Class: JiraScan
- Inherits:
-
Object
- Object
- JiraScan
- Defined in:
- lib/jira_scan.rb
Constant Summary collapse
- VERSION =
'0.0.6'.freeze
Class Method Summary collapse
-
.detectJiraDashboard(url) ⇒ Boolean
Check if URL is running Jira using Dashboard page.
-
.detectJiraLogin(url) ⇒ Boolean
Check if URL is running Jira using Login page.
-
.devMode(url) ⇒ Boolean
Check if dev mode is enabled.
-
.getDashboards(url) ⇒ Array
Retrieve list of dashboards.
-
.getFieldNamesQueryComponentDefault(url) ⇒ Array
Retrieve list of field names from QueryComponent!Default.jspa (CVE-2020-14179) jira.atlassian.com/browse/JRASERVER-71536 jira.atlassian.com/browse/JRACLOUD-75661.
-
.getFieldNamesQueryComponentJql(url) ⇒ Array
Retrieve list of field names from QueryComponent!Jql.jspa (CVE-2020-14179) jira.atlassian.com/browse/JRASERVER-71536.
-
.getGadgets(url) ⇒ Array
Retrieve list of installed gadgets jira.atlassian.com/browse/JRASERVER-72613.
-
.getLinkedApps(url) ⇒ Array
Retrieve list of linked applications jira.atlassian.com/browse/JRASERVER-64963 jira.atlassian.com/browse/JRACLOUD-64963.
-
.getPopularFilters(url) ⇒ Array
Retrieve list of popular filters jira.atlassian.com/browse/JRASERVER-23255.
-
.getProjectCategories(url) ⇒ Array
Retrieve list of project categories.
-
.getProjects(url) ⇒ Array
Retrieve list of projects.
-
.getResolutions(url) ⇒ Array
Retrieve list of resolutions.
-
.getServerInfo(url) ⇒ Array
Retrieve Jira software information.
-
.getUsersFromUserPickerBrowser(url) ⇒ Array
Retrieve list of users from UserPickerBrowser.
-
.getVersionFromDashboard(url) ⇒ String
Get Jira version from Dashboard page.
-
.getVersionFromLogin(url) ⇒ String
Get Jira version from Login page.
- .insecure ⇒ Object
- .insecure=(insecure) ⇒ Object
- .logger ⇒ Object
- .logger=(logger) ⇒ Object
-
.metaInf(url) ⇒ Boolean
Check if META-INF contents are accessible (CVE-2019-8442) jira.atlassian.com/browse/JRASERVER-69241.
-
.restGroupUserPicker(url) ⇒ Boolean
Check if unauthenticated access to REST GroupUserPicker is allowed (CVE-2019-8449) jira.atlassian.com/browse/JRASERVER-69796.
-
.restUserPicker(url) ⇒ Boolean
Check if unauthenticated access to REST UserPicker is allowed (CVE-2019-3403) jira.atlassian.com/browse/JRASERVER-69242.
-
.sendHttpRequest(url) ⇒ Net::HTTPResponse
Fetch URL.
-
.userPickerBrowser(url) ⇒ Boolean
Check if unauthenticated access to UserPickerBrowser.jspa is allowed.
-
.userRegistration(url) ⇒ Boolean
Check if account registration is enabled docs.atlassian.com/jira/jsd-docs-045/Configuring+public+signup.
-
.userServiceDeskRegistration(url) ⇒ Boolean
Check if Jira Service Desk (part of Jira Service Management) account registration is enabled docs.atlassian.com/jira/jsd-docs-045/Configuring+public+signup support.atlassian.com/jira-service-management-cloud/docs/customer-permissions-for-your-service-project-and-jira-site/.
-
.viewUserHover(url) ⇒ Boolean
Check if unauthenticated access to ViewUserHover.jspa is allowed (CVE-2020-14181) jira.atlassian.com/browse/JRASERVER-71560.
