[TIME-125] Security Risk when selecting the 'User' field on the Time Sheet Report

Issue #125 resolved
Andriy Zhdanov repo owner created an issue

We have downloaded and installed the plugin on a test kit; however, there is a security issue of exposing the complete system user list and e-mails when selecting the 'User' field on the Time Sheet Report, as this exposes the list of ALL users in JIRA and not just those related to a particular project. Do you have a way around this security risk?

Regards,

Jo

By jooldbury/Jo Oldbury on Mon, 20 Dec 2010 08:09:26 -0800

Comments (6)

  1. Andriy Zhdanov reporter

    Could I also ask about the purpose of the "Show summary for filter (id)" in the dashboard's Pivot Table settings, which nobody would be aware of unless they exported a backup and looked inside?

    Thanks

    By jooldbury on Mon, 20 Dec 2010 08:11:03 -0800

  2. Andriy Zhdanov reporter

    1) This is a system field (parameter), and should be common for all similar selectors. I guess it should be aware of permissions.

    2) In 'Show summary for filter (id)' you may want to specify filter Id, similarly to selecting filter in Pivot Report.

    By azhdanov on Mon, 20 Dec 2010 08:45:19 -0800

  3. Andriy Zhdanov reporter

    Thanks for your reply; however, are you able to comment on the following:

    (1) Under normal circumstances only users with project administration permissions would be able to see the complete list of system users; with the plugin, everyone can see the complete list. We are using V4.1.2.

    (2) The fields are not the same - one allows you to input the filter in textual format whereas the other requires that you know the ID given to it by the system.

    Thanks

    By jooldbury on Wed, 22 Dec 2010 01:38:47 -0800

  4. Andriy Zhdanov reporter

    1) Sorry, I can't fix it, this is provided by platform.

    2) Exactly, and it's quite tricky: leave 0 if not using a filter; otherwise set it to the id, which can be found, for example, by using the Pivot report with the desired filter; it is the requestId URL parameter.

    By azhdanov on Wed, 22 Dec 2010 04:23:09 -0800

  5. Andriy Zhdanov reporter

    Oh, this is really a security issue - if a user "guesses" any group name correctly when editing the group timesheet, he will get the whole user list for this group, even when he does not have global permissions to browse users. Is this really provided by the platform?

    By uldis.silins on Mon, 2 Apr 2012 07:15:45 -0700

  6. Andriy Zhdanov reporter

    Fixed security issue (group timesheet will not show anything without browse user permission) in 2.2.9 and 2.3.4.
    Note, the Pivot report may be considered as revealing users too, but I don't think it's worth disabling it similarly to the group timesheet.

    By azhdanov on Sun, 15 Apr 2012 15:50:17 -0700
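The fix described in comment 6, modelled as an added example that is not the plugin's code: the group timesheet resolves group membership only after the caller's 'Browse Users' global permission has been checked, and the check runs before the group name is looked up, so an unauthorised caller gets the same empty result for a real group as for a non-existent one and learns nothing by guessing names (the point raised in comment 5). The users, groups, worklogs, permission name and function names are all constructed for the example; the unchecked function is kept only to show the behaviour the thread reports.

```python
"""Authorization gate for a group timesheet lookup (added example, not plugin code)."""
from dataclasses import dataclass, field

# Constructed name for the global permission that JIRA calls "Browse Users".
BROWSE_USERS = "browse_users"


@dataclass(frozen=True)
class User:
    name: str
    email: str
    global_permissions: frozenset = field(default_factory=frozenset)


# Constructed directory: three users, two groups, a few worklog entries.
USERS = {
    "alice": User("alice", "alice@example.invalid"),
    "bob": User("bob", "bob@example.invalid"),
    "carol": User("carol", "carol@example.invalid", frozenset({BROWSE_USERS})),
}
GROUPS = {
    "jira-developers": ("alice", "bob"),
    "jira-administrators": ("carol",),
}
WORKLOGS = [("alice", 3.0), ("bob", 2.5), ("carol", 1.0), ("alice", 1.5)]


def group_members_unchecked(group_name):
    """Behaviour reported in comment 5: any caller who names a valid group gets its members."""
    return [USERS[n] for n in GROUPS.get(group_name, ())]


def group_members_checked(caller, group_name):
    """Hardened lookup: members are resolved only for callers who may browse users.

    The permission check comes first, before the group name is consulted, so the
    response for an unauthorised caller does not depend on whether the group exists.
    """
    if BROWSE_USERS not in caller.global_permissions:
        return []
    return [USERS[n] for n in GROUPS.get(group_name, ())]


def group_timesheet(caller, group_name):
    """Hours per group member; an empty dict when the caller may not browse users."""
    members = group_members_checked(caller, group_name)
    if not members:
        return {}
    names = {m.name for m in members}
    totals = {}
    for who, hours in WORKLOGS:
        if who in names:
            totals[who] = totals.get(who, 0.0) + hours
    return totals


if __name__ == "__main__":
    # alice has no Browse Users permission: nothing is shown, real group or not.
    print(group_timesheet(USERS["alice"], "jira-developers"))   # {}
    print(group_timesheet(USERS["alice"], "no-such-group"))     # {}
    # carol holds the permission and sees the aggregated timesheet.
    print(group_timesheet(USERS["carol"], "jira-developers"))   # {'alice': 4.5, 'bob': 2.5}
```

Placing the permission check ahead of the group lookup is the part that matters: if the lookup ran first and only the rendering were suppressed, the response time or an error path could still confirm which group names exist.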
