Class: JiraScan

Inherits:

Object

• Object
• JiraScan

Defined in:

lib/jira_scan.rb

Constant Summary

VERSION =

'0.0.6'.freeze

Class Method Summary

• .detectJiraDashboard(url) ⇒ Boolean

  Check if URL is running Jira using Dashboard page.

• .detectJiraLogin(url) ⇒ Boolean

  Check if URL is running Jira using Login page.

• .devMode(url) ⇒ Boolean

  Check if dev mode is enabled.

• .getDashboards(url) ⇒ Array

  Retrieve list of dashboards.

• .getFieldNamesQueryComponentDefault(url) ⇒ Array

  Retrieve list of field names from QueryComponent!Default.jspa (CVE-2020-14179) jira.atlassian.com/browse/JRASERVER-71536 jira.atlassian.com/browse/JRACLOUD-75661.

• .getFieldNamesQueryComponentJql(url) ⇒ Array

  Retrieve list of field names from QueryComponent!Jql.jspa (CVE-2020-14179) jira.atlassian.com/browse/JRASERVER-71536.

• .getGadgets(url) ⇒ Array

  Retrieve list of installed gadgets jira.atlassian.com/browse/JRASERVER-72613.

• .getLinkedApps(url) ⇒ Array

  Retrieve list of linked applications jira.atlassian.com/browse/JRASERVER-64963 jira.atlassian.com/browse/JRACLOUD-64963.

• .getPopularFilters(url) ⇒ Array

  Retrieve list of popular filters jira.atlassian.com/browse/JRASERVER-23255.

• .getProjectCategories(url) ⇒ Array

  Retrieve list of project categories.

• .getProjects(url) ⇒ Array

  Retrieve list of projects.

• .getResolutions(url) ⇒ Array

  Retrieve list of resolutions.

• .getServerInfo(url) ⇒ Array

  Retrieve Jira software information.

• .getUsersFromUserPickerBrowser(url) ⇒ Array

  Retrieve list of users from UserPickerBrowser.

• .getVersionFromDashboard(url) ⇒ String

  Get Jira version from Dashboard page.

• .getVersionFromLogin(url) ⇒ String

  Get Jira version from Login page.

• .insecure ⇒ Object
• .insecure=(insecure) ⇒ Object
• .logger ⇒ Object
• .logger=(logger) ⇒ Object
• .metaInf(url) ⇒ Boolean

  Check if META-INF contents are accessible (CVE-2019-8442) jira.atlassian.com/browse/JRASERVER-69241.

• .restGroupUserPicker(url) ⇒ Boolean

  Check if unauthenticated access to REST GroupUserPicker is allowed (CVE-2019-8449) jira.atlassian.com/browse/JRASERVER-69796.

• .restUserPicker(url) ⇒ Boolean

  Check if unauthenticated access to REST UserPicker is allowed (CVE-2019-3403) jira.atlassian.com/browse/JRASERVER-69242.

• .sendHttpRequest(url) ⇒ Net::HTTPResponse

  Fetch URL.

• .userPickerBrowser(url) ⇒ Boolean

  Check if unauthenticated access to UserPickerBrowser.jspa is allowed.

• .userRegistration(url) ⇒ Boolean

  Check if account registration is enabled docs.atlassian.com/jira/jsd-docs-045/Configuring+public+signup.

• .userServiceDeskRegistration(url) ⇒ Boolean

  Check if Jira Service Desk (part of Jira Service Management) account registration is enabled docs.atlassian.com/jira/jsd-docs-045/Configuring+public+signup support.atlassian.com/jira-service-management-cloud/docs/customer-permissions-for-your-service-project-and-jira-site/.

• .viewUserHover(url) ⇒ Boolean

  Check if unauthenticated access to ViewUserHover.jspa is allowed (CVE-2020-14181) jira.atlassian.com/browse/JRASERVER-71560.

