jira_scan 0.0.2

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    YmVmMjdhMTg1NThlZmMzNDBjNzE3Y2Q0MjY3NzQ1MTY5OTRlMjc5Yg==
+  data.tar.gz: !binary |-
+    OTk3Mjc4M2FiNDU0MzdlYjU0ZjhiYTA2MzdlNWRjZjk2YWQ5NzQxOA==
+SHA512:
+  metadata.gz: !binary |-
+    ZDk2MTdhZjM5ZWI3Y2NjYWIwNzI0MzhiZjU1NzNiNDg3NDU2NjViODJlZjQ2
+    ZDg4YTg3NGQ1YTg4NGMwZTMyMDNlNjVkNzhhOGMxZTEzMGY5ODdiNDgzMzkw
+    ZGYwM2E1MDJkZjkxZDY2NzdjNGU3NTMzZDEzNmY0Zjk2MzQ1ZDI=
+  data.tar.gz: !binary |-
+    NzA2ODczZTI3YzAxYWFhYmEyMWMyMjJjYjJhYzIyN2I0ZDkzYjllZThiMTZi
+    MTNhMWNjYmZkZThhZTNkNThmY2UzOWJjMTQ5YTk2M2NjZWY2ZTRmNDQzZjAy
+    Y2RiMzZhMmQ1YzUzNDg0ZDIxNDA3YjEwOWNkZmQzMjBmMzgzYmE=

data/bin/jira-scan

@@ -0,0 +1,164 @@
+#!/usr/bin/env ruby
+#
+# This file is part of JiraScan
+# https://github.com/bcoles/jira_scan
+#
+
+require 'jira_scan'
+require 'optparse'
+require 'terminal-table'
+require 'resolv'
+
+def banner
+  puts "
+       _ _            _____                 
+      | (_)          / ____|                
+      | |_ _ __ __ _| (___   ___ __ _ _ __  
+  _   | | | '__/ _` |\\___ \\ / __/ _` | '_ \\ 
+ | |__| | | | | (_| |____) | (_| (_| | | | |
+  \\____/|_|_|  \\__,_|_____/ \\___\\__,_|_| |_|
+                               version 0.0.2"
+  puts
+  puts '-' * 60
+end
+
+banner
+options = {}
+opts = OptionParser.new do |o|
+  o.banner = 'Usage: jira-scan [options]'
+
+  o.on('-u URL', '--url URL', 'Jira URL to scan') do |v|
+    unless v.match(%r{\Ahttps?://})
+      puts "- Invalid URL: #{v}"
+      exit(1)
+    end
+    options[:url] = v
+  end
+
+  o.on('-s', '--skip', 'Skip check for Jira') do
+    options[:skip] = true
+  end
+
+  o.on('-v', '--verbose', 'Enable verbose output') do
+    options[:verbose] = true
+  end
+
+  o.on('-h', '--help', 'Show this help') do
+    puts opts
+    exit
+  end
+end
+
+opts.parse!
+
+$VERBOSE = true unless options[:verbose].nil?
+@check = true unless options[:skip]
+
+if options[:url].nil?
+ puts opts
+ exit(1)
+end
+
+def scan(url)
+  puts "Scan started at #{Time.now.getutc}"
+  puts "URL: #{url}"
+
+  # parse URL
+  target = nil
+  begin
+    target = URI::parse(url.split('?').first)
+  rescue
+    puts "- Could not parse target URL: #{url}"
+  end
+  exit(1) if target.nil?
+
+  # resolve IP address
+  begin
+    ip = Resolv.getaddress(target.host).to_s
+    puts "IP: #{ip}" unless ip.nil?
+  rescue
+    puts "- Could not resolve hostname #{target.host}"
+  end
+
+  puts "Port: #{target.port}"
+  puts '-' * 60
+
+  # Check if the URL is Jira
+  if @check
