statTypes REST API exposes all statistics field names anonymously

2014-06-09T12:56:19
ID ATLASSIAN:JRA-38667
Type atlassian
Reporter pwyatt
Modified 2017-02-20T02:56:30

Description

On an instance with no anonymous access enabled, /rest/gadget/1.0/statTypes returns a list of all stattable custom fields (names and IDs) in the instance in response to anonymous requests.

This is a nasty exposure of data - admins have no way of knowing that private data shouldn't be put into custom field names. For example, on our own private JIRA instance for tracking QA recruitment, the field names give a fair bit of information away about the intent of the questions and the attributes we're judging candidates by.

I know we don't have field-level permissions, but there's got to be some existing permission we can sensibly enforce on this REST API to limit the exposure.

Discovered by [~hnguyen@atlassian.com].
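As an added example (not part of the original report or of Atlassian's code): a defender-side detection pass over access-log lines that flags successful responses from the endpoint named above to anonymous requests, which is the condition the report describes. The log-line shape is assumed to follow JIRA's Tomcat access-log pattern, in which the third column is the request username and `-` for anonymous requests; the sample lines, IPs and request ids are constructed. The endpoint list is a hypothetical tuple so the same pass can cover other resources an administrator wants watched.

```python
import re
from dataclasses import dataclass

# Assumed line shape (JIRA's Tomcat AccessLogValve pattern; adjust if yours differs):
#   <ip> <request-id> <username|-> [<timestamp>] "<method> <path> <proto>" <status> <bytes> <ms> ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<reqid>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Hypothetical watch-list: endpoints that should never answer an anonymous request.
SENSITIVE_PATHS = ("/rest/gadget/1.0/statTypes",)


@dataclass(frozen=True)
class Hit:
    ip: str
    user: str
    ts: str
    path: str
    status: int


def parse_line(line):
    """Parse one access-log line into a Hit, or return None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Drop any query string so the path compares exactly against the watch-list.
    path = m["path"].split("?", 1)[0]
    return Hit(m["ip"], m["user"], m["ts"], path, int(m["status"]))


def is_anonymous(hit):
    """JIRA writes '-' in the username column when no user is authenticated."""
    return hit.user == "-"


def find_anonymous_sensitive_hits(lines):
    """Return hits where a watched endpoint returned 200 to an anonymous request.

    A 401/403 to an anonymous caller is the expected (fixed) behaviour and is not flagged;
    only a successful anonymous response indicates the exposure described in the report.
    """
    flagged = []
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue  # malformed or unrelated line shape
        if hit.path in SENSITIVE_PATHS and is_anonymous(hit) and hit.status == 200:
            flagged.append(hit)
    return flagged


def count_by_ip(hits):
    """Summarise flagged hits per source address (useful for triage volume)."""
    counts = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts


# Constructed sample log lines: one anonymous success on the gadget endpoint (flagged),
# one authenticated success (not flagged), one anonymous hit elsewhere (not flagged),
# one anonymous request rejected with 401 (not flagged), and one malformed line (skipped).
SAMPLE_LOG = [
    '10.0.0.5 1234x567x1 - [09/Jun/2014:12:56:19 +0000] "GET /rest/gadget/1.0/statTypes?x=1 HTTP/1.1" 200 2140 37 "-" "Mozilla/5.0" "-"',
    '10.0.0.8 1234x568x1 admin [09/Jun/2014:12:57:02 +0000] "GET /rest/gadget/1.0/statTypes HTTP/1.1" 200 2140 41 "-" "Mozilla/5.0" "abc"',
    '10.0.0.5 1234x569x1 - [09/Jun/2014:12:57:30 +0000] "GET /browse/QA-1 HTTP/1.1" 200 9120 88 "-" "Mozilla/5.0" "-"',
    '10.0.0.9 1234x570x1 - [09/Jun/2014:12:58:11 +0000] "GET /rest/gadget/1.0/statTypes HTTP/1.1" 401 0 5 "-" "curl/7.35" "-"',
    'this line is not an access log entry',
]

if __name__ == "__main__":
    for h in find_anonymous_sensitive_hits(SAMPLE_LOG):
        print(f"anonymous 200 on {h.path} from {h.ip} at {h.ts}")
```

Running the block against the constructed sample reports exactly the first line; once the endpoint enforces a permission check, anonymous callers receive 401/403 and the rule goes quiet, which makes it a simple way to confirm the fix is in place on your own instance.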