microsoft / PowerPlatformConnectors

This is a repository for Microsoft Power Automate, Power Apps, and Azure Logic Apps connectors
https://aka.ms/connectors
MIT License
975 stars 1.26k forks

JIRA Search (Independent Publisher) issue #2421

Open Arunchaube opened 1 year ago

Arunchaube commented 1 year ago

Api Name - shared_jirasearch

Bug description -

Is this a security bug? (Y/N)

What is the severity of this bug?

influential-eliot commented 3 months ago

Agreed, although it is clear to some, if you go to the details of this connector, the only thing that might indicate that this is not owned by Atlassian is the email address of the contact.

This is really insecure and dangerous, how did this connector get approved?

troystaylor commented 3 months ago

Hi @influential-eliot, I'd refer you to the documentation for the Independent Publisher program: https://learn.microsoft.com/en-us/connectors/custom-connectors/certification-submission-ip These community open-source connectors are certified by Microsoft for the Power Platform makers. They are neither insecure nor dangerous.

influential-eliot commented 3 months ago

Hi @troystaylor, so you're saying that a page in the documentation which looks like this ... [image] ... won't have some folks thinking ... "Huh, he must work for Atlassian, and this is an Atlassian development of some kind?" ... because I know that I did before I did a bit more research on the connector. (which might well be broken according to some of my searches ... but that's not something I'm concerned with right now)

Because I have a funny feeling that the URL for Paul's contact is not:

https://www.atlassian.com/software/jira ... and maybe Paul's Website is not ... https://www.atlassian.com/software/jira ... and possibly ... juuust possibly ... the Privacy Policy for Paul's connector is not located at ... https://www.atlassian.com/legal/privacy-policy

Plus, if the policies of submission allow anyone to submit with data like that, it's an awfully insecure policy up for abuse.

But ... OK ... I'll go just adding any old thing to have access to my company data. Cheers!

troystaylor commented 3 months ago

@influential-eliot I cannot believe you (or the partner you work for) haven't used a public API or an open-source project before. Paul is the publisher of the connector (not the API) and Atlassian is the owner of the API. You are welcome to investigate his connector code (https://github.com/microsoft/PowerPlatformConnectors/blob/dev/independent-publisher-connectors/JiraSearch/apiDefinition.swagger.json), but Microsoft has already done that for you.
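The kind of check a maker could run before granting a third-party connector access to company data, written here as an added example rather than code from the repository or from either commenter: it loads a connector definition, pulls the `info.contact` block and the Website and Privacy policy entries, and reports where those point at a different domain than the publisher's contact email. The sample document is constructed, the `x-ms-connector-metadata` list is assumed to follow the layout used by connectors in this repository, and the two-label domain comparison is a deliberate simplification.

```python
"""Surface publisher-vs-vendor mismatches in a Power Platform connector definition."""
import json
from urllib.parse import urlparse

# Constructed sample in the shape of an Independent Publisher apiDefinition.swagger.json:
# OpenAPI 2.0 `info.contact` plus the repository-style `x-ms-connector-metadata` list.
# Hosts and addresses are illustrative placeholders, not the real connector's values.
SAMPLE_SWAGGER = json.dumps({
    "swagger": "2.0",
    "info": {
        "title": "Example Search (Independent Publisher)",
        "description": "Search issues via the vendor's public REST API.",
        "version": "1.0",
        "contact": {
            "name": "Example Publisher",
            "url": "https://vendor.example/software/product",
            "email": "publisher@independent.example",
        },
    },
    "host": "api.vendor.example",
    "x-ms-connector-metadata": [
        {"propertyName": "Website", "propertyValue": "https://vendor.example/software/product"},
        {"propertyName": "Privacy policy", "propertyValue": "https://vendor.example/legal/privacy-policy"},
        {"propertyName": "Categories", "propertyValue": "Productivity"},
    ],
})


def _host(url):
    """Lower-cased hostname of a URL, or '' when it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    """Last two DNS labels (vendor.example); a simplification that ignores public-suffix rules."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def publisher_metadata(swagger_text):
    """Extract the fields a reviewer sees on the connector details page."""
    doc = json.loads(swagger_text)
    info = doc.get("info", {})
    contact = info.get("contact", {})
    meta = {m.get("propertyName"): m.get("propertyValue", "")
            for m in doc.get("x-ms-connector-metadata", [])}
    return {
        "title": info.get("title", ""),
        "contact_email": contact.get("email", ""),
        "contact_url": contact.get("url", ""),
        "website": meta.get("Website", ""),
        "privacy_policy": meta.get("Privacy policy", ""),
        "api_host": doc.get("host", ""),
    }


def ownership_findings(meta):
    """List every owner-looking URL whose domain differs from the contact email's domain.

    A mismatch is not proof of anything wrong (an independent publisher wrapping a vendor
    API is exactly what the program allows); it is the item a reviewer should look at.
    """
    findings = []
    email = meta["contact_email"].lower()
    email_domain = _registrable(email.split("@")[-1]) if "@" in email else ""
    for label in ("contact_url", "website", "privacy_policy"):
        url = meta[label]
        if url and email_domain and _registrable(_host(url)) != email_domain:
            findings.append(f"{label} points at {_host(url)} but the contact email is under {email_domain}")
    if "(Independent Publisher)" not in meta["title"]:
        findings.append("title lacks the '(Independent Publisher)' suffix")
    return findings


def audit_connector(swagger_text):
    """Return the extracted metadata together with the review findings."""
    meta = publisher_metadata(swagger_text)
    return {"metadata": meta, "findings": ownership_findings(meta)}


if __name__ == "__main__":
    report = audit_connector(SAMPLE_SWAGGER)
    print(f"{report['metadata']['title']} (API host: {report['metadata']['api_host']})")
    for line in report["findings"]:
        print(" -", line)
```

Run against a real definition by replacing `SAMPLE_SWAGGER` with the file contents; three findings on the sample correspond to the three fields the thread complains about, and the title check passes because the suffix is present.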

influential-eliot commented 3 months ago

We're not talking about me, as I evidently have noted that the extension isn't official ... but then you know that, so, I think I'll wait for someone else to contribute to this. Thanks and goodbye.