+    unless JiraScan::isJira(url)
+      puts '- Jira not found'
+      exit(1)
+    end
+    puts '+ Found Jira'
+  end
+
+  # Get Jira version
+  version = JiraScan::getVersion(url)
+  puts "+ Version: #{version}" if version
+
+  # Dev mode enabled
+  dev_mode = JiraScan::devMode(url)
+  puts '+ Dev mode is enabled' if dev_mode
+
+  # User registration enabled
+  register = JiraScan::userRegistration(url)
+  puts '+ User registration is enabled' if register
+
+  # Check if User Picker Browser is accessible
+  user_picker = JiraScan::userPickerBrowser(url)
+  if user_picker
+    puts '+ User Picker Browser is available'
+    # Retrieve list of first 1,000 users 
+    users = JiraScan::getUsersFromUserPicker(url)
+    unless users.empty?
+      puts "+ Found users (#{users.length}):"
+      table = Terminal::Table.new :headings => ['Username', 'Full Name', 'Email'], :rows => users
+      puts table
+    end
+  end
+
+  # Check if REST User Picker is accessible
+  rest_user_picker = JiraScan::restUserPicker(url)
+  puts "+ REST UserPicker is available" if rest_user_picker
+
+  # Check if REST Group User Picker is accessible
+  rest_group_user_picker = JiraScan::restGroupUserPicker(url)
+  puts "+ REST GroupUserPicker is available" if rest_group_user_picker
+
+  # Check if ViewUserHover.jspa is accessible
+  view_user_hover = JiraScan::viewUserHover(url)
+  puts "+ ViewUserHover.jspa is available" if view_user_hover
+
+  # Check if META-INF contents are accessible
+  meta_inf = JiraScan::metaInf(url)
+  puts '+ META-INF directory contents are accessible' if meta_inf
+
+  # Retrieve list of dashboards
+  dashboards = JiraScan::getDashboards(url)
+  unless dashboards.empty?
+    puts "+ Found dashboards (#{dashboards.length}):"
+    table = Terminal::Table.new :headings => ['ID', 'Name'], :rows => dashboards
+    puts table
+  end
+
+  # Retrieve list of popular filters
+  filters = JiraScan::getPopularFilters(url)
+  unless filters.empty?
+    puts "+ Found popular filters (#{filters.length}):"
+    table = Terminal::Table.new :headings => ['Filter Name'], :rows => filters
+    puts table
+  end
+
+  # Retrieve list of field names
+  field_names = JiraScan::getFieldNames(url)
+  unless field_names.empty?
+    puts "+ Found field names (#{field_names.length}):"
+    table = Terminal::Table.new :headings => ['Name', 'ID', 'Key', 'IsShown', 'Last Viewed'], :rows => field_names
+    puts table
+  end
+
+  puts "Scan finished at #{Time.now.getutc}"
+  puts '-' * 60
+end
+
+scan(options[:url])

