I would like to echo the sentiments of others in this thread, that a fix for Connect apps should be given higher priority than it would seem to have been given by Atlassian.
I appreciate that the future is Forge, but there are are lot of existing Connect apps and the migration path from Connect to Forge is yet to be defined.
Here’s our story…
Last year we were fortunate to enough to achieve Silver Marketplace Partner status.
In February this year we were advised by the Marketplace Team that in order to maintain this status we were required to register the app with the most installs into the Marketplace Bug Bounty Program; which we dutifully did.
The first submission to our bug bounty program was received recently, and of course it was in relation to the App Properties REST API.
Our app (which is a Confluence dynamic content macro) includes an admin page - that is, our atlassian-connect.json
descriptor file includes a configurePage
property, which activates the “Configure” button for our app in the Manage Apps screen. The page is appropriately scoped to user_is_admin
.
The configuration options that our admin page controls aren’t particularly sensitive (so exposing the values is not of any concern), but they do control how our app behaves so it would make sense to restrict who is allowed to update them, which the admin page does.
The admin page uses the App Properties REST API to store these settings under our apps key (/rest/atlassian-connect/1/addons/{app-key}/properties/config
), and retrieved by the macro when it is rendered on a Confluence page.
The security researcher who submitted the bug report correctly noted that it is trivial for someone who is not an admin to issue a PUT
request to the above endpoint and modify the settings, as the only restriction the API has is that a valid JWT for the Connect app must be provided (which any logged in user can easily obtain).
Naturally we paid the bounty on this bug report because it is a genuine security flaw in our app, but the fix for this will require us to migrate all existing customers settings out of app properties and store them in our own database.
Up until this point, we have (proudly) told our customers that we don’t store any of their data (aside from AddonSettings
table that atlassian-connect-express maintains for installs), but this forces us to change this claim. Admittedly there is no PII data, but in the age of GDPR we want to hold as little data from our customers as possible.
I can’t for the life of me think of why a REST API endpoint that is able to mutate a shared setting (shared by all users of the app) would not at least have the option to restrict who is allowed to modify it.
We are obviously going to proceed with our migration away from app properties, as our customers expect that any settings controlled through the admin page are secure and not able to be tampered with. But we genuinely feel that this is a fundamental security issue that should be fixed in the platform rather than in every Connect app, as I’m sure we aren’t the first app to have paid out a bug bounty for this exact security flaw.
Atlassian have a duty to ensure that the APIs they offer are secure and fit for purpose, and we don’t believe the App Properties REST API currently is.