Hi!
I would like to point out an edge case that creates a security problem with Jira. If the jar is copied to the tomcat lib folder instead of the right folder for P1 plugin jars, the functionality is there, but also the `/monitoring` URL is completely open. This is because `isJira()` will return `false` when the jar is installed to the wrong spot, because the Jira classes are missing. This results in `hasNotPermission` also returning `false`, thus bypassing the permission mechanism. Maybe a preliminary check whether `(jira || confluence || bitbucket || bamboo)` yields `false`, and returning in that case, would fix the problem.
But, why should anyone install the jar to the wrong folder? Well, since the Jira DC Helm Charts currently do not specify how to deal with P1 plugins, and using the mechanism for P2 won't work with Jira, chances are you try the additionalLibraries - which leads to the case I described. There is a work-around using additionalVolumeMounts, but that's not documented yet.
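As an added illustration, not the plugin's own code and not any real Atlassian API: a simplified Java sketch of the fallthrough described above, with a fail-closed variant beside it. Product detection and admin status are modelled as plain sets here; that is an assumption standing in for the plugin's class probes and product permission calls.

```java
import java.util.EnumSet;
import java.util.Set;

/** Illustrative reconstruction of the permission fallthrough; not the plugin's code. */
public final class MonitoringAccessCheck {
    /** Host products the jar can recognise by probing their classes. */
    enum Product { JIRA, CONFLUENCE, BITBUCKET, BAMBOO }

    private final Set<Product> detected; // empty when the jar sits in tomcat/lib (classes unreachable)
    private final Set<Product> adminFor; // constructed stand-in: products where the current user is admin

    MonitoringAccessCheck(Set<Product> detected, Set<Product> adminFor) {
        this.detected = detected;
        this.adminFor = adminFor;
    }

    boolean isJira()       { return detected.contains(Product.JIRA); }
    boolean isConfluence() { return detected.contains(Product.CONFLUENCE); }
    boolean isBitbucket()  { return detected.contains(Product.BITBUCKET); }
    boolean isBamboo()     { return detected.contains(Product.BAMBOO); }

    /** Vulnerable shape: every branch is guarded by a product check, so when no
     *  product is detected the method falls through to "not denied". */
    boolean hasNotPermissionVulnerable() {
        if (isJira())       return !adminFor.contains(Product.JIRA);
        if (isConfluence()) return !adminFor.contains(Product.CONFLUENCE);
        if (isBitbucket())  return !adminFor.contains(Product.BITBUCKET);
        if (isBamboo())     return !adminFor.contains(Product.BAMBOO);
        return false; // unknown host treated as permitted: /monitoring is open
    }

    /** Fail-closed shape: the preliminary check suggested in the report. */
    boolean hasNotPermissionFixed() {
        if (!(isJira() || isConfluence() || isBitbucket() || isBamboo())) {
            return true; // no recognised host product: deny instead of falling through
        }
        return hasNotPermissionVulnerable(); // product-specific admin checks as before
    }

    public static void main(String[] args) {
        // Misplaced jar: no product classes visible, anonymous user with no admin rights.
        Set<Product> none = EnumSet.noneOf(Product.class);
        MonitoringAccessCheck misplaced = new MonitoringAccessCheck(none, none);
        System.out.println("misplaced jar, vulnerable denies: " + misplaced.hasNotPermissionVulnerable());
        System.out.println("misplaced jar, fixed denies:      " + misplaced.hasNotPermissionFixed());
        // Correct install: Jira detected, user is not a Jira admin.
        MonitoringAccessCheck proper = new MonitoringAccessCheck(EnumSet.of(Product.JIRA), none);
        System.out.println("proper install, non-admin denied: " + proper.hasNotPermissionFixed());
    }
}
```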