Add an option to define a domain name allow list for the Jira connect integration

Due to security reasons we do not like any Jira domain being able to connect, and therefore I made a little patch to restrict the domains with an allowlist, e.g. within http://127.0.0.1:3000/admin/application_settings/network

WDYT?

patch with allow list
diff --git a/app/controllers/jira_connect/events_controller.rb b/app/controllers/jira_connect/events_controller.rb
index daad2f5e2ab8..f9471d0d3e26 100644
--- a/app/controllers/jira_connect/events_controller.rb
+++ b/app/controllers/jira_connect/events_controller.rb
@@ -6,7 +6,22 @@ class JiraConnect::EventsController < JiraConnect::ApplicationController
   skip_before_action :verify_atlassian_jwt!
   before_action :verify_asymmetric_atlassian_jwt!
 
+  def check_valid_domain(base_url)
+    require 'uri'
+    domain = URI(base_url).host
+    return false unless domain.to_s.end_with?("atlassian.net") # maybe not needed and just part of the defined allow list
+
+    ## some logic here to get the settings for the allow list
+    if (...)
+      true
+
+    false
+  end
+
   def installed
+    head :unprocessable_entity unless check_valid_domain(params["baseUrl"])
     success = current_jira_installation ? update_installation : create_installation
 
     if success
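Review bot: `check_valid_domain` in this hunk is not valid Ruby and would not restrict anything as written: the `if (...)` placeholder has no `end`, and the `true` on the line after it is never returned because the method falls through to `false`. In `installed`, `head :unprocessable_entity unless check_valid_domain(params["baseUrl"])` does not stop the action, so `create_installation` still runs for a rejected domain before Rails raises on the second render; write it as `return head :unprocessable_entity unless check_valid_domain(params["baseUrl"])`. The host check `domain.to_s.end_with?("atlassian.net")` also accepts hosts such as `evilatlassian.net`, and `URI(base_url)` raises on a missing or malformed `baseUrl` instead of returning false; compare the host exactly against the allow list entries (or against a `.atlassian.net` suffix that includes the leading dot) and rescue `URI::InvalidURIError`. The `require 'uri'` inside the method is unnecessary under Rails.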
-- 
2.43.0
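A self-contained version of the allow list check the patch sketches, added here as an example and not code from the patch or from GitLab; the allow list entries are constructed placeholders standing in for whatever the application setting would hold, and `host_matches?` is a hypothetical helper name.

```ruby
require 'uri'

# Constructed example allow list (stands in for the admin setting the patch
# refers to): exact hosts plus "*.suffix" wildcard entries.
ALLOWED_JIRA_HOSTS = ['jira.example-corp.com', '*.atlassian.net'].freeze

# True only when base_url is an https URL whose host matches an allow list
# entry. Malformed, empty or nil input is rejected instead of raising.
def jira_base_url_allowed?(base_url, allowlist = ALLOWED_JIRA_HOSTS)
  return false if base_url.nil? || base_url.to_s.strip.empty?

  uri = URI.parse(base_url.to_s)
  return false unless uri.is_a?(URI::HTTPS) && uri.host

  # Normalise case and a trailing dot so "ACME.Atlassian.NET." still compares.
  host = uri.host.downcase.chomp('.')
  allowlist.any? { |entry| host_matches?(host, entry.downcase) }
rescue URI::InvalidURIError
  false
end

# A wildcard entry needs a real subdomain label in front of the suffix:
# "*.atlassian.net" matches "acme.atlassian.net" but neither "atlassian.net"
# nor "evilatlassian.net" (the dot is part of the suffix being compared).
def host_matches?(host, entry)
  if entry.start_with?('*.')
    suffix = entry[1..-1] # ".atlassian.net"
    host.length > suffix.length && host.end_with?(suffix)
  else
    host == entry
  end
end
```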