In Jira Service Desk 4.6, we’re changing the restrictions on automation webhooks. Currently, when creating an automation rule you’re able to specify any URL as a target. Learn more at Send alerts with Jira Service Desk webhooks.
From Jira Service Desk 4.6, we’ll be restricting this to only URLs listed on the Jira system whitelist. We’re making this change to improve the security of your service desk.
Version(s) this change impacts
- Jira Service Desk 4.6.0 and onwards
What will I need to do?
To maintain current behavior, you’ll need to contact your Jira administrator and ask them to include the URLs your webhooks will be targeting in the system whitelist.
If you’re a Jira administrator, you can find instructions on how to do this at Configuring the whitelist.
If you have questions
If you have any comments or questions, don’t hesitate to post them here and we’ll take a look.
Regards,
Aidan Goldthorpe
Engineer, Jira Service Desk Team
2 Likes
This wasn’t mentioned in the 4.6 update or upgrade notes and led to an outage of our webhooks while we struggled to determine why Service Desk reported ‘success’ even though the webhooks weren’t working.
I can only find this post and the now-updated Documentation on the Webhooks.
1 Like
Below is a query, which works for Server/DC, in case you want to grab all the webhooks currently in place in your automation rules, so you can review and add them to the whitelisting settings:

```sql
-- Lists every automation rule action whose config key contains "url",
-- with the rule's creator and description.
-- ILIKE (case-insensitive LIKE) is PostgreSQL syntax.
select
    rsetrevision."CREATED_BY" as "Rule created by",
    rsetrevision."DESCRIPTION" as "Rule description",
    thenactioncfgdata."CONFIG_DATA_VALUE" as "Webhook URL"
from
    "AO_9B2E3B_RULE" r
    join "AO_9B2E3B_RULESET_REVISION" rsetrevision on r."RULESET_REVISION_ID" = rsetrevision."ID"
    join "AO_9B2E3B_IF_THEN" ifthen on r."ID" = ifthen."RULE_ID"
    join "AO_9B2E3B_THEN_ACTION_CONFIG" thenactioncfg on thenactioncfg."IF_THEN_ID" = ifthen."ID"
    join "AO_9B2E3B_THEN_ACT_CONF_DATA" thenactioncfgdata on thenactioncfg."ID" = thenactioncfgdata."THEN_ACTION_CONFIG_ID"
        and thenactioncfgdata."CONFIG_DATA_KEY" ilike '%url%';
```
The Webhooks should report a failure when they fail to be sent due to the allowlist.
1 Like
Hey Steve,
We have created a bug in our tracking system to improve this, as the automation rules should be indicating a failure when the URL is not in the whitelisting. You can track that bug below:
Cheers!
2 Likes
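
An added example (not part of the thread and not Atlassian's code): a Python sketch that checks the webhook URLs returned by the query posted earlier in this thread against planned whitelist entries, so rules that would stop firing after the upgrade are found beforehand. The sample rows and rules are constructed, and the rule kinds (`exact`, `domain`, `wildcard`) and their matching semantics are assumptions of this sketch, not Jira's implementation.

```python
import fnmatch
from urllib.parse import urlsplit

# Constructed sample: (rule description, webhook URL) rows as the query would return them.
ROWS = [
    ("Page on-call", "https://hooks.example.com/services/T1/B2"),
    ("Notify chat", "https://chat.example.net/incoming/abc"),
    ("Lookalike host", "https://hooks.example.com.other.test/x"),
    ("Broken rule", "not a url"),
]
# Constructed allowlist; rule kinds and matching semantics are assumptions of this sketch.
ALLOWLIST = [
    ("domain", "https://hooks.example.com"),
    ("wildcard", "https://*.example.org/*"),
]

def origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:  # malformed port or IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port or default)

def allowed(url, rules):
    """True if any rule covers the URL; hosts are compared after parsing, never by prefix."""
    target = origin(url)
    if target is None:
        return False
    for kind, value in rules:
        if kind == "exact" and url == value:
            return True
        if kind == "domain" and target == origin(value):
            return True
        if kind == "wildcard" and fnmatch.fnmatchcase(url, value):
            return True
    return False

def uncovered(rows, rules):
    """Rows whose webhook URL no rule covers; these would stop firing."""
    return [(desc, url) for desc, url in rows if not allowed(url, rules)]

if __name__ == "__main__":
    for desc, url in uncovered(ROWS, ALLOWLIST):
        print(f"NOT COVERED  {desc!r}: {url}")
```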