Class Method Details
.detectJiraDashboard(url) ⇒ Boolean
Check if URL is running Jira using Dashboard page
57 58 59 60 61 62 63 64 65 |
# File 'lib/jira_scan.rb', line 57 def self.detectJiraDashboard(url) url += '/' unless url.to_s.end_with? '/' res = sendHttpRequest("#{url}secure/Dashboard.jspa") return false unless res return false unless res.code.to_i == 200 res.body.to_s.include?('JIRA') end |
.detectJiraLogin(url) ⇒ Boolean
Check if URL is running Jira using Login page
40 41 42 43 44 45 46 47 48 |
# File 'lib/jira_scan.rb', line 40 def self.detectJiraLogin(url) url += '/' unless url.to_s.end_with? '/' res = sendHttpRequest("#{url}login.jsp") return false unless res return false unless res.code.to_i == 200 res.body.to_s.include?('JIRA') end |
.devMode(url) ⇒ Boolean
Check if dev mode is enabled
146 147 148 149 150 151 152 153 154 |
# File 'lib/jira_scan.rb', line 146 def self.devMode(url) url += '/' unless url.to_s.end_with? '/' res = sendHttpRequest(url) return false unless res return false unless res.code.to_i == 200 res.body.to_s.include?('<meta name="ajs-dev-mode" content="true">') end |
.getDashboards(url) ⇒ Array
Retrieve list of dashboards
367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 |
# File 'lib/jira_scan.rb', line 367 def self.getDashboards(url) url += '/' unless url.to_s.end_with? '/' max = 1_000 res = sendHttpRequest("#{url}rest/api/2/dashboard?maxResults=#{max}") return [] unless res return [] unless res.code.to_i == 200 return [] unless res.body.to_s.start_with?('{"startAt"') return [] unless res.body.to_s.include?('id') return [] unless res.body.to_s.include?('name') JSON.parse(res.body.to_s, symbolize_names: true)[:dashboards].map { |d| [d[:id], d[:name]] } rescue [] end |
.getFieldNamesQueryComponentDefault(url) ⇒ Array
Retrieve list of field names from QueryComponent!Default.jspa (CVE-2020-14179) jira.atlassian.com/browse/JRASERVER-71536 jira.atlassian.com/browse/JRACLOUD-75661
487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 |
# File 'lib/jira_scan.rb', line 487 def self.getFieldNamesQueryComponentDefault(url) url += '/' unless url.to_s.end_with? '/' res = sendHttpRequest("#{url}secure/QueryComponent!Default.jspa") return [] unless res return [] unless res.code.to_i == 200 return [] unless res.body.to_s.start_with?('{"searchers"') searchers = JSON.parse(res.body.to_s)['searchers'] return [] if searchers.empty? groups = searchers['groups'] return [] if groups.empty? field_names = [] groups.each do |g| g['searchers'].each do |s| field_names << s end end JSON.parse(field_names.to_json, symbolize_names: true).map { |f| [f[:name], f[:id], f[:key], f[:isShown].to_s, f[:lastViewed]] } rescue [] end |
.getFieldNamesQueryComponentJql(url) ⇒ Array
Retrieve list of field names from QueryComponent!Jql.jspa (CVE-2020-14179) jira.atlassian.com/browse/JRASERVER-71536
521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 |
# File 'lib/jira_scan.rb', line 521 def self.getFieldNamesQueryComponentJql(url) url += '/' unless url.to_s.end_with? '/' res = sendHttpRequest("#{url}secure/QueryComponent!Jql.jspa?jql=") return [] unless res return [] unless res.code.to_i == 200 return [] unless res.body.to_s.start_with?('{"searchers"') searchers = JSON.parse(res.body.to_s)['searchers'] return [] if searchers.empty? groups = searchers['groups'] return [] if groups.empty? field_names = [] groups.each do |g| g['searchers'].each do |s| field_names << s end end JSON.parse(field_names.to_json, symbolize_names: true).map { |f| [f[:name], f[:id], f[:key], f[:isShown].to_s, f[:lastViewed]] } rescue [] end |
.getGadgets(url) ⇒ Array
Retrieve list of installed gadgets jira.atlassian.com/browse/JRASERVER-72613
284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 |
