403 error when trying to restore quality profile

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    • SonarQube version 9.8.0.63668
    • SonarQube is installed into a kubernetes cluster using version 7.0.0 of the sonarqube helm chart. We have an AWS RDS postgresql database connected to the SonarQube server.
  • what are you trying to achieve
    • I am trying to restore a quality profile using the Restore button in the UI on the /profiles page
  • what have you tried so far to achieve this
    • I tried to export a quality profile from an older SonarQube server (8.9.9.56886) and then restore this profile into my new SonarQube server (9.8.0.63668) using the UI on the /profiles page. This resulted in a 403 error being logged to my browser’s javascript console.
    • I manually created a new quality profile in my new SonarQube server (9.8.0.63668) using the UI on the /profiles page. Then I clicked the Back up button on this newly created profile to save it to file on my computer. Next I tried to restore this profile into my new SonarQube server (9.8.0.63668) using the UI on the /profiles page. This resulted in a 403 error being logged to my browser’s javascript console.
    • I tried using curl and postman to POST a quality profile backup to the /api/qualityprofiles/restore endpoint and got a 403 response. I was able to successfully execute the /api/user_tokens/search api using both curl and postman so I believe this confirms that my authentication was valid.

I’ve checked the access logs, ce logs, web logs, main process logs, and search logs for errors. None of these logs contain any entries related to my failed attempts to restore my quality profile. This leads me to believe that the 403 error is occurring before the request gets deep into SonarQube. I’m confused as to why this would be occurring only for the /api/qualityprofiles/restore endpoint and not for the many other endpoints that exist.

Any ideas for how to resolve this 403 error or how to get additional details to help in debugging?

Hi @jwenz723,

I’m looking into this issue and I’d like to ask you some questions:

  • What edition of SonarQube are you using (Community, Developer, Enterprise)? (Probably shouldn’t matter, but want to make sure that I test the same thing).
  • Does this happen for any quality profile or only for this particular one?

I am using the Community edition

The issue appears to be happening for all quality profiles that I try to restore. I tried restoring a quality profile which was exported from a v8.x instance of sonarqube community. I also tried restoring a quality profile which was created using my 9.8.0.63668 instance of sonarqube community.

You mention that the request doesn’t even appear in the access logs for SonarQube.

Is it possible that the request is blocked for some reason at the Kubernetes ingress before even reaching SonarQube?

I had previously checked our various ingress components in kubernetes to confirm that the request was not blocked. However, your comment made me realize that we are using AWS WAF on our k8s ingress. The restore quality profiles endpoint was being blocked by AWS WAF rule CrossSiteScripting_BODY inside the AWSManagedRulesCommonRuleSet ruleset. For more info, this rule description can be seen here: Baseline rule groups - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

I’m not a cross site scripting expert, but it seems like this could possibly be considered as a bug in SonarQube for not properly performing the API call? However, from my point of view no additional help is required. Thanks for helping me to realize this!
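For anyone hitting the same block, here is an added example (not from the thread or from SonarSource) of how the exception can be scoped narrowly instead of disabling the rule for the whole site: the managed rule is switched to Count, and a second rule re-blocks anything the rule labelled, except a body sent to the restore endpoint itself. The label key follows AWS's documented naming for the Core rule set and is an assumption to verify against the current AWSManagedRulesCommonRuleSet docs; the priorities and metric names are placeholders.

```json
[
  {
    "Name": "AWSManagedRulesCommonRuleSet",
    "Priority": 0,
    "OverrideAction": { "None": {} },
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesCommonRuleSet",
        "RuleActionOverrides": [
          { "Name": "CrossSiteScripting_BODY", "ActionToUse": { "Count": {} } }
        ]
      }
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "CommonRuleSet"
    }
  },
  {
    "Name": "BlockXssBodyExceptQualityProfileRestore",
    "Priority": 1,
    "Action": { "Block": {} },
    "Statement": {
      "AndStatement": {
        "Statements": [
          {
            "LabelMatchStatement": {
              "Scope": "LABEL",
              "Key": "awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body"
            }
          },
          {
            "NotStatement": {
              "Statement": {
                "ByteMatchStatement": {
                  "FieldToMatch": { "UriPath": {} },
                  "PositionalConstraint": "EXACTLY",
                  "SearchString": "/api/qualityprofiles/restore",
                  "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
                }
              }
            }
          }
        ]
      }
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "XssBodyExceptRestore"
    }
  }
]
```

Because the managed rule still runs in Count mode, the WAF sampled requests and CloudWatch metrics keep recording what would have been blocked, so the exemption stays visible to whoever reviews the WAF logs.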

It’s hard to say if SonarQube is not performing the requests properly without more details.

After some searching, I’ve found that AWS WAF can in some cases block XML file uploads, but I’m not sure we can do much on our side other than changing the backup/restore file format.