Class Method Details

.detectJiraDashboard(url) ⇒ Boolean

Check if URL is running Jira using Dashboard page

Parameters:

• URL (String)

Returns:

• (Boolean)

# File 'lib/jira_scan.rb', line 57

def self.detectJiraDashboard(url)
  url += '/' unless url.to_s.end_with? '/'
  res = sendHttpRequest("#{url}secure/Dashboard.jspa")

  return false unless res
  return false unless res.code.to_i == 200

  res.body.to_s.include?('JIRA')
end

.detectJiraLogin(url) ⇒ Boolean

Check if URL is running Jira using Login page

Parameters:

• URL (String)

Returns:

• (Boolean)

# File 'lib/jira_scan.rb', line 40

def self.detectJiraLogin(url)
  url += '/' unless url.to_s.end_with? '/'
  res = sendHttpRequest("#{url}login.jsp")

  return false unless res
  return false unless res.code.to_i == 200

  res.body.to_s.include?('JIRA')
end

.devMode(url) ⇒ Boolean

Check if dev mode is enabled

Parameters:

• URL (String)

Returns:

• (Boolean)

# File 'lib/jira_scan.rb', line 146

def self.devMode(url)
  url += '/' unless url.to_s.end_with? '/'
  res = sendHttpRequest(url)

  return false unless res
  return false unless res.code.to_i == 200

  res.body.to_s.include?('<meta name="ajs-dev-mode" content="true">')
end

.getDashboards(url) ⇒ Array

Retrieve list of dashboards

Parameters:

• URL (String)

Returns:

• (Array) —

  list of dashboards

# File 'lib/jira_scan.rb', line 367

def self.getDashboards(url)
  url += '/' unless url.to_s.end_with? '/'
  max = 1_000
  res = sendHttpRequest("#{url}rest/api/2/dashboard?maxResults=#{max}")

  return [] unless res
  return [] unless res.code.to_i == 200
  return [] unless res.body.to_s.start_with?('{"startAt"')
  return [] unless res.body.to_s.include?('id')
  return [] unless res.body.to_s.include?('name')

  JSON.parse(res.body.to_s, symbolize_names: true)[:dashboards].map { |d| [d[:id], d[:name]] }
rescue
  []
end

.getFieldNamesQueryComponentDefault(url) ⇒ Array

Retrieve list of field names from QueryComponent!Default.jspa (CVE-2020-14179) jira.atlassian.com/browse/JRASERVER-71536 jira.atlassian.com/browse/JRACLOUD-75661

Parameters:

• URL (String)

Returns:

• (Array) —

  list of field names

# File 'lib/jira_scan.rb', line 487

def self.getFieldNamesQueryComponentDefault(url)
  url += '/' unless url.to_s.end_with? '/'
  res = sendHttpRequest("#{url}secure/QueryComponent!Default.jspa")

  return [] unless res
  return [] unless res.code.to_i == 200
  return [] unless res.body.to_s.start_with?('{"searchers"')

  searchers = JSON.parse(res.body.to_s)['searchers']
  return [] if searchers.empty?

  groups = searchers['groups']
  return [] if groups.empty?

  field_names = []
  groups.each do |g|
    g['searchers'].each do |s|
      field_names << s
    end
  end

  JSON.parse(field_names.to_json, symbolize_names: true).map { |f| [f[:name], f[:id], f[:key], f[:isShown].to_s, f[:lastViewed]] }
rescue
  []
end

.getFieldNamesQueryComponentJql(url) ⇒ Array

Retrieve list of field names from QueryComponent!Jql.jspa (CVE-2020-14179) jira.atlassian.com/browse/JRASERVER-71536

Parameters:

• URL (String)

Returns:

• (Array) —

  list of field names

# File 'lib/jira_scan.rb', line 521

def self.getFieldNamesQueryComponentJql(url)
  url += '/' unless url.to_s.end_with? '/'
  res = sendHttpRequest("#{url}secure/QueryComponent!Jql.jspa?jql=")

  return [] unless res
  return [] unless res.code.to_i == 200
  return [] unless res.body.to_s.start_with?('{"searchers"')

  searchers = JSON.parse(res.body.to_s)['searchers']
  return [] if searchers.empty?

  groups = searchers['groups']
  return [] if groups.empty?

  field_names = []
  groups.each do |g|
    g['searchers'].each do |s|
      field_names << s
    end
  end

  JSON.parse(field_names.to_json, symbolize_names: true).map { |f| [f[:name], f[:id], f[:key], f[:isShown].to_s, f[:lastViewed]] }
rescue
  []
end

.getGadgets(url) ⇒ Array

Retrieve list of installed gadgets jira.atlassian.com/browse/JRASERVER-72613

Parameters:

• URL (String)

Returns:

• (Array) —

  list of installed gadgets

# File 'lib/jira_scan.rb', line 284

def self.getGadgets(url)
  url += '/' unless url.to_s.end_with? '/'
  res = sendHttpRequest("#{url}rest/config/1.0/directory.json")

  return [] unless res
  return [] unless res.code.to_i == 200
  return [] unless res.body.to_s.start_with?('{"categories"')

  gadgets = JSON.parse(res.body.to_s)['gadgets']
  return [] if gadgets.empty?

  JSON.parse(gadgets.to_json, symbolize_names: true).map { |g| [g[:title], g[:authorName], g[:authorEmail], g[:description]] }
rescue
  []
end

.getLinkedApps(url) ⇒ Array

Retrieve list of linked applications jira.atlassian.com/browse/JRASERVER-64963 jira.atlassian.com/browse/JRACLOUD-64963

Parameters:

• URL (String)

Returns:

• (Array) —

  list of linked applications

# File 'lib/jira_scan.rb', line 462

def self.getLinkedApps(url)
  url += '/' unless url.to_s.end_with? '/'
  res = sendHttpRequest("#{url}rest/menu/latest/admin")

  return [] unless res
  return [] unless res.code.to_i == 200
  return [] unless res.body.to_s.start_with?('[{"key"')
  return [] unless res.body.to_s.include?('link')
  return [] unless res.body.to_s.include?('label')
  return [] unless res.body.to_s.include?('applicationType')

  JSON.parse(res.body.to_s, symbolize_names: true).map { |r| [r[:link], r[:label], r[:applicationType]] }
rescue
  []
end

.getPopularFilters(url) ⇒ Array

Retrieve list of popular filters jira.atlassian.com/browse/JRASERVER-23255

Parameters:

• URL (String)

Returns:

• (Array) —

  list of popular filters

# File 'lib/jira_scan.rb', line 344

def self.getPopularFilters(url)
  url += '/' unless url.to_s.end_with? '/'
  res = sendHttpRequest("#{url}secure/ManageFilters.jspa?filter=popular&filterView=popular")

  return [] unless res
  return [] unless res.code.to_i == 200
  return [] unless res.body.to_s.include?('<h1>Manage Filters</h1>')

  return res.body.to_s.scan(%r{requestId=\d+">(.+?)</a>}) if res.body.to_s =~ /requestId=\d/
  return res.body.to_s.scan(%r{filter=\d+">(.+?)</a>}) if res.body.to_s =~ /filter=\d/

  []
rescue
  []
end

.getProjectCategories(url) ⇒ Array

Retrieve list of project categories

Parameters:

• URL (String)

Returns:

• (Array) —

  list of project categories

# File 'lib/jira_scan.rb', line 437

def self.getProjectCategories(url)
  url += '/' unless url.to_s.end_with? '/'
  res = sendHttpRequest("#{url}rest/api/2/projectCategory")

  return [] unless res
  return [] unless res.code.to_i == 200
  return [] unless res.body.to_s.start_with?('[{"self"')
  return [] unless res.body.to_s.include?('id')
  return [] unless res.body.to_s.include?('name')
  return [] unless res.body.to_s.include?('description')

