From f4a96d643b63f64b86b216f8b350b79b46e7dc5c Mon Sep 17 00:00:00 2001
From: Paul Hutchinson
Date: Wed, 19 Nov 2025 11:37:02 +0000
Subject: [PATCH 1/2] [feature] SC-166737/improve app proxy security by restricting where token replacements can go
---
 manifest.json | 41 ++++++++++++++++++++++++++++++++++-------
 1 file changed, 34 insertions(+), 7 deletions(-)

diff --git a/manifest.json b/manifest.json
index 78b8c18..9c3a2e8 100644
--- a/manifest.json
+++ b/manifest.json
@@ -145,20 +145,47 @@
 },
 "proxy": {
 "whitelist": [
- {
- "url": "https://(.*).atlassian.net/.*",
- "methods": ["GET", "POST", "PUT", "DELETE"],
- "timeout": 50
- },
 {
 "url": "https://auth.atlassian.com/.*",
 "methods": ["GET", "POST"],
- "timeout": 50
+ "timeout": 50,
+ "settingsInjection": {
+ "client_id": {
+ "body": ["client_id"]
+ },
+ "client_secret": {
+ "body": ["client_secret"]
+ },
+ "api_token": {
+ "header": ["Authorization"]
+ }
+ }
+ },
+ {
+ "url": "https://(.*).atlassian.net/.*",
+ "methods": ["GET", "POST", "PUT", "DELETE"],
+ "timeout": 50,
+ "settingsInjection": {
+ "api_key": {
+ "header": ["Authorization"]
+ },
+ "username": {
+ "header": ["Authorization"]
+ }
+ }
 },
 {
 "url": "https://api.atlassian.com/.*",
 "methods": ["GET", "POST", "DELETE"],
- "timeout": 50
+ "timeout": 50,
+ "settingsInjection": {
+ "api_key": {
+ "header": ["Authorization"]
+ },
+ "username": {
+ "header": ["Authorization"]
+ }
+ }
 }
 ]
 }

From 40a09b75642a847fa36c140fd534a7d3acc529b6 Mon Sep 17 00:00:00 2001
From: Paul <1740195+HappyPaul55@users.noreply.github.com>
Date: Wed, 19 Nov 2025 12:08:19 +0000
Subject: [PATCH 2/2] Update manifest.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 manifest.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manifest.json b/manifest.json
index 9c3a2e8..cc9fd51 100644
--- a/manifest.json
+++ b/manifest.json
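Review bot: The `(.*)` in the re-added entry `"url": "https://(.*).atlassian.net/.*"` is the weak spot this change leaves open, because that entry is now the one that injects `api_key` and `username` into `Authorization`, and if the proxy evaluates these strings as regular expressions (the `(.*)` capture suggests it does) `(.*)` also matches `/`, `@` and `?`, so a URL such as `https://attacker.example/x.atlassian.net/` satisfies the pattern and the credential is sent to a host outside atlassian.net. Restricting the capture to a single hostname label and escaping the literal dots closes that gap: `"url": "https://([A-Za-z0-9-]+)\\.atlassian\\.net/.*",`. The unescaped dots in the `auth.atlassian.com` and `api.atlassian.com` patterns are a milder form of the same issue (`.` matches any character) and would take the same `\\.` escaping. How the proxy anchors and matches the pattern is not visible in this hunk, so confirm the matcher's semantics before relying on the tightened expression; the enclosing manifest object starts and ends outside the hunk.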
@@ -156,7 +156,7 @@
 "client_secret": {
 "body": ["client_secret"]
 },
- "api_token": {
+ "api_key": {
 "header": ["Authorization"]
 }
 }