# File 'lib/jira_scan.rb', line 284 def self.getGadgets(url) url += '/' unless url.to_s.end_with? '/' res = sendHttpRequest("#{url}rest/config/1.0/directory.json") return [] unless res return [] unless res.code.to_i == 200 return [] unless res.body.to_s.start_with?('{"categories"') gadgets = JSON.parse(res.body.to_s)['gadgets'] return [] if gadgets.empty? JSON.parse(gadgets.to_json, symbolize_names: true).map { |g| [g[:title], g[:authorName], g[:authorEmail], g[:description]] } rescue [] end |
.getLinkedApps(url) ⇒ Array
Retrieve list of linked applications jira.atlassian.com/browse/JRASERVER-64963 jira.atlassian.com/browse/JRACLOUD-64963
462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 |
# File 'lib/jira_scan.rb', line 462 def self.getLinkedApps(url) url += '/' unless url.to_s.end_with? '/' res = sendHttpRequest("#{url}rest/menu/latest/admin") return [] unless res return [] unless res.code.to_i == 200 return [] unless res.body.to_s.start_with?('[{"key"') return [] unless res.body.to_s.include?('link') return [] unless res.body.to_s.include?('label') return [] unless res.body.to_s.include?('applicationType') JSON.parse(res.body.to_s, symbolize_names: true).map { |r| [r[:link], r[:label], r[:applicationType]] } rescue [] end |
.getPopularFilters(url) ⇒ Array
Retrieve list of popular filters jira.atlassian.com/browse/JRASERVER-23255
344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 |
# File 'lib/jira_scan.rb', line 344 def self.getPopularFilters(url) url += '/' unless url.to_s.end_with? '/' res = sendHttpRequest("#{url}secure/ManageFilters.jspa?filter=popular&filterView=popular") return [] unless res return [] unless res.code.to_i == 200 return [] unless res.body.to_s.include?('<h1>Manage Filters</h1>') return res.body.to_s.scan(%r{requestId=\d+">(.+?)</a>}) if res.body.to_s =~ /requestId=\d/ return res.body.to_s.scan(%r{filter=\d+">(.+?)</a>}) if res.body.to_s =~ /filter=\d/ [] rescue [] end |
.getProjectCategories(url) ⇒ Array
Retrieve list of project categories
437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 |
# File 'lib/jira_scan.rb', line 437 def self.getProjectCategories(url) url += '/' unless url.to_s.end_with? '/' res = sendHttpRequest("#{url}rest/api/2/projectCategory") return [] unless res return [] unless res.code.to_i == 200 return [] unless res.body.to_s.start_with?('[{"self"') return [] unless res.body.to_s.include?('id') return [] unless res.body.to_s.include?('name') return [] unless res.body.to_s.include?('description') JSON.parse(res.body.to_s, symbolize_names: true).map { |r| [r[:id], r[:name], r[:description]] } rescue [] end |
.getProjects(url) ⇒ Array
Retrieve list of projects
413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 |
# File 'lib/jira_scan.rb', line 413 def self.getProjects(url) url += '/' unless url.to_s.end_with? '/' max = 1_000 res = sendHttpRequest("#{url}rest/api/2/project?maxResults=#{max}") return [] unless res return [] unless res.code.to_i == 200 return [] unless res.body.to_s.start_with?('[{"expand"') return [] unless res.body.to_s.include?('id') return [] unless res.body.to_s.include?('key') return [] unless res.body.to_s.include?('name') JSON.parse(res.body.to_s, symbolize_names: true).map { |r| [r[:id], r[:key], r[:name]] } rescue [] end |
.getResolutions(url) ⇒ Array
Retrieve list of resolutions
390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 |
# File 'lib/jira_scan.rb', line 390 def self.getResolutions(url) url += '/' unless url.to_s.end_with? '/' res = sendHttpRequest("#{url}rest/api/2/resolution") return [] unless res return [] unless res.code.to_i == 200 return [] unless res.body.to_s.start_with?('[{"self"') return [] unless res.body.to_s.include?('id') return [] unless res.body.to_s.include?('name') return [] unless res.body.to_s.include?('description') JSON.parse(res.body.to_s, symbolize_names: true).map { |r| [r[:id], r[:name], r[:description]] } rescue [] end |
.getServerInfo(url) ⇒ Array
Retrieve Jira software information
