Forge custom fields with authorize in Forge app - which permission to use

We’re using the Forge custom fields (and the /rest/api/3/app/field/value end point to update it). We’ve been told that we need to use the authorize api by Atlassian ( https://developer.atlassian.com/platform/forge/runtime-reference/authorize-api/ ) in order to verify that the app has access to update things (which seems odd to me since I would think the app/field/value end point should be implementing this) and the current user cannot call this…

So what permission should I be using to authorize against this end point? We don’t have write access to the jira issues (the end point doesn’t require this).

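As an added illustration of the pattern being discussed (not code from the thread or from Atlassian), this checks the calling user's permission on each issue before the app issues its own PUT to /rest/api/3/app/field/{fieldId}/value. Using canEdit is an assumption the thread does not settle; `canEditIssues` and `putFieldValue` are injected stand-ins so the snippet runs offline, and in a real Forge resolver they would wrap authorize().onJiraIssue(ids).canEdit() and api.asApp().requestJira().

```javascript
// Added example: gate an app-level custom field update on the user's
// per-issue permission, then build the request the app sends itself.
// Assumption: authorize().onJiraIssue([...ids]).canEdit() returns one
// boolean per id, in order; that is what canEditIssues is expected to do.

function buildFieldValueRequest(fieldId, updates) {
  // The endpoint takes { updates: [{ issueIds, value }] }, so group issue ids
  // that receive the same value into one entry.
  const byValue = new Map();
  for (const { issueId, value } of updates) {
    const key = JSON.stringify(value);
    if (!byValue.has(key)) byValue.set(key, { issueIds: [], value });
    byValue.get(key).issueIds.push(issueId);
  }
  return {
    path: `/rest/api/3/app/field/${encodeURIComponent(fieldId)}/value`,
    body: { updates: [...byValue.values()] },
  };
}

async function updateFieldValuesForUser(fieldId, updates, canEditIssues, putFieldValue) {
  const issueIds = updates.map((u) => u.issueId);
  // One permission check for the whole batch; results align with issueIds.
  const allowed = await canEditIssues(issueIds);
  const permitted = updates.filter((_, i) => allowed[i] === true);
  const denied = issueIds.filter((_, i) => allowed[i] !== true);
  if (permitted.length === 0) {
    // Nothing the user may touch: send no app-level request at all.
    return { updated: [], denied, request: null };
  }
  const request = buildFieldValueRequest(fieldId, permitted);
  await putFieldValue(request.path, request.body);
  return { updated: permitted.map((u) => u.issueId), denied, request };
}

// Constructed stand-ins for the Forge calls: the user may edit 10001 and 10003 only,
// and every "sent" request is recorded instead of going to Jira.
const fakeCanEdit = async (ids) => ids.map((id) => id === 10001 || id === 10003);
const sentRequests = [];
const fakePut = async (path, body) => { sentRequests.push({ path, body }); };

// Constructed sample input: issueId -> value the user asked to set.
const sampleUpdates = [
  { issueId: 10001, value: 'High' },
  { issueId: 10002, value: 'High' },
  { issueId: 10003, value: 'Low' },
];
```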

We also got a ticket assigned by Eco Scanner bot. Like Daniel said:

  1. It is not clear which permission to use to authorize.
  2. Why do we need to authorize before sending a request?

I guess our friends at Atlassian are still celebrating the new year? Would be nice to get an update on this as the deadline for the ticket created by the Eco Scanner bot is in February.

SLA approaching but no reply from Atlassian? Does anyone know who the contact person is for app security related tickets that the Eco Scanner bot creates?

No idea. I marked mine as False positive and explained that we need to make a call as an app, and this call doesn’t take any user-specific input or context. They’ve been “reviewing” it for two weeks so far. At least, I’m not getting reminders to fix it anymore.

For posterity, there was a similar question about the authorization needed for the custom field APIs which I answered here: Help with security vulnerability in Forge app - #11 by JoshuaWong.

Hi @JoshuaWong
Could you please also fix the Jira automation comments? It posts comments with a huge HTML body that totally spams the whole ticket:
