Forge Permission Screen Fails to Mention External Sites

Hello.

I’ve noticed that Forge’s permission screen gets external permissions wrong?!

The app has this permission descriptor:

permissions:
  scopes:
    - 'read:confluence-user'
    - 'storage:app'
  content:
    styles:
      - 'unsafe-inline'
    scripts:
      - 'unsafe-inline'
  external:
    fetch:
      backend:
        - '*'

However, on the permission screen, this is the set of permissions I get asked for:

It says 0 external sites. Zero! The exact opposite of what the app actually does.

Am I understanding the permission screen wrong?

Update: I’ve created a bug [FRGE-816] - Ecosystem Jira.
Unless I’m missing something, this is imo quite a bad security bug, because the app has more permissions than a customer thinks it has.

5 Likes
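The mismatch described above can be checked mechanically. What follows is an added example, not code from this thread or from Atlassian Forge: a small Node.js linter that parses the YAML subset used in the manifest above, lists every egress target declared under `permissions.external`, flags the `'*'` wildcard, and compares the result with the "N external sites" count a consent screen displays. Assumptions: the manifest uses only nested mappings and lists of quoted scalars (no YAML library is involved), every list entry under `permissions.external` counts as an egress target, and the hostnames in the second sample manifest are constructed for the example.

```javascript
// Added example (not from the thread or from Forge): lint a manifest's
// declared egress and compare it with what a consent screen shows.
// Assumes the indentation-based YAML subset seen in the post: nested mappings
// plus lists of quoted scalars, with '*' meaning "any site".

const MANIFEST_WILDCARD = `
permissions:
  scopes:
    - 'read:confluence-user'
    - 'storage:app'
  content:
    styles:
      - 'unsafe-inline'
    scripts:
      - 'unsafe-inline'
  external:
    fetch:
      backend:
        - '*'
`;

// Constructed variant with explicit (hypothetical) hosts instead of '*'.
const MANIFEST_HOSTS = `
permissions:
  external:
    fetch:
      backend:
        - 'api.example.com'
        - 'hooks.example.net'
`;

function unquote(s) {
  const t = s.trim();
  const quoted = t.length >= 2 && ((t[0] === "'" && t.endsWith("'")) || (t[0] === '"' && t.endsWith('"')));
  return quoted ? t.slice(1, -1) : t;
}

// Parses the YAML subset above into plain objects and arrays.
function parseManifest(text) {
  const root = {};
  // Each frame is a container awaiting children; `node` is created lazily so
  // the first child decides whether the key holds a mapping or a list.
  const stack = [{ indent: -1, parent: null, key: null, node: root }];
  for (const raw of text.split('\n')) {
    const line = raw.trimEnd();
    if (line.trim() === '' || line.trim().startsWith('#')) continue;
    const indent = line.length - line.trimStart().length;
    const content = line.trim();
    while (stack.length > 1 && indent <= stack[stack.length - 1].indent) stack.pop();
    const frame = stack[stack.length - 1];
    if (content.startsWith('- ')) {
      if (frame.node === null) { frame.node = []; frame.parent[frame.key] = frame.node; }
      if (!Array.isArray(frame.node)) throw new Error(`list item under a mapping: ${content}`);
      frame.node.push(unquote(content.slice(2)));
      continue;
    }
    const m = content.match(/^([^:]+):\s*(.*)$/);
    if (!m) throw new Error(`cannot parse line: ${content}`);
    if (frame.node === null) { frame.node = {}; frame.parent[frame.key] = frame.node; }
    if (Array.isArray(frame.node)) throw new Error(`mapping key under a list: ${content}`);
    const [, key, value] = m;
    if (value === '') stack.push({ indent, parent: frame.node, key, node: null });
    else frame.node[key] = unquote(value);
  }
  return root;
}

// Collects every egress target under permissions.external, whatever the
// category (fetch.backend, fetch.client, ...), and flags the '*' wildcard.
function summarizeEgress(manifest) {
  const external = (manifest.permissions && manifest.permissions.external) || {};
  const hosts = new Set();
  let wildcard = false;
  const walk = (node) => {
    if (Array.isArray(node)) {
      for (const v of node) { if (v === '*') wildcard = true; else hosts.add(v); }
    } else if (node && typeof node === 'object') {
      Object.values(node).forEach(walk);
    }
  };
  walk(external);
  return { wildcard, hosts: [...hosts].sort() };
}

// Compares declared egress with the "N external sites" count a consent screen
// displays. A wildcard can never be rendered honestly as a finite count, and an
// explicit list must match exactly.
function checkConsentScreen(summary, displayedSiteCount) {
  if (summary.wildcard) {
    return { ok: false, reason: `manifest allows any site ('*') but screen shows ${displayedSiteCount}` };
  }
  if (summary.hosts.length !== displayedSiteCount) {
    return { ok: false, reason: `manifest declares ${summary.hosts.length} site(s), screen shows ${displayedSiteCount}` };
  }
  return { ok: true, reason: 'declared egress matches the consent screen' };
}

if (typeof require !== 'undefined' && require.main === module) {
  const summary = summarizeEgress(parseManifest(MANIFEST_WILDCARD));
  console.log(checkConsentScreen(summary, 0)); // the mismatch reported in the post
}
```

Run with `node lint-manifest.js`; the wildcard manifest against a screen showing 0 sites yields `ok: false`, which is exactly the condition the post reports, while the explicit-host manifest passes only when the displayed count equals the number of declared hosts.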

Hi Roman, thanks for raising. That definitely doesn’t look right. We’ll look into it.

We’ve identified the problem and will get this fixed as a priority. Thanks for raising FRGE-816, we’ll keep it updated with progress.

1 Like

Hi Roman, thanks again for raising. This issue has now been resolved and the consent screen displays correctly.

[Screenshot: Screen Shot 2022-09-19 at 5.26.40 PM]

In future, it would be great if you could raise any security issues directly via a ticket or the bug bounty program so they can be addressed even sooner.

1 Like

I’m encountering a similar issue myself where egress URLs are not being added to the app consent screen: External fetch URLs not showing on consent screen and fails to allow access