  JSON.parse(res.body.to_s, symbolize_names: true).map { |r| [r[:id], r[:name], r[:description]] }
rescue
  []
end

.getProjects(url) ⇒ Array

Retrieve list of projects

Parameters:

• URL (String)

Returns:

• (Array) —

  list of projects

# File 'lib/jira_scan.rb', line 413

def self.getProjects(url)
  url += '/' unless url.to_s.end_with? '/'
  max = 1_000
  res = sendHttpRequest("#{url}rest/api/2/project?maxResults=#{max}")

  return [] unless res
  return [] unless res.code.to_i == 200
  return [] unless res.body.to_s.start_with?('[{"expand"')
  return [] unless res.body.to_s.include?('id')
  return [] unless res.body.to_s.include?('key')
  return [] unless res.body.to_s.include?('name')

  JSON.parse(res.body.to_s, symbolize_names: true).map { |r| [r[:id], r[:key], r[:name]] }
rescue
  []
end

.getResolutions(url) ⇒ Array

Retrieve list of resolutions

Parameters:

• URL (String)

Returns:

• (Array) —

  list of resolutions

# File 'lib/jira_scan.rb', line 390

def self.getResolutions(url)
  url += '/' unless url.to_s.end_with? '/'
  res = sendHttpRequest("#{url}rest/api/2/resolution")

  return [] unless res
  return [] unless res.code.to_i == 200
  return [] unless res.body.to_s.start_with?('[{"self"')
  return [] unless res.body.to_s.include?('id')
  return [] unless res.body.to_s.include?('name')
  return [] unless res.body.to_s.include?('description')

  JSON.parse(res.body.to_s, symbolize_names: true).map { |r| [r[:id], r[:name], r[:description]] }
rescue
  []
end

.getServerInfo(url) ⇒ Array

Retrieve Jira software information

Parameters:

• URL (String)

Returns:

• (Array) —

  Jira software information

# File 'lib/jira_scan.rb', line 126

def self.getServerInfo(url)
  url += '/' unless url.to_s.end_with? '/'
  res = sendHttpRequest("#{url}rest/api/latest/serverInfo")

  return [] unless res
  return [] unless res.code.to_i == 200
  return [] unless res.body.to_s.start_with?('{"baseUrl"')

  JSON.parse(res.body.to_s, symbolize_names: true)
rescue
  []
end

.getUsersFromUserPickerBrowser(url) ⇒ Array

Retrieve list of users from UserPickerBrowser

Parameters:

• URL (String)

Returns:

• (Array) —

  list of first 1,000 users

# File 'lib/jira_scan.rb', line 217

def self.getUsersFromUserPickerBrowser(url)
  url += '/' unless url.to_s.end_with? '/'
  max = 1_000
  res = sendHttpRequest("#{url}secure/popups/UserPickerBrowser.jspa?max=#{max}")

  return [] unless res && res.code.to_i == 200 && res.body.to_s.include?('<h1>User Picker</h1>')

  users = []
  if res.body.to_s.include? 'cell-type-email'
    res.body.to_s.scan(%r{<td data-cell-type="name" class="user-name">(.*?)</td>\s+<td data-cell-type="fullname" >(.*?)</td>\s+<td data-cell-type="email" class="cell-type-email">(.*?)</td>}m).each do |u|
      users << u
    end
  else
    res.body.to_s.scan(%r{<td data-cell-type="name" class="user-name">(.*?)</td>\s+<td data-cell-type="fullname" >(.*?)</td>}m).each do |u|
      users << u
    end
  end

  users
rescue
  []
end

.getVersionFromDashboard(url) ⇒ String

Get Jira version from Dashboard page

Parameters:

• URL (String)

Returns:

• (String) —

  Jira version

# File 'lib/jira_scan.rb', line 74

def self.getVersionFromDashboard(url)
  url += '/' unless url.to_s.end_with? '/'
  res = sendHttpRequest("#{url}secure/Dashboard.jspa")

  return unless res
  return unless res.code.to_i == 200

  version = res.body.to_s.scan(%r{<meta name="ajs-version-number" content="([\d\.]+)">}).flatten.first
  build = res.body.to_s.scan(%r{<meta name="ajs-build-number" content="(\d+)">}).flatten.first

  unless version && build
    return unless res.body.to_s =~ /Version: ([\d\.]+)-#(\d+)/
    version = Regexp.last_match(1)
    build = Regexp.last_match(2)
  end

  "#{version}-##{build}"
end

.getVersionFromLogin(url) ⇒ String

Get Jira version from Login page

Parameters:

• URL (String)

Returns:

• (String) —

  Jira version

# File 'lib/jira_scan.rb', line 100

def self.getVersionFromLogin(url)
  url += '/' unless url.to_s.end_with? '/'
  res = sendHttpRequest("#{url}login.jsp")

  return unless res
  return unless res.code.to_i == 200

  version = res.body.to_s.scan(%r{<meta name="ajs-version-number" content="([\d\.]+)">}).flatten.first
  build = res.body.to_s.scan(%r{<meta name="ajs-build-number" content="(\d+)">}).flatten.first

  unless version && build
    return unless res.body.to_s =~ /Version: ([\d\.]+)-#(\d+)/
    version = Regexp.last_match(1)
    build = Regexp.last_match(2)
  end

  "#{version}-##{build}"
end

.insecure ⇒ Object

# File 'lib/jira_scan.rb', line 25

def self.insecure
  @insecure ||= false
end

.insecure=(insecure) ⇒ Object

# File 'lib/jira_scan.rb', line 29

def self.insecure=(insecure)
  @insecure = insecure
end

.logger ⇒ Object

# File 'lib/jira_scan.rb', line 17

def self.logger
  @logger
end

.logger=(logger) ⇒ Object

# File 'lib/jira_scan.rb', line 21

def self.logger=(logger)
  @logger = logger
end

.metaInf(url) ⇒ Boolean

Check if META-INF contents are accessible (CVE-2019-8442) jira.atlassian.com/browse/JRASERVER-69241

Parameters:

• URL (String)

Returns:

• (Boolean)

# File 'lib/jira_scan.rb', line 326

def self.metaInf(url)
  url += '/' unless url.to_s.end_with? '/'
  res = sendHttpRequest("#{url}s/#{rand(36**6).to_s(36)}/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml")

  return false unless res
  return false unless res.code.to_i == 200

  res.body.to_s.start_with?('<project')
end

.restGroupUserPicker(url) ⇒ Boolean

Check if unauthenticated access to REST GroupUserPicker is allowed (CVE-2019-8449) jira.atlassian.com/browse/JRASERVER-69796

Parameters:

• URL (String)

Returns:

• (Boolean)

# File 'lib/jira_scan.rb', line 266

def self.restGroupUserPicker(url)
  url += '/' unless url.to_s.end_with? '/'
  res = sendHttpRequest("#{url}rest/api/2/groupuserpicker")

  return false unless res
  return false unless res.code.to_i == 400

  res.body.to_s.include?('The username query parameter was not provided')
end

.restUserPicker(url) ⇒ Boolean

Check if unauthenticated access to REST UserPicker is allowed (CVE-2019-3403) jira.atlassian.com/browse/JRASERVER-69242

Parameters:

• URL (String)

Returns:

• (Boolean)

# File 'lib/jira_scan.rb', line 248

def self.restUserPicker(url)
  url += '/' unless url.to_s.end_with? '/'
  res = sendHttpRequest("#{url}rest/api/2/user/picker")

  return false unless res
  return false unless res.code.to_i == 400

  res.body.to_s.include?('The username query parameter was not provided')
end

.sendHttpRequest(url) ⇒ Net::HTTPResponse

Fetch URL

Parameters:

• URL (String)

Returns:

• (Net::HTTPResponse) —

  HTTP response

# File 'lib/jira_scan.rb', line 554

def self.sendHttpRequest(url)
  target = URI.parse(url)
  @logger.info("Fetching #{target}")

  http = Net::HTTP.new(target.host, target.port)
  if target.scheme.to_s.eql?('https')
    http.use_ssl = true
    http.verify_mode = @insecure ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
  end
  http.open_timeout = 20
  http.read_timeout = 20
  headers = {}
  headers['User-Agent'] = "JiraScan/#{VERSION}"
  headers['Accept-Encoding'] = 'gzip,deflate'

  begin
    res = http.request(Net::HTTP::Get.new(target, headers.to_hash))
    if res.body && res['Content-Encoding'].eql?('gzip')
      sio = StringIO.new(res.body)
      gz = Zlib::GzipReader.new(sio)
      res.body = gz.read
    end
  rescue Timeout::Error, Errno::ETIMEDOUT
    @logger.error("Could not retrieve URL #{target}: Timeout")
    return nil
  rescue => e
    @logger.error("Could not retrieve URL #{target}: #{e}")
    return nil
  end
  @logger.info("Received reply (#{res.body.length} bytes)")
  res
end

.userPickerBrowser(url) ⇒ Boolean

Check if unauthenticated access to UserPickerBrowser.jspa is allowed

Parameters:

• URL (String)

Returns:

• (Boolean)

# File 'lib/jira_scan.rb', line 200

def self.userPickerBrowser(url)
  url += '/' unless url.to_s.end_with? '/'
  res = sendHttpRequest("#{url}secure/popups/UserPickerBrowser.jspa")

  return false unless res
  return false unless res.code.to_i == 200

  res.body.to_s.include?('<h1>User Picker</h1>')
end

.userRegistration(url) ⇒ Boolean

Check if account registration is enabled docs.atlassian.com/jira/jsd-docs-045/Configuring+public+signup

Parameters:

• URL (String)

Returns:

• (Boolean)

# File 'lib/jira_scan.rb', line 164

def self.userRegistration(url)
  url += '/' unless url.to_s.end_with? '/'
  res = sendHttpRequest("#{url}secure/Signup!default.jspa")

  return false unless res
  return false unless res.code.to_i == 200

  res.body.to_s.include?('<h1>Sign up</h1>')
end

.userServiceDeskRegistration(url) ⇒ Boolean

Check if Jira Service Desk (part of Jira Service Management) account registration is enabled docs.atlassian.com/jira/jsd-docs-045/Configuring+public+signup support.atlassian.com/jira-service-management-cloud/docs/customer-permissions-for-your-service-project-and-jira-site/

Parameters:

• URL (String)

Returns:

• (Boolean)

# File 'lib/jira_scan.rb', line 183

def self.userServiceDeskRegistration(url)
  url += '/' unless url.to_s.end_with? '/'
  res = sendHttpRequest("#{url}servicedesk/customer/user/signup")

  return false unless res
  return false unless res.code.to_i == 200

  res.body.to_s.include?('serviceDeskVersion') || res.body.to_s.include?('com.atlassian.servicedesk')
end

.viewUserHover(url) ⇒ Boolean

Check if unauthenticated access to ViewUserHover.jspa is allowed (CVE-2020-14181) jira.atlassian.com/browse/JRASERVER-71560

Parameters:

• URL (String)

Returns:

• (Boolean)

# File 'lib/jira_scan.rb', line 308

def self.viewUserHover(url)
  url += '/' unless url.to_s.end_with? '/'
  res = sendHttpRequest("#{url}secure/ViewUserHover.jspa")

  return false unless res
  return false unless res.code.to_i == 200

  res.body.to_s.include?('User does not exist')
end