126 127 128 129 130 131 132 133 134 135 136 137 |
# File 'lib/jira_scan.rb', line 126 def self.getServerInfo(url) url += '/' unless url.to_s.end_with? '/' res = sendHttpRequest("#{url}rest/api/latest/serverInfo") return [] unless res return [] unless res.code.to_i == 200 return [] unless res.body.to_s.start_with?('{"baseUrl"') JSON.parse(res.body.to_s, symbolize_names: true) rescue [] end |
.getUsersFromUserPickerBrowser(url) ⇒ Array
Retrieve list of users from UserPickerBrowser
217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 |
# File 'lib/jira_scan.rb', line 217 def self.getUsersFromUserPickerBrowser(url) url += '/' unless url.to_s.end_with? '/' max = 1_000 res = sendHttpRequest("#{url}secure/popups/UserPickerBrowser.jspa?max=#{max}") return [] unless res && res.code.to_i == 200 && res.body.to_s.include?('<h1>User Picker</h1>') users = [] if res.body.to_s.include? 'cell-type-email' res.body.to_s.scan(%r{<td data-cell-type="name" class="user-name">(.*?)</td>\s+<td data-cell-type="fullname" >(.*?)</td>\s+<td data-cell-type="email" class="cell-type-email">(.*?)</td>}m).each do |u| users << u end else res.body.to_s.scan(%r{<td data-cell-type="name" class="user-name">(.*?)</td>\s+<td data-cell-type="fullname" >(.*?)</td>}m).each do |u| users << u end end users rescue [] end |
.getVersionFromDashboard(url) ⇒ String
Get Jira version from Dashboard page
74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 |
# File 'lib/jira_scan.rb', line 74 def self.getVersionFromDashboard(url) url += '/' unless url.to_s.end_with? '/' res = sendHttpRequest("#{url}secure/Dashboard.jspa") return unless res return unless res.code.to_i == 200 version = res.body.to_s.scan(%r{<meta name="ajs-version-number" content="([\d\.]+)">}).flatten.first build = res.body.to_s.scan(%r{<meta name="ajs-build-number" content="(\d+)">}).flatten.first unless version && build return unless res.body.to_s =~ /Version: ([\d\.]+)-#(\d+)/ version = Regexp.last_match(1) build = Regexp.last_match(2) end "#{version}-##{build}" end |
.getVersionFromLogin(url) ⇒ String
Get Jira version from Login page
100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 |
# File 'lib/jira_scan.rb', line 100 def self.getVersionFromLogin(url) url += '/' unless url.to_s.end_with? '/' res = sendHttpRequest("#{url}login.jsp") return unless res return unless res.code.to_i == 200 version = res.body.to_s.scan(%r{<meta name="ajs-version-number" content="([\d\.]+)">}).flatten.first build = res.body.to_s.scan(%r{<meta name="ajs-build-number" content="(\d+)">}).flatten.first unless version && build return unless res.body.to_s =~ /Version: ([\d\.]+)-#(\d+)/ version = Regexp.last_match(1) build = Regexp.last_match(2) end "#{version}-##{build}" end |
.insecure ⇒ Object
25 26 27 |
# File 'lib/jira_scan.rb', line 25 def self.insecure @insecure ||= false end |
.insecure=(insecure) ⇒ Object
29 30 31 |
# File 'lib/jira_scan.rb', line 29 def self.insecure=(insecure) @insecure = insecure end |
.logger ⇒ Object
17 18 19 |
# File 'lib/jira_scan.rb', line 17 def self.logger @logger end |
.logger=(logger) ⇒ Object
21 22 23 |
# File 'lib/jira_scan.rb', line 21 def self.logger=(logger) @logger = logger end |
.metaInf(url) ⇒ Boolean
Check if META-INF contents are accessible (CVE-2019-8442) jira.atlassian.com/browse/JRASERVER-69241
326 327 328 329 330 331 332 333 334 |
# File 'lib/jira_scan.rb', line 326 def self.(url) url += '/' unless url.to_s.end_with? '/' res = sendHttpRequest("#{url}s/#{rand(36**6).to_s(36)}/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml") return false unless res return false unless res.code.to_i == 200 res.body.to_s.start_with?('<project') end |
.restGroupUserPicker(url) ⇒ Boolean
Check if unauthenticated access to REST GroupUserPicker is allowed (CVE-2019-8449) jira.atlassian.com/browse/JRASERVER-69796
266 267 268 269 270 271 272 273 274 |
