Note

      The behaviour described in this issue is as intended as we've restricted the velocity render modules that can be used by User Macros out of the box. Previously the modules that User Macros could access were entirely unrestricted, which presented a potential information disclosure risk. To address this risk, we introduced allow listing of modules for User Macros.

      This change resulted in the issue detailed here. In response, we've improved the User Macro Administration interface to list modules that are used but have not been added to the allow list. Modules should be added to the allow list sparingly to give the least required access possible. Administrators should carefully review what modules are added to ensure usage is in line with their expectations.

      More information on the allow listing and modules available can be found at Confluence objects accessible from Velocity.

      Again, we recommend against allow listing all velocity modules. As such I've removed the previously provided workaround that did just this.

      The fix for this bug has been released to our Long Term Support release.

      The fix for this bug is now available in the latest release of Confluence 7.13 and 7.19.

      Problem

      Inserting a User Macro with variables in a Confluence page results in the variables being displayed as is and not substituted with their values.

      Environment

      Confluence v7.19.7
      Postgres 13
      OS: Linux

      Steps to Reproduce

      1. Login as admin
      2. Define a new User Macro with the below template code:
        ## @noparams
        #set($userDetailsManager = $containerContext.getComponent('userDetailsManager'))
        
        #set( $user = $action.remoteUser)
        <h1>
        Hello $req.userPrincipal.name</h1>
        <br />
        Hello $action.remoteUser.name
        <br />
        Hello $user.name
        
        <pre>
        $action.authenticatedUser.name
        $action.authenticatedUser.fullName
        $action.authenticatedUser.key
        $action.dateFormatter.formatGivenString("yyyy-MM-dd", $content.getCreationDate())
        
        </pre>
        
      3. Set Macro Body Processing to Rendered
      4. Create a new page and add the macro created above.
      5. Save the page

      Expected Results

      Variables in the macro are resolved.

      Actual Results

      Macro displays as shown below:

      Workaround

      Please review the User Macro administration interface and the documentation at Confluence objects accessible from Velocity to determine what modules should be allow listed.

      Modules can be added using the system property below

      -Dmacro.required.velocity.context.keys=comma,seperated,key,values
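
An added example (not Atlassian's code): a small Python audit helper that lists the top-level Velocity context keys a user macro template reads but does not define itself, so that only those keys are considered for the allow list. It assumes the property takes bare key names without the `$` prefix; the function names and the `approved` set are hypothetical.

```python
import re

# Template from the "Steps to Reproduce" section above (blank lines dropped).
TEMPLATE = """\
## @noparams
#set($userDetailsManager = $containerContext.getComponent('userDetailsManager'))
#set( $user = $action.remoteUser)
<h1>Hello $req.userPrincipal.name</h1>
Hello $action.remoteUser.name
Hello $user.name
<pre>
$action.authenticatedUser.name
$action.dateFormatter.formatGivenString("yyyy-MM-dd", $content.getCreationDate())
</pre>
"""

NAME = r"([A-Za-z_][A-Za-z0-9_-]*)"
# Root of a Velocity reference: $name, $!name, ${name}; a leading backslash escapes it.
REFERENCE = re.compile(r"(?<!\\)\$!?\{?" + NAME)
# Variables the template defines itself via #set( $x = ... ) or #foreach( $x in ... ).
LOCAL = re.compile(r"#(?:set|foreach)\s*\(\s*\$!?\{?" + NAME + r"\}?\s*(?:=|in\b)")


def strip_comments(template):
    """Drop #* block *# and ## line comments so commented-out code is ignored."""
    template = re.sub(r"#\*.*?\*#", "", template, flags=re.S)
    return re.sub(r"##.*", "", template)


def required_context_keys(template):
    """Context keys the template reads but does not define itself."""
    body = strip_comments(template)
    return sorted(set(REFERENCE.findall(body)) - set(LOCAL.findall(body)))


def unreviewed_keys(template, approved):
    """Keys still needing an administrator's decision; `approved` is hypothetical."""
    return [k for k in required_context_keys(template) if k not in approved]


def property_value(keys):
    """Render the JVM flag from the Workaround (assumes bare names, no '$')."""
    return "-Dmacro.required.velocity.context.keys=" + ",".join(sorted(keys))


if __name__ == "__main__":
    print(required_context_keys(TEMPLATE))
    # containerContext exposes getComponent(), so it deserves the closest review.
    print(unreviewed_keys(TEMPLATE, approved={"action", "req"}))
```

Run it over each user macro template and compare the output with what the User Macro administration interface reports before adding any key to the property.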
      

            [CONFSERVER-82741] Variables in user macro are not resolved

            Jeffery Xie added a comment - Hi 1e2a5edf11c0 , Can you please raise a support ticket with necessary information, so that we can use it to understand the root cause of your issue. Thanks

            Lucia Valenzise added a comment - This problem persists in version 9.2.1

            Cornelius Gillner added a comment - bfaaa9e76d03 This is not a problem but expected behavior for security reasons. Does the workaround (aka. fix) not work anymore in 8.5.18? It still does work in the latest v9 LTS.

            Eva van Dyk added a comment - This problem persists in version 8.5.18 

            Jeffery Xie added a comment - Hi 330d06edb75b , Sorry to hear that you’re still experiencing this issue on version 8.5.16. Could you please raise a support ticket with detailed information about the problem? This will help us investigate further and identify the root cause. Thank you for your cooperation!

            Alle Admins added a comment - - edited The issue still persists in Confluence 8.5.16 (LTS). Please reopen this issue.

              5339cdd01cf4 Jeffery Xie
              63948a2d3746 Marco Salvi