-
Bug
-
Resolution: Fixed
-
Highest
-
8.2.0, 7.13.15, 7.19.7, 7.19.8, 8.1.3, 8.1.4, 8.5.6
-
35
-
Severity 2 - Major
-
868
-
The behaviour described in this issue is as intended as we've restricted the velocity render modules that can be used by User Macros out of the box. Previously the modules that User Macros could access were entirely unrestricted, which presented a potential information disclosure risk. To address this risk, we introduced allow listing of modules for User Macros.
This change resulted in the issue detailed here. In response, we've improved the User Macro Administration interface to list modules that are used but have not been added to the allow list. Modules should be added to the sparingly to give the least required access possible. Administrators should carefully review what modules are added to ensure usage is in line with their expectations.
More information on the allow listing and modules available can be found at Confluence objects accessible from Velocity.
Again, we recommend against allow listing all velocity modules. As such I've removed the previously provided workaround that did just this.
The fix for this bug has been released to our Long Term Support release.
The fix for this bug is now available in the latest release of Confluence 7.13 and 7.19
Problem
Inserting a User Macro with variables in a Confluence page results in the variables to be displayed as it and not substituted with their values.
Environment
Confluence v7.19.7
Postgres 13
OS: Linux
Steps to Reproduce
- Login as admin
- Define a new User Macro with the below template code:
## @noparams #set($userDetailsManager = $containerContext.getComponent('userDetailsManager')) #set( $user = $action.remoteUser) <h1> Hello $req.userPrincipal.name</h1> <br /> Hello $action.remoteUser.name <br /> Hello $user.name <pre> $action.authenticatedUser.name $action.authenticatedUser.fullName $action.authenticatedUser.key $action.dateFormatter.formatGivenString("yyyy-MM-dd", $content.getCreationDate()) </pre>
- Set Macro Body Processing to Rendered
- Create a new page and add the macro created above.
- Save the page
Expected Results
(Add expected results for current action)
Variables in the macro are resolved.
Actual Results
(Add actual results for current action)
Macro displays as shown below:
Workaround
Please review the User Macro administration interface and the documentation at Confluence objects accessible from Velocity to determine what modules should be allow listed.
Modules can be added using the system property below
-Dmacro.required.velocity.context.keys=comma,seperated,key,values
- is related to
-
-
- Closed
-
- relates to
-
-
- Closed
-
-
-
- Gathering Impact
-
- was cloned as
-
-
- Closed
-
- mentioned in
-
Page Failed to load
-
Page Loading...
-
-
-
-
-
-
-
-
-
-
-
-
-
-
[CONFSERVER-82741] Variables in user macro are not resolved
bfaaa9e76d03 This is not a problem but expected behavior for security reasons. Does the workaorund (aka. fix) not work anymore in 8.5.18? It still does work in the latest v9 LTS.
Hi 330d06edb75b ,
Sorry to hear that you’re still experiencing this issue on version 8.5.16. Could you please raise a support ticket with detailed information about the problem? This will help us investigate further and identify the root cause. Thank you for your cooperation!
The issue still persists in Confluence 8.5.16 (LTS). Please reopen this issue.
By adding the Dmacro.required porperty I got it working in Confluence 8. Is it broken again in Confluence 9? It does not work for me in Confluence 9. Any suggestions?
Hi f4cb74b5c51b,
Solid plan on prioritising availability here.
In this case, we (including Atlassian Security) are really working on a Principle of Least Privilege approach. That's the basis upon which this security improvement was implemented. Unfortunately it was made much more impactful by a break down in our process that meant it wasn't handled the with delicacy expected of a breaking change.
All of the available classes/methods are documented at Confluence objects accessible from Velocity so that you can review what is exposed and if that's inline with your expectation (the apparent part).
I don't think there are any inherently dangerous things we're not mentioning here, just attempting to follow good security practices.
Hopefully this helps.
Thanks,
James Ponting
Engineering Manager - Confluence Data Center
In the User Macros section, Confluence tells you which contexts are required for each macro.
jponting said
As part of improving the security stance of Confluence, we've added restrictions to what contexts (and by extension variables) can be used by default, as access to this tooling can expose a lot of information that may not be apparent to admins at first glance.... Confluence Administrators will need to explicitly allow permission to the contexts...
We have some user macros that filled gaps in Confluence functionality and as part of deploying an upgrade to address CVE-2023-22518 the side effect is that's busted a bunch of those user macros. We're obviously not going to downgrade because of the critical CVE, so we'll somewhat blindly re-enable all the contexts as quickly as we can to get a working system again (recognising the A in the "CIA" pillars of security).
Ideally we'd want to work out what it is that is so potentially bad that someone in Atlassian felt security stance warranted this non-backwards compatible approach to rolling out the change, and validate that what we've enabled makes sense in the context of how/where/why we're using Confluence. And to do that it would help if there was some examples of the not apparent at first glance sort of content that might be unintentionally exposed.
I appreciate perhaps you don't want to disclose this in a public system (especially as the initial workaround when this initially shipped was to whack system variables in that re-enabled every context, effectively undoing the "secured by default" code changes), but would these sort of examples be something that could be shared via a support request?
Hi 1e2a5edf11c0 ,
Can you please raise a support ticket with necessary information, so that we can use to understand the root cause of your issue. Thanks