5.6.x

5.6.16

  • Released 18 Feb 2020

Updates

Critical Security Vulnerabilities Fixed

This release fixes critical security vulnerabilities around the Space Admin Built-In scripts for ScriptRunner for Confluence. See SRCONF-1097 for details about the vulnerability.

Temporary Workaround

If you are unable to upgrade immediately, blocking HTTP requests beginning with <base_url>/rest/scriptrunner-confluence/*/space_admin/ mitigates the vulnerability.

To verify the workaround is applied correctly, check that requests to <base_url>/rest/scriptrunner-confluence/*/space_admin/ are denied.

Below are examples of how to apply the workaround in Apache and Tomcat by blocking requests to the affected space_admin endpoint at the reverse proxy, load-balancer or application server level.

Please note that Adaptavist Support does not provide any assistance for configuring reverse proxies. Consequently, we provide the below examples as is, with no support and no written or implied warranties.

Apache HTTPD Reverse Proxy

Apache 2.4 Syntax

Add the following into the .conf file containing the virtualhost that proxies to the Atlassian application.


<LocationMatch "/rest/scriptrunner-confluence/.*/space_admin/.*">
Require all denied
</LocationMatch>

Example:


<VirtualHost *:80>
ServerName confluence.example.com

    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
         Require all granted
    </Proxy>
    ProxyPass /confluence  http://ipaddress:8080/confluence
    ProxyPassReverse /confluence  http://ipaddress:8080/confluence

    <LocationMatch "/rest/scriptrunner-confluence/.*/space_admin/.*">
        Require all denied
    </LocationMatch>
</VirtualHost>

Apache 2.2 Syntax

Add the following into the .conf file containing the virtualhost that proxies to the Atlassian application:


<LocationMatch "/rest/scriptrunner-confluence/.*/space_admin/.*">
Order Allow,Deny
Deny from  all
</LocationMatch>

Example:


<VirtualHost *:80>
ServerName confluence.example.com
    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
         # Apache 2.2 access control ("Require all granted" is 2.4 syntax)
         Order deny,allow
         Allow from all
    </Proxy>
    ProxyPass /confluence  http://ipaddress:8080/confluence
    ProxyPassReverse /confluence  http://ipaddress:8080/confluence
    <LocationMatch "/rest/scriptrunner-confluence/.*/space_admin/.*">
         Order Allow,Deny
         Deny from  all
    </LocationMatch>
</VirtualHost>

Tomcat urlrewrite.xml

Redirect requests to /rest/scriptrunner-confluence/.*/space_admin/.* to a safe URL.

  1. Add the following to the <urlrewrite> section of [confluence-installation-directory]/atlassian-confluence/WEB-INF/urlrewrite.xml:


    <rule>
    <from>/rest/scriptrunner-confluence/.*/space_admin/.*</from>
    <to type="temporary-redirect">/</to>
    </rule>

  2. Save the urlrewrite.xml.

  3. Restart the Atlassian application.

Known Issues

  • SPLAT-948 - Conditions on Script Fragments will be hidden from the UI

Bug Fixes

  • SRCONF-1094 - Error when running Bulk Delete Attachments script as Space Admin

  • SRCONF-1093 - Error when running Bulk Delete Comments script as Space Admin

  • SRCONF-1092 - Error when running Bulk Add/Remove Labels on One or More Pages script as Space Admin

  • SRCONF-1084 - Error when running Space Statistics as space admin

5.6.15

  • Released 11 Feb 2020

Bug Fixes

  • SRPLAT-912 - Script Editor has been fixed

  • SRPLAT-566 - Browse Page now maintains search input focus

  • SRCONF-1026 - Space Statistics failed when the Space Key value was In

5.6.14

  • Released 27 Jan 2020

Bug Fixes

  • SRPLAT-908 - A bug that prevented editing of previously configured script files has been fixed

  • SRCONF-1069 - A bug that prevented the Bulk Delete Attachments built-in script from respecting the minimum age has been fixed

5.6.13

  • Released 22 Jan 2020

Updates

IntelliJ IDEA Plugin Deprecation

We are officially deprecating the IntelliJ IDEA plugin, also known as the Adaptavist Power Editor. ScriptRunner 5.6.13 contains the last bugfix we will ship for this feature, and 0.7.20 is the last release we will make on the JetBrains marketplace. Future support requests for this feature will be referred to this deprecation notice.

As can be seen from the review history on our JetBrains marketplace listing, we haven’t been consistently keeping up with JetBrains’s quarterly release schedule, due to prioritization constraints.

Reasons for the Change

Two key concerns motivated our decision to deprecate: the opportunity cost of developing the Adaptavist Power Editor and its overlap with other ScriptRunner features.

The IntelliJ IDEA platform is a rich, fast-moving one. Just about every release requires refactoring some part of our plugin’s codebase. As users of IntelliJ IDEA, we love this rapid development. However, it is a challenge to keep up with developing a secondary plugin that is not our core product, while also keeping an eye on the Atlassian release cycle. While IntelliJ IDEA was an interesting platform to expand into, it required more focus than we were able to give it.

Further, we are continuing to maintain and develop two other features which meet most of the needs met by the IntelliJ Plugin. These are the Code Editor and the scriptrunner-samples repository for local development.

The Code Editor provides smart completions, parameter hints, and javadoc lookup. While that’s nowhere near the feature set provided by IntelliJ IDEA, it does provide a rich development experience, one which we’d like to develop further. Most importantly, the Code Editor is up and running by default with no setup.

For users who want a deeper development experience and don’t mind some setup, developing a Script Plugin affords a fully featured IDE, git integration, the ability to save script configuration as code, and other developer tools.

With the addition of the Code Editor (with built-in autocompletion), and the new Script Editor (allowing users to save files in script roots), the Adaptavist Power Editor had a very niche user base with a very high maintenance burden. Although we had reservations about deprecating the IntelliJ IDEA integration due to feature loss in the short term, increased investment in the core ScriptRunner product is our priority.

Continuing to let the Adaptavist Power Editor lag with late compatibility updates wasn’t fair to our users, and we are committed to delivering more new features and improvements to the ScriptRunner product itself.

Ultimately, creating a plugin for IntelliJ IDEA was a valuable experiment. It taught us important lessons about providing a rich code editor that we still want to incorporate into the core Code Editor. We would love to hear from you which aspects you found most valuable. Please contact us through our support portal if there are features you would like to request for the Code Editor.

We are Dropping Support for Custom Macro Variables

As of this release, we will no longer be supporting or advertising the ability to extend our internal macro classes. Given that our macros weren’t initially designed as an external API with extendability in mind, we’ve decided that it would be irresponsible to continue promoting them as such. That being said, we will not be removing the ability to extend them entirely. It will absolutely still be possible to extend our built-in macros and make custom configurations with them.

To demonstrate, as of now, you can use the following steps to specify your own variables using the Create Page macro:

  1. Navigate to your script root.

    The default is <Confluence>/home/scripts. Select Script Roots for more information.

  2. Create the package com.onresolve.scriptrunner.canned.confluence.macros in your script root.

  3. Navigate to the package you just created and create a new groovy class CreatePageMacroModified.groovy inside the macros folder.

    This extends the old class and overrides the setCustomVariables() method. Using a descriptive class name is recommended.

  4. Populate the class:


    package com.onresolve.scriptrunner.canned.confluence.macros
    
    import ...

    /**
     * Overrides custom variables in the Create Page Macro to specify new variable behaviour
     */
    class CreatePageMacroModified extends CreatePageMacro {
    
        @Inject
        CreatePageMacroModified(
            PageManager pageManager, SpaceManager spaceManager, PageTemplateManager pageTemplateManager, SettingsManager settingsManager, ContentPropertyManager contentPropertyManager) {
            super(ComponentLocator.getComponent(I18NBeanFactory), pageManager, spaceManager, pageTemplateManager, ComponentLocator.getComponent(PermissionManager), ComponentLocator.getComponent(SubRenderer), settingsManager, contentPropertyManager)
        }
    
        @Override
        protected Map<String, String> setCustomVariables() {
            Map<String, String> customVariables = new HashMap<>()
            customVariables.put("\$myVariable", "This is my custom variable")
            customVariables.put("\$epoch", String.valueOf(Instant.now().toEpochMilli()))
    
            return customVariables
        }
    }

It’s important to note that the constructors for each of our built-in macros are subject to change without notice. There is no guarantee that this code will work in the future in the event that we decide to make changes to these classes.

   5. Disable the old macro in the Script Macros section in Confluence Administration.

   6. Finally, enable the new macro in the Script Macros section in Confluence Administration.

Bug Fixes

  • SRPLAT-830 - IntelliJ Integration, which was broken in 5.6.6 and beyond, is now fixed

  • SRCONF-1016 - Macro Overrides had incorrect constructors

  • SRCONF-1068 - The Script fragments page has been updated with Browse functionality

  • SRCONF-1056 - The Jobs page has been updated with Browse functionality

5.6.12

  • Released 22 Jan 2020

Updates

ScriptRunner Remote Events Code Execution Vulnerability

An HTTP POST made to /rest/scriptrunner/latest/remote-events with a specially crafted JSON payload could lead to unrestricted Groovy code execution for any logged-in user, regardless of permissions.

This security vulnerability has been fixed in ScriptRunner 5.6.12; it is recommended all customers upgrade to 5.6.12+ where possible.

If no firewall is enabled, users must update ScriptRunner to include this security patch.

Temporary Workaround

If you are unable to upgrade immediately, blocking HTTP requests beginning with <base_url>/rest/scriptrunner/*/remote-events mitigates the vulnerability.

To verify the workaround is applied correctly, check that requests to <base_url>/rest/scriptrunner/*/remote-events/ are denied.

Below are examples of how to apply the workaround in Apache and Tomcat by blocking requests to the ScriptRunner Remote Events endpoint at the reverse proxy, load-balancer or application server level.

Please note that Adaptavist Support does not provide any assistance for configuring reverse proxies. Consequently, we provide the below examples as is, with no support and no written or implied warranties.

Apache HTTPD Reverse Proxy

Apache 2.4 Syntax

Add the following into the .conf file containing the virtualhost that proxies to the Atlassian application.


# No trailing slash in the pattern, so the bare .../remote-events path is denied too
<LocationMatch "/rest/scriptrunner/.*/remote-events">
    Require all denied
</LocationMatch>

Example:


<VirtualHost *:80>
ServerName jira.example.com

    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
         Require all granted
    </Proxy>
    ProxyPass /jira  http://ipaddress:8080/jira
    ProxyPassReverse /jira  http://ipaddress:8080/jira

    # No trailing slash in the pattern, so the bare .../remote-events path is denied too
    <LocationMatch "/rest/scriptrunner/.*/remote-events">
        Require all denied
    </LocationMatch>
</VirtualHost>

Apache 2.2 Syntax

Add the following into the .conf file containing the virtualhost that proxies to the Atlassian application:


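# No trailing slash in the pattern, so the bare .../remote-events path is denied too
<LocationMatch "/rest/scriptrunner/.*/remote-events">
    Order Allow,Deny
    Deny from  all
</LocationMatch>

Example:


<VirtualHost *:80>
ServerName jira.example.com
    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
         # Apache 2.2 access control ("Require all granted" is 2.4 syntax)
         Order deny,allow
         Allow from all
    </Proxy>
    ProxyPass /jira  http://ipaddress:8080/jira
    ProxyPassReverse /jira  http://ipaddress:8080/jira
    # No trailing slash in the pattern, so the bare .../remote-events path is denied too
    <LocationMatch "/rest/scriptrunner/.*/remote-events">
         Order Allow,Deny
         Deny from  all
    </LocationMatch>
</VirtualHost>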

Tomcat urlrewrite.xml

Redirect requests to /rest/scriptrunner/.*/remote-events.* to a safe URL.

  1. Add the following to the <urlrewrite> section of [jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:


    <rule>
    <!-- No slash is required after remote-events, so the bare path is matched too -->
    <from>/rest/scriptrunner/.*/remote-events.*</from>
    <to type="temporary-redirect">/</to>
    </rule>

  2. Save the urlrewrite.xml.

  3. Restart the Atlassian application.
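One way to run the verification step for both workarounds on this page (space_admin in 5.6.16, remote-events in 5.6.12), as an added example that is not Adaptavist's code: it sends plain GET requests to variants of each blocked path and reports whether each was denied, redirected, or passed through. The `1.0` version segment, the `probe` suffix, the placeholder host and the `fake_proxy` stand-in are constructed for illustration; the offline demo shows that a deny pattern requiring a trailing slash after remote-events leaves the bare path unblocked.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Blocked prefixes from the two workarounds on this page; {v} is the API
# version segment. The suffix variants are constructed probe values.
ENDPOINTS = {
    "space_admin": ("/rest/scriptrunner-confluence/{v}/space_admin/", ("", "probe")),
    "remote-events": ("/rest/scriptrunner/{v}/remote-events", ("", "/", "/probe")),
}
VERSIONS = ("latest", "1.0")  # "1.0" is a constructed sample version segment


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # report the 3xx itself instead of following it


def http_status(url, timeout=10):
    """Plain GET with no payload; returns the status code that comes back."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    if status == 403:
        return "denied"        # Apache "Require all denied" / "Deny from all"
    if status in (301, 302, 303, 307, 308):
        return "redirected"    # Tomcat urlrewrite temporary-redirect rule
    return "REACHED"           # anything else is treated as having passed the block


def verify(base_url, endpoint, status_of=http_status):
    """Probe every path variant of one endpoint; returns {path: verdict}."""
    prefix, suffixes = ENDPOINTS[endpoint]
    results = {}
    for version in VERSIONS:
        for suffix in suffixes:
            path = prefix.format(v=version) + suffix
            results[path] = classify(status_of(base_url.rstrip("/") + path))
    return results


def fake_proxy(location_match):
    """Offline stand-in for a proxy with one LocationMatch deny rule.
    LocationMatch is an unanchored regex match on the URL path, so re.search
    models it; every unmatched request is assumed to reach the app (200)."""
    rule = re.compile(location_match)
    return lambda url: 403 if rule.search(urlsplit(url).path) else 200


if __name__ == "__main__":
    base = "http://confluence.example.com/confluence"  # placeholder host
    for pattern in (r"/rest/scriptrunner/.*/remote-events/",   # trailing slash
                    r"/rest/scriptrunner/.*/remote-events"):   # no trailing slash
        print(pattern)
        for path, verdict in verify(base, "remote-events", fake_proxy(pattern)).items():
            print(f"  {verdict:10} {path}")
    # Against a live instance: verify("<base_url>", "space_admin")
```

Any `REACHED` line means that request got past the proxy rule and the workaround needs tightening.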

5.6.11

  • Released 09 Jan 2020

New Features

Folder Support in Script Editor

You can now use the Context menu to create new folders in the script root directory.

Script Editor also supports the creation of nested folders; just separate them using the / character.

Folders (and files) can be moved around the file tree using drag-and-drop.

Deletion Support in Script Editor

You can now remove files and folders directly from the Script Editor UI. Just right-click on the file or folder you want to remove and select Delete from the Context menu.

Renaming Support in Script Editor

You can now rename files and folders using the context menu option Rename, which is available on each node in Script Editor.

Execution History

Execution History was added to Search Extractors and Custom CQL Functions.

You can use Execution History to view up to two years of execution times and failure rates of ScriptRunner scripts in your instance, allowing a long-term view of script performance.

Breaking Change to Internal API

An internal API, the CQLSearchUtils class, has been changed to use dependency injection. This should be invisible to most users, but if you have a custom script using the CQLSearchUtils class, you will need to change how you retrieve and use it.

In prior versions of ScriptRunner for Confluence, you could use CQLSearchUtils to get pages using a static method:


import com.onresolve.scriptrunner.canned.confluence.utils.CQLSearchUtils

def cqlQuery = 'space = KEY' // some CQL query
def pages = CQLSearchUtils.searchForContent(cqlQuery)

Now, you need to retrieve it as a Spring bean.


import ...

def cqlSearchUtils = ScriptRunnerImpl.scriptRunner.getBean(CQLSearchUtils)
def cqlQuery = 'space = KEY' // some CQL query
def pages = cqlSearchUtils.searchForContent(cqlQuery)

Bug Fixes

5.6.9

  • Released 12 Dec 2019

Bug Fixes

  • SRPLAT-670 - An exception was generated when adding or removing an event in the Events field on the Custom Event Listener screen.

  • SRCONF-943 - Selecting the Advanced Space Functionality option while on version 5.6.6 caused high CPU loads and, in some cases, the page did not load.

5.6.8

  • Released 27 Nov 2019

New Features

Browse Page Update

ScriptRunner for Confluence Browse page concepts are now on the Event Listeners, Script Macros, and Built-In Scripts pages. You can now search all ScriptRunner functionality, like you can on the Browse page, using the search bar on each page.

For example, the Event Listeners search bar is pictured below:

Custom Macros Documentation Update

Security vulnerabilities involving custom macros are explained in the Security and Best Practices documentation. Additionally, code samples in the Custom Macros documentation were updated to show more secure code.

Bug Fixes

  • SRPLAT-836 - ScriptRunner did not clean up MultiParentClassLoader on plugin-enabled events

5.6.7

  • Released 11 Nov 2019

New Features

Label Tools Macros are Now Native Features of ScriptRunner for Confluence

Previously the Add Label macro and Choose Label macro were housed in their own plugin (Label Tools), which depended on ScriptRunner.

In this release, Label Tools has been merged into ScriptRunner for Confluence to reduce your maintenance burden and speed up the release cycle for all ScriptRunner features.

Upgrade Path

The upgrade path may be more or less complicated, depending on which version of ScriptRunner you currently have installed and which of the old dependent plugins you have installed, if any.

Most likely, you can simply install ScriptRunner for Confluence 5.6.7, uninstall the old Label Tools plugin (if you have it), and be done. If you encounter problems, read on.

Troubleshooting the Upgrade

If something goes wrong while you’re upgrading, try these steps:

  1. Disable ScriptRunner and all dependent plugins.

  2. Enable ScriptRunner for Confluence 5.6.7.

  3. Uninstall all of the old Label Tools, Create Page, and Page Information plugins.

  4. If you are using the Notifications dependent plugin, then you can re-enable it.

If you encounter any issues that aren’t resolved by the above steps, please do not hesitate to contact us via our Support Portal.

For further details about the upgrade path for different environments, read on.

For Users Without Any Dependent Plugins

If you do not have any dependent plugins installed at all (Create Page, Page Information, Label Tools, or Notifications), this update should not require any action from you other than installation. That said, we encourage you to give the Choose Label macro and the Add Label macro a try! Both macros were useful in their standalone plugin, and they’ll make nice additions to your macro portfolio now that they are part of ScriptRunner for Confluence.

If you would prefer not to have either of these macros, they can be disabled just like any other script macro from the Script Macros administration page.

Bug Fixes

  • SRPLAT-774 - There was a MissingPropertyException in subclasses of AbstractBaseRestEndpoint when accessing the log field

  • SRPLAT-773 - YAML files were not auto-deploying saved script configurations in custom plugin jars

  • SRCONF-835 - The browser Back button on the Create Page macro screen was fixed

  • SRCONF-508 - Log output was not consistent in the Logs tab of the Script Console screen

5.6.6

  • Released 28 Oct 2019

New Features

Create Page and Page Information Macros Are Now Native Features of ScriptRunner for Confluence

Previously the Create Page macro and Page Info macro were housed in their own plugins, and the plugins depended on ScriptRunner. The two plugins have been merged into ScriptRunner for Confluence to reduce your maintenance burden and speed up the release cycle for all ScriptRunner features.

Upgrade Path

The upgrade path may be more or less complicated, depending on which of the dependent plugins you have installed, if any.

Troubleshooting Upgrades

If something goes wrong while you’re upgrading, try these steps:

  1. Disable ScriptRunner and all dependent plugins.

  2. Enable ScriptRunner for Confluence 5.6.4.

  3. Make sure the old Create Page and Page Information plugins are uninstalled.

  4. If you are using the Label Tools or Notifications dependent plugins, then you can re-enable those.

If you encounter any issues that aren’t resolved by the above steps, please do not hesitate to contact us via our Support Portal.

For further details about the upgrade path for different environments, read on.

Users Without Dependent Plugins

If you do not have any dependent plugins installed at all (Create Page, Page Information, Label Tools, or Notifications), this update should not require any action from you. However, we encourage you to give Create Page and Page Information a try! Both macros were useful plugins on their own, and they’ll make a nice new addition to your macro portfolio.

If you would prefer not to have these macros, they can be disabled just like any other script macro from the Script Macros administration page.

Users With Create Page or Page Information Plugins Already Installed

If you currently have either the Create Page plugin or the Page Information plugin installed, you should be able to install this release without issues. You can see what apps you currently have installed via Confluence’s Manage Add-ons page.

The old Create Page plugin and Page Information plugins are still installed after you upgrade, but they should be disabled.

You should uninstall them immediately after upgrading.

Once the old plugins are uninstalled, existing uses of the Create Page and Page Information macros in your Confluence pages will continue to work as normal. This has been confirmed through backward compatibility testing, including in the Confluence instance where we use these macros.

Users With Dependent Plugins Besides Create Page and Page Information

The Label Tools plugin will need to be updated to work with this version of ScriptRunner for Confluence.

The latest releases of both Label Tools and Notifications should be compatible with this release of ScriptRunner for Confluence.

The current plan is to merge the Label Tools plugin into ScriptRunner for Confluence next. We do not have a firm release date, but it will be announced in the release notes as usual.

The Notifications plugin is under evaluation to determine if the plugin’s functionality should be merged as is or if building on ScriptRunner for Confluence’s features and providing a migration path would be best.

Ability to Limit Which confluence-administrators Groups Can Edit ScriptRunner Scripts

You can now configure which groups with Confluence Administrator permissions can create or edit scripts. For more information, see the documentation.

Fix for SRPLAT-560 - Occasional NoClassDefFound with @WithPlugin compilation customizer

Dynamically adding and removing plugin classloaders was found to be impractical and unreliable due to lack of control over classloader caches.

The behavior has changed so that when any @WithPlugin annotation is detected, the classloader from the selected plugin(s) is available to all scripts. This is true when using @WithPlugin or not in subsequent script executions. This change does not affect performance as the system classloaders are first in the classloader order.

Continue to add @WithPlugin to any scripts that use classes from other plugins. Without this, after a restart, successful script compiling will be dependent on the order of execution. Static type checking will show errors if you forget to use @WithPlugin.

Other New Features

  • SRCONF-763 - Bulk Delete Attachments now deletes old attachments

  • SRCONF-730 - A built-in script that clears the Groovy Classloader was added

  • Manage your .groovy script files using the new ScriptRunner Script Editor

Bug Fixes

  • SRPLAT-715 - The use of class autocompletion with an as cast operation was fixed.

  • SRPLAT-712 - An exception thrown by getting docs on a variable no longer occurs.

  • SRPLAT-709 - The fragment finder context variables overlay was added.

  • SRPLAT-703 - The missing Idea Integration icon was added back to code editors.

  • SRCONF-835 - Create Page was fixed to work with the browser Back button.

  • SRCONF-830 - After upgrade, the Create Page macro caused StaleStateException on Confluence instances using MySQL.

  • SRCONF-802 - The Mugshot Gallery macro did not work for all authenticated users.

  • SRCONF-776 - All Confluence features with a code editor were fixed to abide by script edit permissions.

  • SRCONF-770 - Script Console was fixed to not appear for users without script edit permissions.

  • SRCONF-750 - The Browse Page link was fixed not to appear when it was not enabled.

  • SRCONF-575 - Old event listeners were not removed when scripts were updated.

  • SRCONF-435 - CQL did not run when editing the script job.

  • SRCONF-728 - Data from existing macros in the old plugin was handled in the plugin migration to ScriptRunner for Confluence

  • SRCONF-670 - The Create Page macro was migrated to ScriptRunner for Confluence
