5.6.x
5.6.16
- Released 18 Feb 2020
Updates
Critical Security Vulnerabilities Fixed
This release fixes critical security vulnerabilities around the Space Admin Built-In scripts for ScriptRunner for Confluence. See SRCONF-1097 for details about the vulnerability.
Temporary Workaround
If you are unable to upgrade immediately, blocking HTTP requests beginning with <base_url>/rest/scriptrunner-confluence/*/space_admin/ mitigates the vulnerability.
To verify the workaround is applied correctly, check that requests to <base_url>/rest/scriptrunner-confluence/*/space_admin/ are denied.
Below are examples of how to apply the workaround in Apache and Tomcat by blocking requests to the ScriptRunner Remote Events endpoint at the reverse proxy, load-balancer or application server level.
Please note that Adaptavist Support does not provide any assistance for configuring reverse proxies. Consequently, we provide the below examples as is, with no support and no written or implied warranties.
Apache HTTPD Reverse Proxy
Apache 2.4 Syntax
Add the following into the .conf file containing the virtualhost that proxies to the Atlassian application.

<LocationMatch "/rest/scriptrunner-confluence/.*/space_admin/.*">
    Require all denied
</LocationMatch>

Example:

<VirtualHost *:80>
    ServerName confluence.example.com
    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
        Require all granted
    </Proxy>
    ProxyPass /confluence http://ipaddress:8080/confluence
    ProxyPassReverse /confluence http://ipaddress:8080/confluence
    <LocationMatch "/rest/scriptrunner-confluence/.*/space_admin/.*">
        Require all denied
    </LocationMatch>
</VirtualHost>
Apache 2.2 Syntax
Add the following into the .conf file containing the virtualhost that proxies to the Atlassian application:

<LocationMatch "/rest/scriptrunner-confluence/.*/space_admin/.*">
    Order Allow,Deny
    Deny from all
</LocationMatch>

Example:

<VirtualHost *:80>
    ServerName confluence.example.com
    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
        # Apache 2.2 access control ("Require all granted" is 2.4 syntax)
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass /confluence http://ipaddress:8080/confluence
    ProxyPassReverse /confluence http://ipaddress:8080/confluence
    <LocationMatch "/rest/scriptrunner-confluence/.*/space_admin/.*">
        Order Allow,Deny
        Deny from all
    </LocationMatch>
</VirtualHost>
Tomcat urlrewrite.xml
Redirect requests to /rest/scriptrunner-confluence/.*/space_admin/.* to a safe URL.
1. Add the following to the <urlrewrite> section of [confluence-installation-directory]/atlassian-confluence/WEB-INF/urlrewrite.xml:

<rule>
    <from>/rest/scriptrunner-confluence/.*/space_admin/.*</from>
    <to type="temporary-redirect">/</to>
</rule>

2. Save the urlrewrite.xml.
3. Restart the Atlassian application.
Known Issues
SPLAT-948 - Conditions on Script Fragments will be hidden from the UI
Bug Fixes
SRCONF-1094 - Error when running Bulk Delete Attachments script as Space Admin
SRCONF-1093 - Error when running Bulk Delete Comments script as Space Admin
SRCONF-1092 - Error when running Bulk Add/Remove Labels on One or More Pages script as Space Admin
SRCONF-1084 - Error when running Space Statistics as space admin
5.6.15
- Released 11 Feb 2020
Bug Fixes
SRPLAT-912 - Script Editor has been fixed
SRPLAT-566 - Browse Page now maintains search input focus
SRCONF-1026 - Space Statistics failed when the Space Key value was In
5.6.14
- Released 27 Jan 2020
Bug Fixes
SRPLAT-908 - A bug that prevented editing of previously configured script files has been fixed
SRCONF-1069 - A bug that prevented the Bulk Delete Attachments built-in script from respecting the minimum age has been fixed
5.6.13
- Released 22 Jan 2020
Updates
IntelliJ IDEA Plugin Deprecation
We are officially deprecating the IntelliJ IDEA plugin, also known as the Adaptavist Power Editor. ScriptRunner 5.6.13 contains the last bugfix we will ship for this feature, and 0.7.20 is the last release we will make on the JetBrains marketplace. Future support requests for this feature will be referred to this deprecation notice.
As can be seen from the review history on our JetBrains marketplace listing, we haven’t been consistently keeping up with JetBrains’s quarterly release schedule, due to prioritization constraints.
Reasons for the Change
Two key concerns motivated our decision to deprecate: the opportunity cost of developing the Adaptavist Power Editor and its overlap with other ScriptRunner features.
The IntelliJ IDEA platform is a rich, fast-moving one. Just about every release requires refactoring some part of our plugin’s codebase. As users of IntelliJ IDEA, we love this rapid development. However, it is a challenge to keep up with developing a secondary plugin that is not our core product, while also keeping an eye on the Atlassian release cycle. While IntelliJ IDEA was an interesting platform to expand into, it required more focus than we were able to give it.
Further, we are continuing to maintain and develop two other features which meet most of the needs met by the IntelliJ Plugin. These are the Code Editor and the scriptrunner-samples repository for local development.
The Code Editor provides smart completions, parameter hints, and javadoc lookup. While that’s nowhere near the feature set provided by IntelliJ IDEA, it does provide a rich development experience, one which we’d like to develop further. Most importantly, the Code Editor is up and running by default with no setup.
For users who want a deeper development experience and don’t mind some setup, developing a Script Plugin affords a fully featured IDE, git integration, the ability to save script configuration as code, and other developer tools.
With the addition of the Code Editor (with built-in autocompletion), and the new Script Editor (allowing users to save files in script roots), the Adaptavist Power Editor had a very niche user base with a very high maintenance burden. Although we had reservations about deprecating the IntelliJ IDEA integration due to feature loss in the short term, increased investment in the core ScriptRunner product is our priority.
Continuing to let the Adaptavist Power Editor lag with late compatibility updates wasn’t fair to our users, and we are committed to delivering more new features and improvements to the ScriptRunner product itself.
Ultimately, creating a plugin for IntelliJ IDEA was a valuable experiment. It taught us important lessons about providing a rich code editor that we still want to incorporate into the core Code Editor. We would love to hear from you which aspects you found most valuable. Please contact us through our support portal if there are features you would like to request for the Code Editor.
We are Dropping Support for Custom Macro Variables
As of this release, we will no longer be supporting or advertising the ability to extend our internal macro classes. Given that our macros weren’t initially designed as an external API with extendability in mind, we’ve decided that it would be irresponsible to continue promoting them as such. That being said, we will not be removing the ability to extend them entirely. It will absolutely still be possible to extend our built-in macros and make custom configurations with them.
To demonstrate, as of now, you can use the following steps to specify your own variables using the Create Page macro:
1. Navigate to your script root. The default is <Confluence>/home/scripts. Select Script Roots for more information.
2. Create the package com.onresolve.scriptrunner.canned.confluence.macros in your script root.
3. Navigate to the package you just created and create a new groovy class CreatePageMacroModified.groovy inside the macros folder. This extends the old class and overrides the setCustomVariables() method. Using a descriptive class name is recommended.
4. Populate the class:

package com.onresolve.scriptrunner.canned.confluence.macros

import com.atlassian.confluence.core.ContentPropertyManager
import com.atlassian.confluence.pages.PageManager
import com.atlassian.confluence.pages.templates.PageTemplateManager
import com.atlassian.confluence.security.PermissionManager
import com.atlassian.confluence.setup.settings.SettingsManager
import com.atlassian.confluence.spaces.SpaceManager
import com.atlassian.confluence.util.i18n.I18NBeanFactory
import com.atlassian.renderer.v2.SubRenderer
import com.atlassian.sal.api.component.ComponentLocator

import javax.inject.Inject
import java.time.Instant

/**
 * Overrides custom variables in the Create Page Macro to specify new variable behaviour
 */
class CreatePageMacroModified extends CreatePageMacro {

    @Inject
    CreatePageMacroModified(
        PageManager pageManager,
        SpaceManager spaceManager,
        PageTemplateManager pageTemplateManager,
        SettingsManager settingsManager,
        ContentPropertyManager contentPropertyManager) {
        // Components not injected into this constructor are looked up directly
        super(ComponentLocator.getComponent(I18NBeanFactory),
            pageManager,
            spaceManager,
            pageTemplateManager,
            ComponentLocator.getComponent(PermissionManager),
            ComponentLocator.getComponent(SubRenderer),
            settingsManager,
            contentPropertyManager)
    }

    @Override
    protected Map<String, String> setCustomVariables() {
        // Keys are the variable names as written in the template, including the leading $
        Map<String, String> customVariables = new HashMap<>()
        customVariables.put("\$myVariable", "This is my custom variable")
        customVariables.put("\$epoch", String.valueOf(Instant.now().toEpochMilli()))
        return customVariables
    }
}

It’s important to note that the constructors for each of our built-in macros are subject to change without notice. There is no guarantee that this code will work in the future in the event that we decide to make changes to these classes.
5. Disable the old macro in the Script Macros section in Confluence Administration.
6. Finally, enable the new macro in the Script Macros section in Confluence Administration.
Bug Fixes
SRPLAT-830 - IntelliJ Integration, which was broken in 5.6.6 and beyond, is now fixed
SRCONF-1016 - Macro Overrides had incorrect constructors
SRCONF-1068 - The Script fragments page has been updated with Browse functionality
SRCONF-1056 - The Jobs page has been updated with Browse functionality
5.6.12
- Released 22 Jan 2020
Updates
ScriptRunner Remote Events Code Execution Vulnerability
An HTTP POST made to /rest/scriptrunner/latest/remote-events with a specially crafted JSON payload could lead to unrestricted Groovy code execution for any logged-in user, regardless of permissions.
This security vulnerability has been fixed in ScriptRunner 5.6.12; it is recommended all customers upgrade to 5.6.12+ where possible.
If no firewall is enabled, users must update ScriptRunner to include this security patch.
Temporary Workaround
If you are unable to upgrade immediately, blocking HTTP requests beginning with <base_url>rest/scriptrunner/*/remote-events mitigates the vulnerability.
To verify the workaround is applied correctly, check that requests to <base_url>rest/scriptrunner/*/remote-events/ are denied.
Below are examples of how to apply the workaround in Apache and Tomcat by blocking requests to the ScriptRunner Remote Events endpoint at the reverse proxy, load-balancer or application server level.
Please note that Adaptavist Support does not provide any assistance for configuring reverse proxies. Consequently, we provide the below examples as is, with no support and no written or implied warranties.
Apache HTTPD Reverse Proxy
Apache 2.4 Syntax
Add the following into the .conf file containing the virtualhost that proxies to the Atlassian application.

# No trailing slash after remote-events, so the endpoint path itself
# (/rest/scriptrunner/latest/remote-events) is matched as well
<LocationMatch "/rest/scriptrunner/.*/remote-events">
    Require all denied
</LocationMatch>

Example:

<VirtualHost *:80>
    ServerName jira.example.com
    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
        Require all granted
    </Proxy>
    ProxyPass /jira http://ipaddress:8080/jira
    ProxyPassReverse /jira http://ipaddress:8080/jira
    <LocationMatch "/rest/scriptrunner/.*/remote-events">
        Require all denied
    </LocationMatch>
</VirtualHost>
Apache 2.2 Syntax
Add the following into the .conf file containing the virtualhost that proxies to the Atlassian application:

# No trailing slash after remote-events, so the endpoint path itself
# (/rest/scriptrunner/latest/remote-events) is matched as well
<LocationMatch "/rest/scriptrunner/.*/remote-events">
    Order Allow,Deny
    Deny from all
</LocationMatch>

Example:

<VirtualHost *:80>
    ServerName jira.example.com
    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
        # Apache 2.2 access control ("Require all granted" is 2.4 syntax)
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass /jira http://ipaddress:8080/jira
    ProxyPassReverse /jira http://ipaddress:8080/jira
    <LocationMatch "/rest/scriptrunner/.*/remote-events">
        Order Allow,Deny
        Deny from all
    </LocationMatch>
</VirtualHost>
Tomcat urlrewrite.xml
Redirect requests to /rest/scriptrunner/.*/remote-events.* to a safe URL.
1. Add the following to the <urlrewrite> section of [jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:

<rule>
    <!-- No slash required after remote-events, so the endpoint path itself is matched as well -->
    <from>/rest/scriptrunner/.*/remote-events.*</from>
    <to type="temporary-redirect">/</to>
</rule>

2. Save the urlrewrite.xml.
3. Restart the Atlassian application.
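The verification step asked for in the 5.6.16 and 5.6.12 workarounds above, written out as an added example (not Adaptavist code). It sends body-less GET requests to the blocked paths and reports whether the proxy or urlrewrite rule answered. The names PROBE_PATHS, classify, probe, verify and unblocked are hypothetical, "latest" is assumed for the version wildcard, and the application itself is assumed not to answer these paths with 403.

```python
import http.client
from urllib.parse import urlsplit

# Endpoint paths named in the 5.6.16 and 5.6.12 notices. "latest" stands in
# for the version wildcard (*); remote-events is probed with and without a
# trailing slash because the blocking rule must cover both forms.
PROBE_PATHS = (
    "/rest/scriptrunner-confluence/latest/space_admin/",
    "/rest/scriptrunner/latest/remote-events",
    "/rest/scriptrunner/latest/remote-events/",
)
REDIRECTS = (301, 302, 303, 307, 308)


def classify(status, location, context_path=""):
    """Decide whether a response shows that the blocking rule took effect.

    403 is what the Apache rules return. The Tomcat urlrewrite rule redirects
    to "/"; a redirect anywhere else (for example to a login page) means the
    request reached the application.
    """
    if status == 403:
        return "denied"
    if status in REDIRECTS and location is not None:
        target = urlsplit(location).path or "/"
        if target in ("/", context_path.rstrip("/") + "/"):
            return "redirected-to-root"
    return "not-blocked"


def probe(base_url, path, timeout=5.0):
    """Send one body-less GET, without following redirects, and classify it."""
    base = urlsplit(base_url)
    conn_type = (http.client.HTTPSConnection if base.scheme == "https"
                 else http.client.HTTPConnection)
    conn = conn_type(base.hostname, base.port, timeout=timeout)
    try:
        conn.request("GET", base.path.rstrip("/") + path)
        resp = conn.getresponse()
        resp.read()
        return classify(resp.status, resp.getheader("Location"), base.path)
    finally:
        conn.close()


def verify(base_url, paths=PROBE_PATHS):
    """Return {path: verdict} for every probed path."""
    return {path: probe(base_url, path) for path in paths}


def unblocked(results):
    """List the probed paths on which the workaround is not in effect."""
    return sorted(p for p, verdict in results.items() if verdict == "not-blocked")


if __name__ == "__main__":
    import sys
    results = verify(sys.argv[1])  # e.g. https://confluence.example.com/confluence
    for path, verdict in results.items():
        print(f"{verdict:18} {path}")
    sys.exit(1 if unblocked(results) else 0)
```

Run it against the public base URL so that the requests pass through the proxy carrying the rule; exit status 1 means at least one path still reaches the application.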
5.6.11
- Released 09 Jan 2020
New Features
Folder Support in Script Editor
You can now use the Context menu to create new folders in the script root directory.
Script Editor also supports the creation of nested folders; just separate them using the / character.
Folders (and files) can be moved around the file tree using drag-and-drop.
Deletion Support in Script Editor
You can now remove files and folders directly from the Script Editor UI. Just right-click on the file or folder you want to remove and select Delete from the Context menu.
Renaming Support in Script Editor
You can now rename files and folders using the context menu option Rename, which is available on each node in Script Editor.
Execution History
Execution History was added to Search Extractors and Custom CQL Functions.
You can use Execution History to view up to two years of execution times and failure rates of ScriptRunner scripts in your instance, allowing a long-term view of script performance.
Breaking Change to Internal API
An internal API, the CQLSearchUtils class, has been changed to use dependency injection. This should be invisible to most users, but if you have a custom script using the CQLSearchUtils class, you will need to change how you retrieve and use it.
In prior versions of ScriptRunner for Confluence, you could use CQLSearchUtils to get pages using a static method:

import com.onresolve.scriptrunner.canned.confluence.utils.CQLSearchUtils

def cqlQuery = 'space = KEY' // some CQL query
def pages = CQLSearchUtils.searchForContent(cqlQuery)

Now, you need to retrieve it as a Spring bean.

import com.onresolve.scriptrunner.canned.confluence.utils.CQLSearchUtils
import com.onresolve.scriptrunner.runner.ScriptRunnerImpl

// Look up the CQLSearchUtils bean instead of calling a static method
def cqlSearchUtils = ScriptRunnerImpl.scriptRunner.getBean(CQLSearchUtils)
def cqlQuery = 'space = KEY' // some CQL query
def pages = cqlSearchUtils.searchForContent(cqlQuery)
Bug Fixes
SRPLAT-873 - Settings could have been null, which caused NPE in various locations
SRPLAT-864 - An invalid object name, null.AO_31728E_SR_USER_PROP, was added when the plugin was run against an instance running on MS SQL Server
SRCONF-942 - Execution History was added to Search Extractors
SRCONF-941 - Execution History was added to Custom CQL Functions
SRCONF-999 - Browse features were removed from Advanced Space Functionality
5.6.9
- Released 12 Dec 2019
Bug Fixes
SRPLAT-670 - An exception was generated when adding or removing an event in the Events field on the Custom Event Listener screen.
SRCONF-943 - Selecting the Advanced Space Functionality option while on version 5.6.6 caused high CPU loads and, in some cases, the page did not load.
5.6.8
- Released 27 Nov 2019
New Features
Browse Page Update
ScriptRunner for Confluence Browse page concepts are now on the Event Listeners, Script Macros, and Built-In Scripts pages. You can now search all ScriptRunner functionality, like you can on the Browse page, using the search bar on each page.
Custom Macros Documentation Update
Security vulnerabilities involving custom macros are explained in the Security and Best Practices documentation. Additionally, code samples in the Custom Macros documentation were updated to show more secure code.
Bug Fixes
SRPLAT-836 - ScriptRunner did not clean up MultiParentClassLoader on plugin-enabled events
5.6.7
- Released 11 Nov 2019
New Features
Label Tools Macros are Now Native Features of ScriptRunner for Confluence
Previously the Add Label macro and Choose Label macro were housed in their own plugin (Label Tools), which depended on ScriptRunner.
In this release, Label Tools has been merged into ScriptRunner for Confluence to reduce your maintenance burden and speed up the release cycle for all ScriptRunner features.
Upgrade Path
The upgrade path may be more or less complicated, depending on which version of ScriptRunner you currently have installed and which of the old dependent plugins you have installed, if any.
Most likely, you can simply install ScriptRunner for Confluence 5.6.7, uninstall the old Label Tools plugin (if you have it), and be done. If you encounter problems, read on.
Troubleshooting the Upgrade
If something goes wrong while you’re upgrading, try these steps:
Disable ScriptRunner and all dependent plugins.
Enable ScriptRunner for Confluence 5.6.7.
Uninstall all of the old Label Tools, Create Page, and Page Information plugins.
If you are using the Notifications dependent plugin, then you can re-enable it.
If you encounter any issues that aren’t resolved by the above steps, please do not hesitate to contact us via our Support Portal.
For further details about the upgrade path for different environments, read on.
For Users Without Any Dependent Plugins
If you do not have any dependent plugins installed at all (Create Page, Page Information, Label Tools, or Notifications), this update should not require any action from you other than installation. That said, we encourage you to give the Choose Label macro and the Add Label macro a try! Both macros were useful in their standalone plugin, and they’ll make nice additions to your macro portfolio now that they are part of ScriptRunner for Confluence.
If you would prefer not to have either of these macros, they can be disabled just like any other script macro from the Script Macros administration page.
Bug Fixes
SRPLAT-774 - There was a MissingPropertyException in subclasses of AbstractBaseRestEndpoint when accessing the log field
SRPLAT-773 - YAML files were not auto-deploying saved script configurations in custom plugin jars
SRCONF-835 - The browser Back button on the Create Page macro screen was fixed
SRCONF-508 - Log output was not consistent in the Logs tab of the Script Console screen
5.6.6
- Released 28 Oct 2019
New Features
Create Page and Page Information Macros Are Now Native Features of ScriptRunner for Confluence
Previously the Create Page macro and Page Info macro were housed in their own plugins, and the plugins depended on ScriptRunner. The two plugins have been merged into ScriptRunner for Confluence to reduce your maintenance burden and speed up the release cycle for all ScriptRunner features.
Upgrade Path
The upgrade path may be more or less complicated, depending on which of the dependent plugins you have installed, if any.
Troubleshooting Upgrades
If something goes wrong while you’re upgrading, try these steps:
Disable ScriptRunner and all dependent plugins.
Enable ScriptRunner for Confluence 5.6.4.
Make sure the old Create Page and Page Information plugins are uninstalled.
If you are using the Label Tools or Notifications dependent plugins, then you can re-enable those.
If you encounter any issues that aren’t resolved by the above steps, please do not hesitate to contact us via our Support Portal.
For further details about the upgrade path for different environments, read on.
Users Without Dependent Plugins
If you do not have any dependent plugins installed at all (Create Page, Page Information, Label Tools, or Notifications), this update should not require any action from you. However, we encourage you to give Create Page and Page Information a try! Both macros were useful plugins on their own, and they’ll make a nice new addition to your macro portfolio.
If you would prefer not to have these macros, they can be disabled just like any other script macro from the Script Macros administration page.
Users With Create Page or Page Information Plugins Already Installed
If you currently have either the Create Page plugin or the Page Information plugin installed, you should be able to install this release without issues. You can see what apps you currently have installed via Confluence’s Manage Add-ons page.
The old Create Page plugin and Page Information plugins are still installed after you upgrade, but they should be disabled.
You should uninstall them immediately after upgrading.
Once the old plugins are uninstalled, existing uses of the Create Page and Page Information macros in your Confluence pages will continue to work as normal. This has been confirmed through backward compatibility testing, including in the Confluence instance where we use these macros.
Users With Dependent Plugins Besides Create Page and Page Information
The Label Tools plugin will need to be updated to work with this version of ScriptRunner for Confluence.
The latest releases of both Label Tools and Notifications should be compatible with this release of ScriptRunner for Confluence.
The current plan is to merge the Label Tools plugin into ScriptRunner for Confluence next. We do not have a firm release date, but it will be announced in the release notes as usual.
The Notifications plugin is under evaluation to determine if the plugin’s functionality should be merged as is or if building on ScriptRunner for Confluence’s features and providing a migration path would be best.
Ability to Limit Which confluence-administrators Groups Can Edit ScriptRunner Scripts
You can now configure which groups with Confluence Administrator permissions can create or edit scripts. For more information, see the documentation.
Fix for SRPLAT-560 - Occasional NoClassDefFound with @WithPlugin compilation customizer
Dynamically adding and removing plugin classloaders was found to be impractical and unreliable due to lack of control over classloader caches.
The behavior has changed so that when any @WithPlugin annotation is detected, the classloader from the selected plugin(s) is available to all scripts. This is true whether or not subsequent script executions use @WithPlugin. This change does not affect performance as the system classloaders are first in the classloader order.
Continue to add @WithPlugin to any scripts that use classes from other plugins. Without this, after a restart, successful script compiling will be dependent on the order of execution. Static type checking will show errors if you forget to use @WithPlugin.
Other New Features
SRCONF-763 - Bulk Delete Attachments now deletes old attachments
SRCONF-730 - A built-in script that clears the Groovy Classloader was added
Manage your .groovy script files using the new ScriptRunner Script Editor
Bug Fixes
SRPLAT-715 - The use of class autocompletion with an as cast operation was fixed.
SRPLAT-712 - An exception thrown by getting docs on a variable no longer occurs.
SRPLAT-709 - The fragment finder context variables overlay was added.
SRPLAT-703 - The missing Idea Integration icon was added back to code editors.
SRCONF-835 - Create Page was fixed to work with the browser Back button.
SRCONF-830 - After upgrade, the Create Page macro caused StaleStateException on Confluence instances using MySQL.
SRCONF-802 - The Mugshot Gallery macro did not work for all authenticated users.
SRCONF-776 - All Confluence features with a code editor were fixed to abide by script edit permissions.
SRCONF-770 - Script Console was fixed to not appear for users without script edit permissions.
SRCONF-750 - The Browse Page link was fixed not to appear when it was not enabled.
SRCONF-575 - Old event listeners were not removed when scripts were updated.
SRCONF-435 - CQL did not run when editing the script job.
SRCONF-728 - Data from existing macros in the old plugin was handled in the plugin migration to ScriptRunner for Confluence
SRCONF-670 - The Create Page macro was migrated to ScriptRunner for Confluence