  1. SR for Jira - Development
  2. SRJIRA-5117

"/listeners/{scriptName}" endpoint allows adding a "projects" parameter of the wrong type via POST REST call

    Details

    • Type: Bug
    • Status: Triage
    • Priority: Low
    • Resolution: Unresolved
    • Affects Version/s: 6.20.0
    • Fix Version/s: None
    • Component/s: Listeners
    • Labels:
      None
    • Critical Points:
      0

      Description

      The endpoint 'http://localhost:8080/jira/rest/scriptrunner-jira/latest/listeners/com.onresolve.scriptrunner.canned.jira.workflow.listeners.CustomListener' allows creating a listener with a wrong value in the "projects" parameter.

      Steps to reproduce:

      1 - With the local debug instance running, run the following cURL command in a terminal:

      curl -u admin:admin 'http://localhost:8080/jira/rest/scriptrunner-jira/latest/listeners/com.onresolve.scriptrunner.canned.jira.workflow.listeners.CustomListener' \
        -H 'Content-Type: application/json' \
        --data-raw '{"FIELD_LISTENER_NOTES":"customListener","projects":[10003],"events":[""],"FIELD_SCRIPT_FILE_OR_SCRIPT":{"script":"log.warn \"test\"","scriptPath":null},"canned-script":"com.onresolve.scriptrunner.canned.jira.workflow.listeners.CustomListener"}' \
        --compressed

      2 - Now go to Script Listeners: the listener was created even with the wrong value in the "projects" parameter.

      3 - Also, the actions to add / edit / delete listeners have now stopped working and the following error is displayed:

       

            People

            Assignee:
            Unassigned
            Reporter:
            bcarlosdacunha Bruno Carlos da Cunha