Vulnerabilities and Security
Security concerns
Sometimes we get reports that ScriptRunner is insecure because, for instance, you can execute a command line program on the Confluence server using the Script Console.
The philosophy of ScriptRunner is to make programming tasks easy. You could write an app in Java, install it in Confluence, and have it execute a command line program, or you could do the same thing in a ScriptRunner script. Everything you can do in an app, you can therefore do in ScriptRunner; ScriptRunner does not grant any capability that an installed app does not already have. The relevant control is who is allowed to author and run scripts, which is what the permissions below govern.
Restricting scripting permissions
To upload an app, you need Confluence System administrator permission. By default, to author and/or run a ScriptRunner script, you must have Confluence administrator permissions.
Use the Enable System Admin Only Script Edit Permissions setting to restrict, by group, which Confluence administrators can edit scripts. When enabled, only members of groups that hold the Confluence System administrator permission can edit scripts; Confluence administrators without that permission can no longer do so.
For more details, check out the Permissions page.