data/lib/jira_scan.rb

@@ -0,0 +1,326 @@
+#
+# This file is part of JiraScan
+# https://github.com/bcoles/jira_scan
+#
+
+require 'uri'
+require 'cgi'
+require 'json'
+require 'net/http'
+require 'openssl'
+
+class JiraScan
+  VERSION = '0.0.2'.freeze
+
+  #
+  # Check if Jira
+  #
+  # @param [String] URL
+  #
+  # @return [Boolean]
+  #
+  def self.isJira(url)
+    url += '/' unless url.to_s.end_with? '/'
+    res = sendHttpRequest("#{url}secure/Dashboard.jspa")
+
+    return false unless res
+    return false unless res.code.to_i == 200
+
+    res.body.to_s.include?('JIRA')
+  end
+
+  #
+  # Get Jira version
+  #
+  # @param [String] URL
+  #
+  # @return [String] Jira version
+  #
+  def self.getVersion(url)
+    url += '/' unless url.to_s.end_with? '/'
+    res = sendHttpRequest("#{url}secure/Dashboard.jspa")
+
+    return unless res
+    return unless res.code.to_i == 200
+
+    version = res.body.to_s.scan(%r{<meta name="ajs-version-number" content="([\d\.]+)">}).flatten.first
+    build = res.body.to_s.scan(%r{<meta name="ajs-build-number" content="(\d+)">}).flatten.first
+
+    unless version && build
+      if res.body.to_s =~ /Version: ([\d\.]+)-#(\d+)/
+        version = $1
+        build = $2
+      else
+        return
+      end
+    end
+
+    "#{version}-##{build}"
+  end
+
+  #
+  # Check if dev mode is enabled
+  #
+  # @param [String] URL
+  #
+  # @return [Boolean]
+  #
+  def self.devMode(url)
+    url += '/' unless url.to_s.end_with? '/'
+    res = sendHttpRequest(url)
+
+    return false unless res
+    return false unless res.code.to_i == 200
+
+    res.body.to_s.include?('<meta name="ajs-dev-mode" content="true">')
+  end
+
+  #
+  # Check if account registration is enabled
+  #
+  # @param [String] URL
+  #
+  # @return [Boolean]
+  #
+  def self.userRegistration(url)
+    url += '/' unless url.to_s.end_with? '/'
+    res = sendHttpRequest("#{url}secure/Signup!default.jspa")
+
+    return false unless res
+    return false unless res.code.to_i == 200
+
+    res.body.to_s.include?('<h1>Sign up</h1>')
+  end
+
+  #
+  # Check if unauthenticated access to UserPickerBrowser.jspa is allowed
+  #
+  # @param [String] URL
+  #
+  # @return [Boolean]
+  #
+  def self.userPickerBrowser(url)
+    url += '/' unless url.to_s.end_with? '/'
+    res = sendHttpRequest("#{url}secure/popups/UserPickerBrowser.jspa")
+
+    return false unless res
+    return false unless res.code.to_i == 200
+
+    res.body.to_s.include?('<h1>User Picker</h1>')
+  end
+
+  #
+  # Retrieve list of users from UserPickerBrowser
+  #
+  # @param [String] URL
+  #
+  # @return [Array] list of first 1,000 users
+  #
+  def self.getUsersFromUserPickerBrowser(url)
+    url += '/' unless url.to_s.end_with? '/'
+    max = 1_000
+    res = sendHttpRequest("#{url}secure/popups/UserPickerBrowser.jspa?max=#{max}")
+
+    return [] unless res && res.code.to_i == 200 && res.body.to_s.include?('<h1>User Picker</h1>')
+
+    users = []
+    if res.body.to_s.include? 'cell-type-email'
+      res.body.to_s.scan(%r{<td data-cell-type="name" class="user-name">(.*?)</td>\s+<td data-cell-type="fullname" >(.*?)</td>\s+<td data-cell-type="email" class="cell-type-email">(.*?)</td>}m).each do |u|
+        users << u
+      end
+    else
+      res.body.to_s.scan(%r{<td data-cell-type="name" class="user-name">(.*?)</td>\s+<td data-cell-type="fullname" >(.*?)</td>}m).each do |u|
+        users << u
+      end
+    end
+
+    users
+  rescue
+    []
+  end
+
+  #
+  # Check if unauthenticated access to REST UserPicker is allowed (CVE-2019-3403)
+  #
+  # @param [String] URL
+  #
+  # @return [Boolean]
+  #
+  def self.restUserPicker(url)
+    url += '/' unless url.to_s.end_with? '/'
+    res = sendHttpRequest("#{url}rest/api/latest/user/picker")
+
+    return false unless res
+    return false unless res.code.to_i == 400
+
+    res.body.to_s.include?('The username query parameter was not provided')
+  end
+
+  #
+  # Check if unauthenticated access to REST GroupUserPicker is allowed (CVE-2019-8449)
+  #
+  # @param [String] URL
+  #
+  # @return [Boolean]
+  #
+  def self.restGroupUserPicker(url)
+    url += '/' unless url.to_s.end_with? '/'
+    res = sendHttpRequest("#{url}rest/api/latest/groupuserpicker")
+
+    return false unless res
+    return false unless res.code.to_i == 400
+
+    res.body.to_s.include?('The username query parameter was not provided')
+  end
+
+  #
+  # Check if unauthenticated access to ViewUserHover.jspa is allowed (CVE-2020-14181)
+  #
+  # @param [String] URL
+  #
+  # @return [Boolean]
+  #
+  def self.viewUserHover(url)
+    url += '/' unless url.to_s.end_with? '/'
