Last updated Sep 10, 2024

Configuring the Velocity method allowlist

This page describes how to use the Velocity Allowlist plugin module to allowlist a plugin class method for invocation from Velocity templates.

Introduction

From Confluence 9.0 and Jira 10.0, all method invocations in Velocity templates are subject to a strict method allowlist. Any attempted method invocations which are not allowlisted will result in a log warning and the method invocation being blocked.

This capability exists to limit the scope of impact in the case of an SSTI (server-side template injection) vulnerability. Unrestricted access to Java classes and methods from Velocity templates enables attackers to escalate such a vulnerability to more severe levels.

Products are configured with a global method allowlist which contains appropriate JDK and Atlassian class methods. Plugins may define their own allowlist using this module descriptor, which will supplement the global allowlist. Plugins can only define allowlist entries for their own classes.

It is important that plugins avoid invoking application services or beans from templates, instead only exposing immutable DTOs (data transfer objects).

Gathering necessary allowlist entries

To assist plugins in migrating to the Velocity Allowlist enabled product versions, Atlassian has implemented a system property atlassian.velocity.method.allowlist.debug, which, when set to true, will disable the allowlist enforcement but continue to log errors for method invocations which are not allowlisted. Plugin developers can then use the log output to inform their allowlist configuration.

Going forward, whenever a developer adds a new method call to a Velocity template, a corresponding allowlist entry should be added to the plugin's Velocity Allowlist module.

Auto-allowlisting

The following methods are automatically allowlisted for all plugins. This is in addition to the Atlassian-maintained global allowlist.

  • (Confluence Only) Struts Action class public getters

Ensure any data your Velocity templates require is readily accessible from your Action classes. This will avoid the need to maintain an extensive allowlist.

Note that template-context-item and velocity-context-item module item methods are not currently auto-allowlisted.

Configuration

The root element for the Velocity Allowlist plugin module is velocity-allowlist. It does not accept a class attribute. It accepts only method child elements.

When defining allowlisted methods, use the fully-qualified name of the concrete class that declares the method (with $ separators for inner classes), followed by a # and the method name, followed by the fully-qualified names of any parameter types, delimited by spaces and enclosed in parentheses.

Method allowlisting is based on the declaring class of a method. If you have classes that inherit a method from a parent class without overriding it, you should allowlist the method on the parent class.

If your module contains entries which do not correspond to a valid method declared on the specified class, an error will be logged and the allowlist module disabled entirely.

Example

<velocity-allowlist key="velocity-allowlist-dynamictasklist2">
    <method>com.atlassian.confluence.extra.dynamictasklist2.NameRenderer#render(java.lang.String boolean)</method>
    <method>com.atlassian.confluence.extra.dynamictasklist2.model.Task#getAssignee()</method>
    <method>com.atlassian.confluence.extra.dynamictasklist2.model.Task$Priority#toString()</method>
    <method>com.atlassian.confluence.extra.dynamictasklist2.model.TaskList#getCompleteTasks()</method>
    <method>com.atlassian.confluence.extra.dynamictasklist2.model.TaskList#getName()</method>
</velocity-allowlist>
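Because a single entry that does not correspond to a valid method disables the whole module, it is worth checking the syntax of every entry before the descriptor ships. The following checker is an added example and is not part of this page or of any Atlassian product; it parses a velocity-allowlist descriptor, splits each entry into declaring class, method name and parameter types according to the syntax described above, and reports the structural rules stated on this page (no class attribute, only method children, space-delimited parameter types in parentheses). The descriptor text and the com.example.plugin class names are constructed for the example; the last two entries are deliberately malformed. The checker only validates syntax: whether the method actually exists on the declaring class can only be verified against the compiled plugin classes.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed descriptor modelled on the page's example (class names are hypothetical).
# The last two <method> entries are deliberately malformed: one separates parameter
# types with a comma, the other omits the parentheses.
SAMPLE_DESCRIPTOR = """\
<velocity-allowlist key="velocity-allowlist-example">
    <method>com.example.plugin.NameRenderer#render(java.lang.String boolean)</method>
    <method>com.example.plugin.model.Task$Priority#toString()</method>
    <method>com.example.plugin.model.TaskList#getName()</method>
    <method>com.example.plugin.NameRenderer#render(java.lang.String, boolean)</method>
    <method>com.example.plugin.model.TaskList#getName</method>
</velocity-allowlist>
"""

# A Java identifier; '$' is allowed because inner classes appear as Outer$Inner.
JAVA_ID = r"[A-Za-z_$][A-Za-z0-9_$]*"
CLASS_NAME = rf"{JAVA_ID}(?:\.{JAVA_ID})*"
# declaring.Class#method(type1 type2 ...)
ENTRY_RE = re.compile(rf"^(?P<cls>{CLASS_NAME})#(?P<method>{JAVA_ID})\((?P<params>[^()]*)\)$")
PRIMITIVES = {"boolean", "byte", "char", "short", "int", "long", "float", "double"}


@dataclass(frozen=True)
class AllowlistEntry:
    declaring_class: str   # fully-qualified concrete class that declares the method
    method: str
    param_types: tuple     # fully-qualified parameter type names, in declaration order


def parse_entry(text: str) -> AllowlistEntry:
    """Parse one <method> entry; raise ValueError describing the syntax problem."""
    text = text.strip()
    m = ENTRY_RE.match(text)
    if not m:
        raise ValueError(f"not of the form Class#method(params): {text!r}")
    raw = m.group("params").strip()
    if "," in raw:
        raise ValueError(f"parameter types must be space-delimited, not comma-delimited: {text!r}")
    params = tuple(raw.split())
    for p in params:
        if p not in PRIMITIVES and not re.fullmatch(CLASS_NAME, p):
            raise ValueError(f"parameter type {p!r} is not a primitive or fully-qualified class: {text!r}")
    return AllowlistEntry(m.group("cls"), m.group("method"), params)


def format_entry(declaring_class: str, method: str, param_types=()) -> str:
    """Build an entry string in the descriptor's syntax (inverse of parse_entry)."""
    return f"{declaring_class}#{method}({' '.join(param_types)})"


def check_descriptor(xml_text: str):
    """Return (entries, errors) for a velocity-allowlist descriptor.

    Any error means the product would log an error and disable the whole
    module, so a non-empty error list should fail the build.
    """
    root = ET.fromstring(xml_text)
    entries, errors = [], []
    if root.tag != "velocity-allowlist":
        errors.append(f"root element must be velocity-allowlist, got {root.tag!r}")
    if "class" in root.attrib:
        errors.append("velocity-allowlist does not accept a class attribute")
    for child in root:
        if child.tag != "method":
            errors.append(f"unexpected child element <{child.tag}>; only <method> is allowed")
            continue
        try:
            entries.append(parse_entry(child.text or ""))
        except ValueError as exc:
            errors.append(str(exc))
    return entries, errors


if __name__ == "__main__":
    entries, errors = check_descriptor(SAMPLE_DESCRIPTOR)
    for e in entries:
        print("ok   ", format_entry(e.declaring_class, e.method, e.param_types))
    for err in errors:
        print("ERROR", err)
```

Run against the constructed descriptor, the first three entries parse (the Task$Priority entry shows the inner-class separator surviving as part of the declaring class name) and the last two are reported, which is exactly the outcome that would otherwise surface only as a disabled module at runtime.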
