35pm

Below is query, which works for Server/DC, in case you want to grab all the webhooks currently in place in your automation rules, so you can review and add them to the whitelisting settings:

select 
rsetrevision."CREATED_BY" as "Rule created by",
rsetrevision."DESCRIPTION" as "Rule description",
thenactioncfgdata."CONFIG_DATA_VALUE" as "Webhook URL"
from 
"AO_9B2E3B_RULE" r
join "AO_9B2E3B_RULESET_REVISION" rsetrevision on r."RULESET_REVISION_ID" = rsetrevision."ID"
join "AO_9B2E3B_IF_THEN" ifthen on r."ID"=ifthen."RULE_ID"
join "AO_9B2E3B_THEN_ACTION_CONFIG" thenactioncfg on thenactioncfg."IF_THEN_ID"=ifthen."ID"
join "AO_9B2E3B_THEN_ACT_CONF_DATA" thenactioncfgdata on thenactioncfg."ID"= thenactioncfgdata."THEN_ACTION_CONFIG_ID"
and thenactioncfgdata."CONFIG_DATA_KEY" ilike '%url%';

steve.behnke · January 12, 2021, 9:30pm

The Webhooks should report a failure when they fail to be sent due to the allowlist.

RodrigoBaldasso · January 13, 2021, 9:51pm

Hey Steve,

We have created a bug in our tracking system to improve this, as the automation rules should be indicating a failure when the URL is not in the whitelisting. You can track that bug below:

[JSDSERVER-6955] Service Desk webhooks that fail indicate success - Create and track feature requests for Atlassian products.

Cheers!