+    res = sendHttpRequest("#{url}secure/ViewUserHover.jspa")
+
+    return false unless res
+    return false unless res.code.to_i == 200
+
+    res.body.to_s.include?('User does not exist')
+  end
+
+  #
+  # Check if META-INF contents are accessible (CVE-2019-8442)
+  #
+  # @param [String] URL
+  #
+  # @return [Boolean]
+  #
+  def self.metaInf(url)
+    url += '/' unless url.to_s.end_with? '/'
+    res = sendHttpRequest("#{url}s/#{rand(36**6).to_s(36)}/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml")
+
+    return false unless res
+    return false unless res.code.to_i == 200
+
+    res.body.to_s.start_with?('<project')
+  end
+
+  #
+  # Retrieve list of popular filters
+  #
+  # @param [String] URL
+  #
+  # @return [Array] list of popular filters
+  #
+  def self.getPopularFilters(url)
+    url += '/' unless url.to_s.end_with? '/'
+    res = sendHttpRequest("#{url}secure/ManageFilters.jspa?filter=popular&filterView=popular")
+
+    return [] unless res
+    return [] unless res.code.to_i == 200
+    return [] unless res.body.to_s.include?('<h1>Manage Filters</h1>')
+
+    return res.body.to_s.scan(%r{requestId=\d+">(.+?)</a>}) if res.body.to_s =~ /requestId=\d/
+    return res.body.to_s.scan(%r{filter=\d+">(.+?)</a>}) if res.body.to_s =~ /filter=\d/
+
+    []
+  rescue
+    []
+  end
+
+  #
+  # Retrieve list of dashboards
+  #
+  # @param [String] URL
+  #
+  # @return [Array] list of dashboards
+  #
+  def self.getDashboards(url)
+    url += '/' unless url.to_s.end_with? '/'
+    max = 1_000
+    res = sendHttpRequest("#{url}rest/api/2/dashboard?maxResults=#{max}")
+
+    return [] unless res
+    return [] unless res.code.to_i == 200
+    return [] unless res.body.to_s.start_with?('{"startAt"')
+
+    JSON.parse(res.body.to_s, symbolize_names: true)[:dashboards].map {|d| [d[:id], d[:name]] }
+  rescue
+    []
+  end
+
+  #
+  # Retrieve list of field names from QueryComponent!Default.jspa (CVE-2020-14179)
+  #
+  # @param [String] URL
+  #
+  # @return [Array] list of field names
+  #
+  def self.getFieldNames(url)
+    url += '/' unless url.to_s.end_with? '/'
+    res = sendHttpRequest("#{url}secure/QueryComponent!Default.jspa")
+
+    return [] unless res
+    return [] unless res.code.to_i == 200
+    return [] unless res.body.to_s.start_with?('{"searchers"')
+
+    searchers = JSON.parse(res.body.to_s)["searchers"]
+    return [] if searchers.empty?
+
+    groups = searchers['groups']
+    return [] if groups.empty?
+
+    field_names = []
+    groups.each do |g|
+      g['searchers'].each do |s|
+        field_names << s
+      end
+    end
+
+    JSON.parse(field_names.to_json, symbolize_names: true).map {|f| [f[:name], f[:id], f[:key], f[:isShown].to_s, f[:lastViewed]] }
+  rescue
+    []
+  end
+
+  private
+
+  #
+  # Fetch URL
+  #
+  # @param [String] URL
+  #
+  # @return [Net::HTTPResponse] HTTP response
+  #
+  def self.sendHttpRequest(url)
+    target = URI.parse(url)
+    puts "* Fetching #{target}" if $VERBOSE
+    http = Net::HTTP.new(target.host, target.port)
+    if target.scheme.to_s.eql?('https')
+      http.use_ssl = true
+      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      # http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    end
+    http.open_timeout = 20
+    http.read_timeout = 20
+    headers = {}
+    headers['User-Agent'] = "JiraScan/#{VERSION}"
+    headers['Accept-Encoding'] = 'gzip,deflate'
+
+    begin
+      res = http.request(Net::HTTP::Get.new(target, headers.to_hash))
+      if res.body && res['Content-Encoding'].eql?('gzip')
+        sio = StringIO.new(res.body)
+        gz = Zlib::GzipReader.new(sio)
+        res.body = gz.read
+      end
+    rescue Timeout::Error, Errno::ETIMEDOUT
+      puts "- Error: Timeout retrieving #{target}" if $VERBOSE
+    rescue => e
+      puts "- Error: Could not retrieve URL #{target}\n#{e}" if $VERBOSE
+    end
+    puts "+ Received reply (#{res.body.length} bytes)" if $VERBOSE
+    res
+  end
+end

metadata

@@ -0,0 +1,47 @@
+--- !ruby/object:Gem::Specification
+name: jira_scan
+version: !ruby/object:Gem::Version
+  version: 0.0.2
+platform: ruby
+authors:
+- Brendan Coles
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2021-03-23 00:00:00.000000000 Z
+dependencies: []
+description: A simple remote scanner for Atlassian Jira
+email: bcoles@gmail.com
+executables:
+- jira-scan
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/jira-scan
+- lib/jira_scan.rb
+homepage: https://github.com/bcoles/jira_scan
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: 2.0.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Jira scanner
+test_files: []
+has_rdoc: