- Released 13 Aug 2019
Critical Security Update
This release fixes a security vulnerability discovered in ScriptRunner for Confluence. The vulnerability affects versions 4.3.1 to 5.5.8 (inclusive) of ScriptRunner for Confluence.
The vulnerability is classified as critical in line with Atlassian’s Security Levels.
The Markdown macro in ScriptRunner for Confluence lets users render a Markdown document in a page, blog post or comment. The vulnerability is a Server Side Request Forgery (SSRF): an unauthorized user can make the Confluence server fetch a URL of their choosing, reaching internal resources accessible to the Confluence server, including files.
After you upgrade, a Confluence administrator will need to add the websites hosting approved Markdown documents to Confluence’s whitelist. Follow the detailed instructions in the Markdown Macro documentation on the whitelist.
How to Find URLs to Whitelist
The easiest way to find affected content is to do a quick search for which pages contain the Markdown Macro. ScriptRunner for Confluence makes this easy by adding a CQL Search feature right into Confluence’s main search.
To make use of it, start typing a search query and the search panel should pop out. Click Advanced Search.
On the search page, enter this query into the search box:
macro = markdown
…then click the CQL Search button. A list of pages with the Markdown Macro should appear.
From the search results, you can visit a page and edit it to see the URL used for that content.
You do not need to whitelist each individual URL. Confluence’s whitelist allows administrators to specify permitted domains or URL patterns. We recommend whitelisting https://bitbucket.com, https://raw.githubusercontent.com, and https://raw.github.com by default, as they will represent some of the most common use cases for this macro. All HTML produced by the Markdown Macro is sanitized to protect against cross-site scripting attacks, but you may use a more restrictive pattern such as at your discretion. Any linked Atlassian applications, such as a linked Bitbucket Server instance, will be whitelisted by default as well.
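The check a whitelist imposes, as an added stand-alone Groovy example that is not ScriptRunner's or Confluence's code: it contrasts the unrestricted fetch shape that makes the Markdown macro's SSRF possible (described under Critical Security Update above) with a fetch gated by a list of allowed hosts like the ones recommended in the paragraph above. The class and method names, the allow-list entries, the `*.suffix` pattern syntax and the sample URLs are all constructed for the example; Confluence's whitelist has its own matching types, and this code does not call it.

```groovy
// Added illustration, not ScriptRunner's or Confluence's code. Runs stand-alone
// with `groovy ssrf_allowlist.groovy`; isAllowed() never opens a connection, so
// the checks at the bottom work offline. Groovy auto-imports java.net.*.

// Vulnerable shape: whatever a page author typed into the macro is opened as-is.
// java.net.URL accepts file:, jar: and ftp: as well as http(s), and the request
// originates from the Confluence server, so file:///etc/passwd or
// http://10.0.0.5:8080/ is read with the server's access, not the author's.
String fetchUnrestricted(String rawUrl) {
    return new URL(rawUrl).text   // never do this with untrusted input
}

// Hardened shape: default deny; only http/https, no userinfo, host on the list,
// and the decision is made before any socket is opened.
class MarkdownSourcePolicy {
    // Entries are exact host names or "*.suffix" patterns (syntax assumed for
    // this example; Confluence's whitelist uses its own matching types).
    private final List<String> allowedHosts

    MarkdownSourcePolicy(List<String> allowedHosts) {
        this.allowedHosts = allowedHosts*.toLowerCase()
    }

    boolean isAllowed(String rawUrl) {
        URI uri
        try {
            uri = new URI(rawUrl)
        } catch (URISyntaxException ignored) {
            return false
        }
        String scheme = uri.scheme?.toLowerCase()
        if (!(scheme in ['http', 'https'])) {
            return false                      // rejects file:, ftp:, jar:, gopher:, ...
        }
        if (uri.rawUserInfo != null) {
            return false                      // https://raw.githubusercontent.com@10.0.0.5/
        }
        String host = uri.host?.toLowerCase()
        if (!host) {
            return false                      // file:///... and opaque URIs carry no host
        }
        return allowedHosts.any { String entry ->
            entry.startsWith('*.') ? host.endsWith(entry.substring(1)) : host == entry
        }
    }

    String fetch(String rawUrl) {
        if (!isAllowed(rawUrl)) {
            throw new SecurityException("URL is not on the Markdown allow-list: ${rawUrl}")
        }
        // Scheme is http(s) by now, so openConnection() yields an HttpURLConnection.
        HttpURLConnection conn = (HttpURLConnection) new URL(rawUrl).openConnection()
        conn.instanceFollowRedirects = false  // an allowed host could 302 to an internal one; re-check, never follow blindly
        conn.connectTimeout = 5000
        conn.readTimeout = 5000
        if (conn.responseCode != 200) {
            throw new IOException("Expected 200 from ${rawUrl}, got ${conn.responseCode}")
        }
        return conn.inputStream.getText('UTF-8')
    }
}

// Constructed sample: the first and last URLs are legitimate Markdown sources,
// the rest are the probes an SSRF attacker would try through the macro.
def policy = new MarkdownSourcePolicy(['raw.githubusercontent.com', '*.docs.example'])
assert policy.isAllowed('https://raw.githubusercontent.com/acme/handbook/master/README.md')
assert !policy.isAllowed('file:///etc/passwd')
assert !policy.isAllowed('ftp://fileserver.corp/notes.md')
assert !policy.isAllowed('http://169.254.169.254/latest/meta-data/')
assert !policy.isAllowed('https://raw.githubusercontent.com@10.0.0.5/')
assert !policy.isAllowed('https://raw.githubusercontent.com.attacker.example/')
assert !policy.isAllowed('https://docs.example/')           // suffix pattern needs a subdomain
assert policy.isAllowed('https://wiki.docs.example/guide.md')
println 'allow-list checks passed'
```

Two caveats the host check alone does not cover: `fetch()` refuses to follow redirects because an allowed host can answer with a 302 to an internal address, and a host name is not an address, so a deployment that must also resist DNS rebinding should resolve the name once, reject private and link-local ranges, and connect to the address it checked.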
Replacing File URLs
One of the use cases originally supported by the Markdown Macro was specifying file paths on the server or on remote FTP servers using URLs with the
As the Confluence whitelist only supports https URLs, supporting file-based URLs requires a workaround. To that end, we have documented how to set up a REST Endpoint to securely read files from the filesystem on the Confluence server (including network shares) or from remote FTP servers.
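One way to build the REST Endpoint workaround described above, as an added example written for this page rather than the endpoint in the Markdown Macro documentation: a ScriptRunner for Confluence custom REST endpoint that serves Markdown files from a single fixed directory on the Confluence server (the local-filesystem case only; FTP is not covered). The endpoint name `markdownFile`, the directory `/var/confluence/markdown`, the `confluence-users` group and the file-name pattern are assumptions. It uses ScriptRunner's `CustomEndpointDelegate` script DSL; the path handling is the point: normalise, confine to the root, and re-check the real path so that neither `../` segments nor symlinks escape it.

```groovy
// Added example, not the endpoint from the Markdown Macro documentation.
// ScriptRunner for Confluence custom REST endpoint: serves *.md files from one
// fixed directory on the Confluence server so the Markdown macro can use an
// https URL to this endpoint instead of a file:// URL. Assumptions: the
// directory, the endpoint name, the group, and the file-name pattern.

import com.onresolve.scriptrunner.runner.rest.common.CustomEndpointDelegate
import groovy.transform.BaseScript
import javax.ws.rs.core.MultivaluedMap
import javax.ws.rs.core.Response
import java.nio.file.Files
import java.nio.file.Path
import java.nio.file.Paths

@BaseScript CustomEndpointDelegate delegate

// Every file served must live under this directory (assumed location).
// toRealPath() resolves symlinks once so later real-path comparisons line up;
// it throws if the directory is missing, which fails closed at script load.
final Path MARKDOWN_ROOT = Paths.get('/var/confluence/markdown').toRealPath()

// Map a caller-supplied name to a file inside root, or null if it is not one.
// Kept free of Confluence APIs so it can be exercised in a plain Groovy test.
static Path resolveMarkdownFile(Path root, String name) {
    // 1. Syntactic allow-list: letters, digits, dot, underscore, dash, slash, ending in .md.
    if (!name || !(name ==~ /[A-Za-z0-9._\/-]+\.md/)) {
        return null
    }
    // 2. Confine lexically: "../../etc/passwd.md" normalises to outside root;
    //    an absolute name replaces root entirely in resolve() and also fails here.
    Path candidate = root.resolve(name).normalize()
    if (!candidate.startsWith(root)) {
        return null
    }
    // 3. Must be an existing regular file (no directories, no dangling links).
    if (!Files.isRegularFile(candidate)) {
        return null
    }
    // 4. Confine physically: a symlink inside root pointing outside it passes
    //    step 2, so compare the real path as well.
    if (!candidate.toRealPath().startsWith(root)) {
        return null
    }
    return candidate
}

// GET <base-url>/rest/scriptrunner/latest/custom/markdownFile?name=team/onboarding.md
markdownFile(httpMethod: 'GET', groups: ['confluence-users']) { MultivaluedMap queryParams, String body ->
    String name = queryParams.getFirst('name') as String
    Path file = resolveMarkdownFile(MARKDOWN_ROOT, name)
    if (file == null) {
        // Same answer for "bad name", "outside root" and "missing": do not let
        // callers map the filesystem by telling the cases apart.
        return Response.status(Response.Status.NOT_FOUND).type('text/plain').entity('no such document').build()
    }
    String markdown = new String(Files.readAllBytes(file), 'UTF-8')
    return Response.ok(markdown).type('text/plain; charset=utf-8').build()
}
```

With the endpoint installed, the macro's URL becomes the Confluence base URL followed by `/rest/scriptrunner/latest/custom/markdownFile?name=team/onboarding.md`, and that base URL must itself be allowed by the whitelist; check rather than assume that it is. Whether the macro's server-side fetch carries credentials that satisfy the `groups:` restriction depends on how the macro and the whitelist are configured in your instance, so test it: if the endpoint has to be reachable anonymously, the fixed root directory and the file-name pattern are the only controls, and that directory must contain nothing you would not publish to every reader.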
- Released 10 July 2019
- [SRCONF-397] - Lock-content macro: Error message when restricting a group in template
- [SRCONF-471] - Built-in macros not available to select
- Released 19 June 2019
- [SRCONF-708] - Javadoc lookup for Confluence
- [SRPLAT-96] - Custom event listeners should be able to listen to events provided by plugins
- [SRCONF-706] - ScriptRunner for Confluence + Comala Workflows
- [SRCONF-416] - Event Handler name consistency
- [SRCONF-704] - Custom script macro & Smart code editor
- [SRCONF-535] - To fix Currency Converter feature
- Released 15 May 2019
Anonymous Analytics collects data allowing Adaptavist to gain insight into ScriptRunner usage. A new settings option allows administrators to switch Anonymous Analytics on or off. See our documentation for more information.
This release includes our first version of code insight, a set of features designed to increase productivity, discovery and enjoyment when writing code in ScriptRunner.
This consists of code completions, parameter lookups, and javadoc links (javadoc links are currently available for Jira only).
Take a look at the documentation for more information.