# File 'lib/jira_scan.rb', line 266 def self.restGroupUserPicker(url) url += '/' unless url.to_s.end_with? '/' res = sendHttpRequest("#{url}rest/api/2/groupuserpicker") return false unless res return false unless res.code.to_i == 400 res.body.to_s.include?('The username query parameter was not provided') end |
.restUserPicker(url) ⇒ Boolean
Check if unauthenticated access to REST UserPicker is allowed (CVE-2019-3403) jira.atlassian.com/browse/JRASERVER-69242
248 249 250 251 252 253 254 255 256 |
# File 'lib/jira_scan.rb', line 248 def self.restUserPicker(url) url += '/' unless url.to_s.end_with? '/' res = sendHttpRequest("#{url}rest/api/2/user/picker") return false unless res return false unless res.code.to_i == 400 res.body.to_s.include?('The username query parameter was not provided') end |
.sendHttpRequest(url) ⇒ Net::HTTPResponse
Fetch URL
554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 |
# File 'lib/jira_scan.rb', line 554 def self.sendHttpRequest(url) target = URI.parse(url) @logger.info("Fetching #{target}") http = Net::HTTP.new(target.host, target.port) if target.scheme.to_s.eql?('https') http.use_ssl = true http.verify_mode = @insecure ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER end http.open_timeout = 20 http.read_timeout = 20 headers = {} headers['User-Agent'] = "JiraScan/#{VERSION}" headers['Accept-Encoding'] = 'gzip,deflate' begin res = http.request(Net::HTTP::Get.new(target, headers.to_hash)) if res.body && res['Content-Encoding'].eql?('gzip') sio = StringIO.new(res.body) gz = Zlib::GzipReader.new(sio) res.body = gz.read end rescue Timeout::Error, Errno::ETIMEDOUT @logger.error("Could not retrieve URL #{target}: Timeout") return nil rescue => e @logger.error("Could not retrieve URL #{target}: #{e}") return nil end @logger.info("Received reply (#{res.body.length} bytes)") res end |
.userPickerBrowser(url) ⇒ Boolean
Check if unauthenticated access to UserPickerBrowser.jspa is allowed
200 201 202 203 204 205 206 207 208 |
# File 'lib/jira_scan.rb', line 200 def self.userPickerBrowser(url) url += '/' unless url.to_s.end_with? '/' res = sendHttpRequest("#{url}secure/popups/UserPickerBrowser.jspa") return false unless res return false unless res.code.to_i == 200 res.body.to_s.include?('<h1>User Picker</h1>') end |
.userRegistration(url) ⇒ Boolean
Check if account registration is enabled docs.atlassian.com/jira/jsd-docs-045/Configuring+public+signup
164 165 166 167 168 169 170 171 172 |
# File 'lib/jira_scan.rb', line 164 def self.userRegistration(url) url += '/' unless url.to_s.end_with? '/' res = sendHttpRequest("#{url}secure/Signup!default.jspa") return false unless res return false unless res.code.to_i == 200 res.body.to_s.include?('<h1>Sign up</h1>') end |
.userServiceDeskRegistration(url) ⇒ Boolean
Check if Jira Service Desk (part of Jira Service Management) account registration is enabled docs.atlassian.com/jira/jsd-docs-045/Configuring+public+signup support.atlassian.com/jira-service-management-cloud/docs/customer-permissions-for-your-service-project-and-jira-site/
183 184 185 186 187 188 189 190 191 |
# File 'lib/jira_scan.rb', line 183 def self.userServiceDeskRegistration(url) url += '/' unless url.to_s.end_with? '/' res = sendHttpRequest("#{url}servicedesk/customer/user/signup") return false unless res return false unless res.code.to_i == 200 res.body.to_s.include?('serviceDeskVersion') || res.body.to_s.include?('com.atlassian.servicedesk') end |
.viewUserHover(url) ⇒ Boolean
Check if unauthenticated access to ViewUserHover.jspa is allowed (CVE-2020-14181) jira.atlassian.com/browse/JRASERVER-71560
308 309 310 311 312 313 314 315 316 |
# File 'lib/jira_scan.rb', line 308 def self.viewUserHover(url) url += '/' unless url.to_s.end_with? '/' res = sendHttpRequest("#{url}secure/ViewUserHover.jspa") return false unless res return false unless res.code.to_i == 200 res.body.to_s.include?('User does not exist') end |