This page describes how to use the Freemarker Allowlist plugin module to allowlist a plugin class method for invocation from Freemarker templates.
From Bamboo 11.0, all method invocations in Freemarker templates are subject to a strict method allowlist. Any attempted method invocations which are not allowlisted will result in a log warning and the method invocation being blocked.
This capability exists to limit the scope of impact in the case of an SSTI (server-side template injection) vulnerability. Unrestricted access to Java classes and methods from Freemarker templates lets an attacker escalate such a vulnerability to more severe outcomes, such as arbitrary code execution on the server.
Products are configured with a global method allowlist which contains appropriate JDK and Atlassian class methods. Plugins may define their own allowlist using this module descriptor, which will supplement the global allowlist.
It is important that plugins avoid invoking application services or beans from templates, instead only exposing immutable DTOs (data transfer objects).
To assist plugins in migrating to the Freemarker Allowlist enabled product versions, Bamboo has implemented a system property, atlassian.freemarker.method.allowlist.debug, which, when set to true, disables allowlist enforcement but continues to log errors for method invocations which are not allowlisted. Plugin developers can then use the log output to inform their allowlist configuration. Because this mode switches off the protection the allowlist provides, use it only in development and test environments.
The system property is not yet available for Bamboo EAP 11.0-rc4. In order to activate the debug mode in that build:

1. Make a copy of freemarker-allowlist.properties from /WEB-INF/lib/atlassian-bamboo-web-11.0.0.jar.
2. Modify the freemarker.bamboo.allowlist.debug.mode property to devmode.
3. Move the file to /WEB-INF/classes.
Going forth, whenever a developer adds a new method call to a Freemarker template, a corresponding allowlist entry should be added to the plugin's Freemarker Allowlist module.
All argument-free public getters from Struts Action classes are automatically allowlisted for all plugins. Keep in mind that the method names are required to start with get or is if they are to be automatically allowlisted. To use these getters inside the templates, the prefix is dropped and the first remaining letter is lower-cased, following the JavaBeans property convention:

- public String getName() can be used as ${name}.
- public boolean isAllowed() can be used as ${allowed}.
- private Boolean isCreationAllowed() won't be available because it's a private method.
- public String getRssLink(Project project) won't be automatically available because the method requires one argument.

Ensure any data your Freemarker templates require is readily accessible from your Action classes. This will avoid the need to maintain an extensive allowlist.
The root element for the Freemarker Allowlist plugin module is freemarkerAllowlist. It does not accept a class attribute. It accepts only method child elements.
When defining allowlisted methods, use the fully-qualified name of the concrete class which declares the method (with $ separators for inner classes), followed by a # and the method name, followed by the fully-qualified names of any parameter types, delimited by commas and surrounded by parentheses.
Method allowlisting is based on the declaring class of a method. If you have classes that inherit a method from a parent class without overriding it, you should allowlist the method on the parent class.
If your module contains entries which do not correspond to a valid method declared on the specified class, an error will be logged and the allowlist module disabled entirely. A single typo therefore blocks every method the module was meant to allow, so check the product log after deploying a change to the module.
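The following module descriptor is an added example, not taken from the page or from an Atlassian plugin, illustrating each of the naming rules above on a hypothetical plugin whose classes live under com.example.bamboo.plugin. It uses the class#method(params) form this page specifies; note that the sample module at the end of this page separates class and method with a dot instead, so if the product logs your entries as invalid, compare against that form as well.

```xml
<!-- Hypothetical allowlist module for a deployment-summary plugin (example only) -->
<freemarkerAllowlist key="freemarkerAllowlist-deployments">

    <!-- Argument-free method on a concrete class: empty parentheses are still required -->
    <method>com.example.bamboo.plugin.ViewDeploymentAction#getResultUrl(java.lang.String)</method>

    <!-- Method with several parameters: fully-qualified types, comma-delimited, no spaces -->
    <method>com.example.bamboo.plugin.dto.DeploymentSummary#getResultUrl(java.lang.String,java.lang.Integer)</method>

    <!-- Inner (nested) class: $ separates the outer class from the inner class name -->
    <method>com.example.bamboo.plugin.ViewDeploymentAction$Stage#getName()</method>

    <!-- Inherited without override: the entry names the declaring parent class,
         not the subclass the template actually receives -->
    <method>com.example.bamboo.plugin.dto.AbstractSummary#getCreatedDate()</method>

</freemarkerAllowlist>
```

Every entry must resolve to a real method on the named class; if any one of them does not, the whole module is disabled and none of the methods above become callable.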
It is possible, as an alternative, to annotate methods with the freemarker.ext.beans.TemplateAccessible annotation. This simplifies the process of allowing methods and doesn't require the method to be listed on the allowlist. It is only an option for classes you compile yourself; methods on JDK, product or third-party classes still need a method entry in the module.
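The class below is an added example, not code from the page or from Bamboo, tying together the Struts getter rules described earlier and the @TemplateAccessible alternative. The package, class and method names are hypothetical, and com.atlassian.bamboo.ww2.BambooActionSupport is assumed to be the Struts action base class the plugin extends.

```java
package com.example.bamboo.plugin;

import java.util.List;
import java.util.Objects;

import com.atlassian.bamboo.ww2.BambooActionSupport; // assumed Bamboo Struts action base class
import freemarker.ext.beans.TemplateAccessible;

/**
 * Hypothetical Struts action backing a "view deployment" page.
 * Everything the template needs is computed here in Java, so the template
 * never has to call into a service or bean.
 */
public class ViewDeploymentAction extends BambooActionSupport {

    private DeploymentSummary summary;

    @Override
    public String execute() {
        // Constructed sample data for the example; a real action would obtain
        // this from a service call made here, not from the template.
        summary = new DeploymentSummary("Production", true,
                List.of(new Stage("Build"), new Stage("Smoke test")));
        return SUCCESS;
    }

    // Auto-allowlisted: public, argument-free, name starts with "get".
    // Template usage: ${environmentName}
    public String getEnvironmentName() {
        return summary.getEnvironmentName();
    }

    // Auto-allowlisted: public, argument-free, name starts with "is".
    // Template usage: <#if promotable> ... </#if>
    public boolean isPromotable() {
        return summary.isPromotable();
    }

    // Auto-allowlisted as ${summary}; whether the template may then call
    // methods on the returned object depends on DeploymentSummary's own
    // allowlisting, handled below with @TemplateAccessible.
    public DeploymentSummary getSummary() {
        return summary;
    }

    // NOT auto-allowlisted: it takes an argument. A template calling
    // ${resultUrl("Build")} is blocked (or logged, in debug mode) unless the
    // plugin's freemarkerAllowlist module lists
    //   com.example.bamboo.plugin.ViewDeploymentAction#getResultUrl(java.lang.String)
    public String getResultUrl(String stageName) {
        return "/deploy/result/" + stageName;
    }

    // NOT available to templates at all: private methods are never exposed.
    private boolean isDeletionAllowed() {
        return false;
    }

    /**
     * Immutable DTO handed to the template. Its getters carry
     * @TemplateAccessible, so no <method> entry is needed for them.
     * If it were allowlisted through the module instead, the nested class
     * would be written with a $ separator, e.g.
     *   com.example.bamboo.plugin.ViewDeploymentAction$DeploymentSummary#getStages()
     */
    public static final class DeploymentSummary {
        private final String environmentName;
        private final boolean promotable;
        private final List<Stage> stages;

        DeploymentSummary(String environmentName, boolean promotable, List<Stage> stages) {
            this.environmentName = Objects.requireNonNull(environmentName);
            this.promotable = promotable;
            this.stages = List.copyOf(stages); // defensive copy keeps the DTO immutable
        }

        @TemplateAccessible
        public String getEnvironmentName() { return environmentName; }

        @TemplateAccessible
        public boolean isPromotable() { return promotable; }

        @TemplateAccessible
        public List<Stage> getStages() { return stages; }
    }

    /** Second immutable DTO; referenced from templates as ${summary.stages[0].name}. */
    public static final class Stage {
        private final String name;

        Stage(String name) { this.name = Objects.requireNonNull(name); }

        @TemplateAccessible
        public String getName() { return name; }
    }
}
```

The action exposes only plain values and immutable DTOs, which is the shape this page recommends: the template reads precomputed data, and any method that would need an explicit allowlist entry (here getResultUrl) is the exception rather than the rule.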
```xml
<freemarkerAllowlist key="freemarkerAllowlist-agents">
    <method>com.atlassian.bamboo.agents.Agent.getName()</method>
    <method>com.atlassian.bamboo.agents.Agent.getId()</method>
    <method>com.atlassian.bamboo.agents.AgentNotification.getEditHtml()</method>
</freemarkerAllowlist>
```