Skip to content

security: pin Jira attachment download to the configured Jira host#12

Draft
tuyen-at-work with Copilot wants to merge 2 commits into
mainfrom
copilot/fix-jira-attachment-download-issue
Draft

security: pin Jira attachment download to the configured Jira host#12
tuyen-at-work with Copilot wants to merge 2 commits into
mainfrom
copilot/fix-jira-attachment-download-issue

Conversation

Copilot AI commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

downloadJiraAttachments sent the Jira Basic-auth header (email:PAT) to attachment.content — a URL taken verbatim from attacker-influenceable API metadata — with no host validation, allowing PAT exfiltration to an arbitrary host and SSRF against internal endpoints. GitHub and ADO providers already pin their hosts; Jira did not.

Changes

  • provider-jira.ts: Added assertSameJiraHost(), invoked per attachment before any auth header is sent. It rejects the content URL unless it parses cleanly, uses https:, and its host matches the configured JIRA_BASE_URL host.
  • provider-jira.test.ts (new): Regression tests mocking requestJson/requestBinary — off-host and non-HTTPS content URLs are rejected and assert requestBinary is never called; a valid on-host HTTPS URL is downloaded.
for (const attachment of images) {
  assertSameJiraHost(attachment.content); // throws before requestBinary sends the PAT
  const safeName = basename(attachment.filename);
  const outputPath = join(outputDir, safeName);
  const bytesWritten = await requestBinary(attachment.content, headers, outputPath);
  ...
}

Notes

  • Enforces https: in addition to host match, closing credential-over-cleartext downgrades.
  • Aligns with the allowlist mandate in skills/security/SKILL.md and the existing GitHub/ADO host-pinning pattern.

Copilot AI changed the title [WIP] Fix Jira attachment download without host validation security: pin Jira attachment download to the configured Jira host Jul 6, 2026
Copilot AI requested a review from tuyen-at-work July 6, 2026 03:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

security: Jira attachment download replays PAT to an API-supplied URL without host validation

2 participants