javamelody / jira-confluence-javamelody

JavaMelody plugin for JIRA, Confluence or Bamboo
Apache License 2.0

Potential security issue with Jira and helm chart deployment #28

Open uhagemann opened 1 year ago

uhagemann commented 1 year ago

Hi! I would like to point out an edge case that creates a security problem with Jira. If the jar is copied to the tomcat lib folder instead of the right folder for P1 plugin jars, the functionality is there, but also the /monitoring URL is completely open. This is because isJira() will return false, when the jar is installed to the wrong spot, because the Jira classes are missing. This results in hasNotPermission also returning false, thus bypassing the permission mechanism. Maybe a preliminary check whether (jira || confluence || bitbucket || bamboo) yields false and returning in that case would fix the problem. But, why should anyone install the jar to the wrong folder? Well, since the Jira DC Helm Charts currently do not specify how to deal with P1 plugins, and using the mechanism for P2 won't work with Jira, chances are you try the additionalLibraries - which leads to the case I described. There is a work-around using additionalVolumeMounts, but that's not documented yet.
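The fail-open check described in the issue, modelled as an added example that is not the plugin's own source: the method names isJira and hasNotPermission come from the issue text, while the placeholder marker class names, the isAdmin stand-in for the product's real admin lookup and the overall layout are assumptions.

```java
// Added example, not the plugin's source: a cut-down model of the permission
// gate the issue describes, in its fail-open form and with the proposed
// preliminary check that makes it fail closed.
public final class MonitoringGate {

    // Product detection by probing the classpath. If the jar sits in tomcat/lib
    // instead of the P1 plugin folder, none of the product classes load.
    // The names below are placeholders, not the products' real marker classes.
    private static boolean present(String marker) {
        try { Class.forName(marker); return true; }
        catch (ClassNotFoundException e) { return false; }
    }
    static boolean isJira()       { return present("PLACEHOLDER.jira.MarkerClass"); }
    static boolean isConfluence() { return present("PLACEHOLDER.confluence.MarkerClass"); }
    static boolean isBitbucket()  { return present("PLACEHOLDER.bitbucket.MarkerClass"); }
    static boolean isBamboo()     { return present("PLACEHOLDER.bamboo.MarkerClass"); }

    // Fail-open form: every product branch is skipped when that product's
    // classes are missing, so the method falls through to "has permission".
    // isAdmin stands in for the product-specific admin check (assumption).
    static boolean hasNotPermissionFailOpen(boolean isAdmin) {
        if (isJira())       return !isAdmin;
        if (isConfluence()) return !isAdmin;
        if (isBitbucket())  return !isAdmin;
        if (isBamboo())     return !isAdmin;
        return false; // unknown runtime: /monitoring is served to anyone
    }

    // Fail-closed form: the preliminary check the issue proposes denies the
    // request whenever no supported product is recognised.
    static boolean hasNotPermissionFailClosed(boolean isAdmin) {
        if (!(isJira() || isConfluence() || isBitbucket() || isBamboo())) {
            return true; // product not recognised: deny
        }
        return !isAdmin;
    }

    public static void main(String[] args) {
        // Run outside any Atlassian product all probes fail, which is exactly
        // the misplaced-jar situation. Evaluate an anonymous caller (isAdmin=false):
        // the fail-open form reports "permitted", the fail-closed form denies.
        System.out.println("fail-open denies anonymous:   " + hasNotPermissionFailOpen(false));
        System.out.println("fail-closed denies anonymous: " + hasNotPermissionFailClosed(false));
    }
}
```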