Problem

      Inserting a User Macro that references Velocity variables into a Confluence page results in the variable names being displayed as-is, without their computed values being substituted.

      Environment

      Confluence v9.0.x

      Steps to Reproduce

      1. Log in as an administrator.
      2. Define a new User Macro with the following template code:

         ## @noparams
         #set($userDetailsManager = $containerContext.getComponent('userDetailsManager'))

         #set( $user = $action.remoteUser)
         <h1>
         Hello $req.userPrincipal.name</h1>
         <br />
         Hello $action.remoteUser.name
         <br />
         Hello $user.name

         <pre>
         $action.authenticatedUser.name
         $action.authenticatedUser.fullName
         $action.authenticatedUser.key
         $action.dateFormatter.formatGivenString("yyyy-MM-dd", $content.getCreationDate())

         </pre>

      3. Set Macro Body Processing to Rendered.
      4. Create a new page and add the macro created above.
      5. Save the page.

      Expected Results

      Variables in the macro are resolved and the page shows/renders variable values.

      Actual Results

      The macro displays the literal variable names instead of the resolved / rendered values.
      Setting the following system property does not help either:

      -Dmacro.required.velocity.context.keys=comma,separated,key,values


      Workaround

      Currently there is no known workaround for this behavior.

        Attachment: CONFSERVER-97796.png (606 kB, uploaded by Mohit Sharma)

            [CONFSERVER-97796] Variables in user macro are not resolved

            Jordan Anslow added a comment

            A fix for this issue is available in Confluence Server and Data Center 9.0.3.
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            Kusal Kithul-Godage added a comment - edited

            Update

            There are actually multiple issues with the User Macro template defined in this report.

            Firstly, $action resolves to the com.atlassian.confluence.core.ConfluenceActionSupport class. This class no longer has methods named getRemoteUser and getAuthenticatedUser in Confluence 9.0. Instead, to access the current user, please use the $authenticatedUser variable. To obtain access to this variable, you must first append it to the system property value for macro.required.velocity.context.keys.

            Even once a variable has been granted access using the aforementioned system property, Confluence 9.0 introduces a new security feature known as the Velocity method allowlist, which also requires that all method invocations within a Velocity template (including User Macros) be explicitly permitted. Atlassian has already generated and permitted a list of the most common and known-to-be-safe methods; however, you may still need to manually allowlist some methods in your User Macros. You should do this based on the log warning output generated when previewing your User Macro.

            This list of collected methods can then be allowlisted by a system administrator using the atlassian.velocity.method.allowlist.extra system property, introduced in Confluence 9.0.3. We understand that this will cause some friction in setting up User Macros; however, we have deemed it necessary to ensure the highest security.

            Please refer to the 'Method allowlist' section of the Writing User Macros guide for further details.

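The two problems described in the comment above (a removed $action root, and method invocations that the 9.0 allowlist must permit) can be triaged before any system property is touched. The script below is an added example, not Atlassian code and not part of this report: it rewrites the removed $action.remoteUser / $action.authenticatedUser roots to $authenticatedUser, lists the context roots the template still depends on (candidates for macro.required.velocity.context.keys), and expands every reference into the Java method chain Velocity will actually invoke, using Velocity's rule that a bare .property resolves to a getter (getProperty(); Velocity also tries get("property") and isProperty()). The template it runs over is the one from the Steps to Reproduce, embedded as constructed input. The exact wording of the preview warnings and the entry format of atlassian.velocity.method.allowlist.extra are not shown on this page and are not assumed here; the script's output is meant to be checked against those warnings so that only the methods a macro genuinely needs get allowlisted, rather than broad classes of them.

```python
"""Triage helper for Confluence 9.0 User Macro templates (added example, not Atlassian code)."""
import re

# Roots that com.atlassian.confluence.core.ConfluenceActionSupport no longer
# exposes in Confluence 9.0, mapped to the context variable that replaces them
# (per the comment on CONFSERVER-97796).
REMOVED_ROOTS = {
    "$action.remoteUser": "$authenticatedUser",
    "$action.authenticatedUser": "$authenticatedUser",
}

IDENT = re.compile(r"[A-Za-z_]\w*")
SET_DIRECTIVE = re.compile(r"#set\s*\(\s*\$(\w+)")   # local variables defined by #set

# Constructed input: the template from the bug report's Steps to Reproduce.
PAGE_TEMPLATE = """\
## @noparams
#set($userDetailsManager = $containerContext.getComponent('userDetailsManager'))

#set( $user = $action.remoteUser)
<h1>
Hello $req.userPrincipal.name</h1>
<br />
Hello $action.remoteUser.name
<br />
Hello $user.name

<pre>
$action.authenticatedUser.name
$action.authenticatedUser.fullName
$action.authenticatedUser.key
$action.dateFormatter.formatGivenString("yyyy-MM-dd", $content.getCreationDate())

</pre>
"""


def _read_args(text, i):
    """Return (argument_text, index_after_closing_paren) for the '(' at text[i].
    Tracks nesting depth and string literals so nested calls stay whole."""
    depth, quote = 0, None
    for j in range(i, len(text)):
        c = text[j]
        if quote:
            if c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return text[i + 1:j], j + 1
    return text[i + 1:], len(text)          # unterminated call: take the rest


def _references(text):
    """Yield (root, [(segment, args_or_None), ...]) for each $reference, including
    references nested inside method arguments (e.g. $content.getCreationDate())."""
    i = 0
    while i < len(text):
        if text[i] != "$":
            i += 1
            continue
        j = i + 1
        braced = j < len(text) and text[j] == "{"
        if braced:
            j += 1
        m = IDENT.match(text, j)
        if not m:
            i += 1
            continue
        root, j = m.group(0), m.end()
        chain = []
        while j < len(text) and text[j] == ".":
            m = IDENT.match(text, j + 1)
            if not m:
                break
            name, j = m.group(0), m.end()
            args = None
            if j < len(text) and text[j] == "(":
                args, j = _read_args(text, j)
                yield from _references(args)  # arguments may reference more context
            chain.append((name, args))
        if braced and j < len(text) and text[j] == "}":
            j += 1
        yield root, chain
        i = j


def invocation(segment, args):
    """Render one chain element as the Java method Velocity will invoke: an explicit
    call is kept verbatim; a bare property becomes its getter (getName() for .name)."""
    if args is not None:
        return f"{segment}({args.strip()})"
    return f"get{segment[0].upper()}{segment[1:]}()"


def analyse(template):
    """Return (rewritten_template, context_roots, invocation_chains)."""
    rewritten = template
    for old, new in REMOVED_ROOTS.items():
        rewritten = rewritten.replace(old, new)
    local_vars = set(SET_DIRECTIVE.findall(rewritten))
    roots, chains = set(), set()
    for root, chain in _references(rewritten):
        if root not in local_vars:            # #set locals are not context keys
            roots.add(root)
        if chain:
            chains.add("$" + root + "".join("." + invocation(s, a) for s, a in chain))
    return rewritten, sorted(roots), sorted(chains)


if __name__ == "__main__":
    rewritten, roots, chains = analyse(PAGE_TEMPLATE)
    print("Context roots still referenced:", ", ".join(roots))
    print("Method chains to compare against the preview warnings:")
    for c in chains:
        print("  " + c)
```

Each chain the script prints corresponds to one or more entries an administrator would expect to see in the preview warnings; anything that shows up in the warnings but not in this list is a sign that a property resolved through a different accessor than the getter assumed here, and is worth investigating before it is allowlisted.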
