After Update to Jira 10.3.18 and 10.3.19 log are flooded with [velocity] DEBUG MODE entries.

XMLWordPrintable

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Medium
    • None
    • Affects Version/s: 10.3.18, 10.3.19
    • Component/s: Issue - Others
    • None
    • 10.03
    • 1
    • Severity 2 - Major
    • 1

      Issue Summary

      Jira 10.3.18 and 10.3.19 Velocity log flooding for native Jira core methods. The previous fixes were done with respect to the mentioned methods only. I have attached the list of some of the affected methods. allowlistmethods.txt

      Steps to Reproduce

      1. Perform standard operations that trigger Velocity template rendering (e.g., viewing issues, sending emails, creating custom fields, or using bundled apps like Jira Software/Greenhopper).
      2. Observe the atlassian-jira.log.

      Expected Results

      Native Jira core methods (e.g., com.atlassian.jira.user.DelegatingApplicationUser#getName()) should be pre-allowlisted by default and should not trigger "Method needs allowlisting" warnings in the logs.

      Actual Results

      The logs are flooded with DEBUG MODE warnings for native Atlassian methods. Analysis of customer logs identified 248 unique native methods (including com.atlassian.jira.{}{}com.atlassian.greenhopper., and java.util.*) that are missing from the internal allowlist.

      Additionally, some methods already present in velocity-default.properties (e.g., com.atlassian.jira.security.JiraAuthenticationContextImpl#getI18nHelper()) continue to trigger these warnings, suggesting a potential defect in how the allowlist is applied during the "Strict Monitoring" phase.

      The following entries are observed in the atlassian-jira.log file:

      [velocity] DEBUG MODE: Method needs allowlisting: com.atlassian.jira.user.DelegatingApplicationUser#getName() 
[velocity] DEBUG MODE: Method needs allowlisting: com.atlassian.jira.util.JiraUrlCodec#encode(java.lang.String)
[velocity] DEBUG MODE: Method needs allowlisting: com.atlassian.greenhopper.web.rapid.issue.fields.LazyLoadedOption#toString()  

      Workaround

      Manual Allowlisting (May be inconsistent)

      1. Edit $JIRA_INSTALL/atlassian-jira/WEB-INF/classes/velocity-default.properties.
      2. Locate the property introspector.proper.allowlist.methods.
      3. Append the missing method(s) to the list, ensuring each entry (except the last) ends with a comma and a backslash (,).
        Example: com.atlassian.jira.issue.fields.ImmutableCustomField#getDescription(),
      4. Restart Jira.

      Turn off velocity allowlist (safe only for Jira 10.x)
      1. Edit $JIRA_INSTALL/atlassian-jira/WEB-INF/classes/velocity-default.properties.

      2. Set introspector.proper.allowlist.enable = true
      3. Restart Jira

        1. allowlistmethods.txt
          17 kB

              Assignee:
              Karol Skwierawski
              Reporter:
              Nikit Kohli
              Votes:
              2 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated: