projectdoc Toolbox 4.13 Release Notes

Security fixes in preparation for Confluence Data Center support.

Today we released version 4.13 of the projectdoc Toolbox.

This release provides new features and a couple of bug fixes. It fixes a number of security issues that could be exploited by an attacker with edit privileges on the Confluence server.

The projectdoc Toolbox is an add-on for Confluence that supports agile software development teams in collaborating on process, project, system, and product documentation.

New and Noteworthy

Security Issues

Originally the projectdoc Toolbox was designed for small teams of developers where the team had full access to the server. Therefore, enabling use cases had been the main concern at first. For instance, we allowed any protocol for an HTTP request to let the team access their resources. This has changed since larger companies started to use the projectdoc Toolbox for their information architecture.

As a preparation step for data center support, this release fixes a couple of security related issues. An attacker needed write access privileges to pages to take advantage of these issues.

To avoid breaking the existing API, this version introduces strict HTML rendering as a feature that must be actively turned on. In the next major version this feature will be activated by default.

The following issues fall into this category.

Key, Summary, Type, Priority, Description
PDAC-1481 Table Header Encodings Bug Critical (migrated)

Names provided as values for the select parameter are rendered as specified. They must be encoded.

Unlike the template use case, there is no use case for HTML code here. Therefore the strict HTML encoding system property does not apply here: the names are always encoded.

PDAC-1478 Template Encoding Bug Critical (migrated)

Select Templates allow adding HTML tags to control the rendering.

This is a security issue since users with write access may add unwanted tags.

Use the template references introduced with PDAC-1462 to store templates with allowed HTML code as space properties.

Strict rendering is off by default for version 4 of the projectdoc Toolbox. It will be the default for version 5. Set the system property de.smartics.projectdoc.security.strictHtmlEncoding to true to demand strict encoding.

PDAC-1476 Limit allowed Protocols for External Quote Macro Bug Critical (migrated)

Due to security considerations, the Quote External Macro should only allow links for the author and source URI with the following protocols: "http", "https", "ftp", "ftps", "mailto", "nntp", "news", "irc".

PDAC-1475 Limit allowed Protocols for External Link Macro Bug Critical (migrated)

Due to security considerations, the Link External Macro should only allow links with the following protocols: "http", "https", "ftp", "ftps", "mailto", "nntp", "news", "irc".

PDAC-1485 Always Encode Space Attributes Bug Major

The Display Space Attribute Macro allows rendering space information provided by Confluence. With version 4.13, whether the value was encoded or not depended on a system property.

With this version the value will always be encoded, because the value on the Confluence side is always considered text.

PDAC-1489 Encoding Issues with Change Log Macro Bug Minor (migrated)

The rendering of the macro does not fully encode all content.

PDAC-1487 Tour Macro Fails to Encode CSS classes Bug Minor (migrated)

The CSS class parameter is rendered without encoding.

PDAC-1482 Encoding Issue in Autocomplete Bug Minor (migrated)

Copying the Name List Macro's names to the autocomplete field fails to encode the attribute value.

PDAC-1479 HTML Code in Short Descriptions Bug Minor (migrated)

The projectdoc Toolbox allows HTML code in short descriptions in page and space blueprints.

This poses a security issue in case a user with write access adds malicious code to the short description.

Strict rendering is off by default for version 4 of the projectdoc Toolbox. It will be the default for version 5. Set the system property de.smartics.projectdoc.security.strictHtmlEncoding to true to demand strict encoding.

Note that encoding of short descriptions for page blueprints is covered by PDAC-1478.

Reference Support for Query Parameters

Query parameters may specify complex templates to render property values. To store these templates in one location as a space property, the macro parameters 'select', 'where', and 'sort-by' (for instance of the Display Table Macro) now support referencing templates. The template of the Display Document Properties Macro also supports this reference.

Start the parameter value with the paragraph sign (§), followed by the name of the space property that defines the template.

Note that the template may be formatted with the Confluence editor, for instance to set a property in italics or to add a line break.

See PDAC-1462 (Reference Support for Query Parameters) and PDAC-1466 (Support Space Templates for Display Properties Macro) for more information.

Detect Health Issues

The Name List Macro allows specifying arbitrary names. If a name actually references a document, a link is rendered. This differs from using a display property macro, where the referenced document is required to exist. The projectdoc Toolbox refers to the links rendered by name macros as dynamic links, in contrast to the links rendered by display property macros.

Dynamic links may lose their target document unintentionally, and such issues are hard to detect. To help users find and fix them, this version of the projectdoc Toolbox adds the following improvements and features.

Key, Summary, Type, Priority, Description
PDAC-1470 Debug Mode for Tour-by-Property Macro New Feature Major

In debug mode the Tour-by-Property should render a message in case the properties do not all point to a valid name.

PDAC-1473 Debug Access Mode New Feature Minor (migrated)

Add a space property named "projectdoc.debug-mode.access" to control whether debug information is rendered in the UI only if the user actually has write access to the page with issues.

The default is to render debug information only when the user has write access.

PDAC-1472 Health Logging New Feature Minor (migrated)

Provide a collection of loggers prefixed with 'de.smartics.projectdoc.healthCheck' to signal health issues.

PDAC-1464 Display of missing Index Entries Bug Minor (migrated)

The Index Entries Macro fails to properly render all missing entries in Debug Mode.

Space Property Rendering

We encountered HTML encoding issues with the rendering of space properties.

Originally, space properties were intended to be plain text properties used as variables for matching only. This simple concept was abandoned a long time ago; today a space property may contain any HTML fragment. With PDAC-1469 (Encode Issue with Space Properties) we fix an issue where the rendered property may not have been HTML encoded.

Preparation for Data Center Support

We are working to get the data center compatibility approval of Atlassian for the projectdoc Toolbox.

We plan to provide the data center version by the end of 2021. In summer we will release version 5.0 of the projectdoc Toolbox, which will require updating the database tables. This may be inconvenient, since it requires recalculating the document entries in these tables. With a large number of projectdoc documents, we recommend testing the upgrade in a test instance to estimate how long the table update will take.

To prepare your installation for this version we recommend setting the system property de.smartics.projectdoc.security.strictHtmlEncoding to true. This requires using the new template references for complex select templates where HTML code is required for rendering.

Please refer to PDAC-1478 (Template Encoding) and PDAC-1462 (Reference Support for Query Parameters) for more information.
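As an added illustration (not the Toolbox's own code; the add-on is written in Java and these notes show none), the following Python sketches the behaviour described for template references and strict encoding: a parameter value starting with § resolves to a trusted space property, any other value is encoded only when de.smartics.projectdoc.security.strictHtmlEncoding is true, table header names from select are always encoded (PDAC-1481), and property values substituted into a template are always encoded. The property names, the sample template and the ${Key} placeholder syntax are assumptions made for this example.

```python
import html
import re

# System property named in the release notes; off in version 4, default in 5.
STRICT_HTML_ENCODING = "de.smartics.projectdoc.security.strictHtmlEncoding"

# Constructed sample: a template with markup, stored as a space property so
# that it can be referenced with the paragraph sign.  The ${Key} placeholder
# syntax is an assumption for this example.
SPACE_PROPERTIES = {
    "doc.select.template": "<em>${Name}</em><br/>${Short Description}",
}
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def resolve_template(value, space_properties, system_properties):
    """Return the template HTML for a select/where/sort-by or template parameter.

    A value introduced with § names a space property; that template is trusted
    and used verbatim.  Any other value is HTML-encoded when strict encoding is
    on and used as given otherwise (the version 4 compatibility behaviour).
    An unresolvable reference is treated as plain text (assumption).
    """
    if value.startswith("§"):
        name = value[1:].strip()
        if name in space_properties:
            return space_properties[name]
    strict = system_properties.get(STRICT_HTML_ENCODING, "false").lower() == "true"
    return html.escape(value, quote=True) if strict else value


def encode_header_name(name):
    """Names from the select parameter become table headers and are always
    encoded (PDAC-1481), independent of the system property."""
    return html.escape(name, quote=True)


def render(template_html, document_properties):
    """Fill a trusted template with document property values.

    Property values are plain text, so they are always encoded; any markup has
    to live in the template, never in the value.
    """
    return PLACEHOLDER.sub(
        lambda m: html.escape(document_properties.get(m.group(1), ""), quote=True),
        template_html)
```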

Installation Instructions

Install the new OBR of the projectdoc Toolbox.

Upgrade Instructions

Please follow this short guide to update to this new version of the projectdoc Toolbox. For detailed information on dependencies, please consult the documentation of the add-ons.

Reindex

Due to the following issues a reindex is required to update properties.

Key, Summary, Type, Priority, Description
PDAC-1474 URL and Tiny URL Representation Bug Minor (migrated)

The artificial properties "URL" and "Tiny URL" are stored as plain text, but should be stored as HTML.

All documents need to be reindexed to get the new, corrected value.

In case you do not use any of these features, there is no need for a reindex.

Please refer to Troubleshooting Reindexer for projectdoc Documents for details on how to reindex projectdoc documents.

List of Changes

The following changes are part of the latest projectdoc Toolbox for Confluence.

Key, Summary, Type, Priority, Description
PDAC-1481 Table Header Encodings Bug Critical (migrated)

Names provided as values for the select parameter are rendered as specified. They must be encoded.

Unlike the template use case, there is no use case for HTML code here. Therefore the strict HTML encoding system property does not apply here: the names are always encoded.

PDAC-1478 Template Encoding Bug Critical (migrated)

Select Templates allow adding HTML tags to control the rendering.

This is a security issue since users with write access may add unwanted tags.

Use the template references introduced with PDAC-1462 to store templates with allowed HTML code as space properties.

Strict rendering is off by default for version 4 of the projectdoc Toolbox. It will be the default for version 5. Set the system property de.smartics.projectdoc.security.strictHtmlEncoding to true to demand strict encoding.

PDAC-1476 Limit allowed Protocols for External Quote Macro Bug Critical (migrated)

Due to security considerations, the Quote External Macro should only allow links for the author and source URI with the following protocols: "http", "https", "ftp", "ftps", "mailto", "nntp", "news", "irc".

PDAC-1475 Limit allowed Protocols for External Link Macro Bug Critical (migrated)

Due to security considerations, the Link External Macro should only allow links with the following protocols: "http", "https", "ftp", "ftps", "mailto", "nntp", "news", "irc".

PDAC-1470 Debug Mode for Tour-by-Property Macro New Feature Major

In debug mode the Tour-by-Property should render a message in case the properties do not all point to a valid name.

PDAC-1467 Support Apply Space Properties for Cite Macro New Feature Major

Provide a macro parameter to control whether or not space properties are applied when resolving the template placeholders.

PDAC-1465 Support Apply Space Properties for Display Properties Macro New Feature Major

Provide a macro parameter to control whether or not space properties are applied when resolving the template placeholders.

PDAC-1462 Reference Support for Query Parameters New Feature Major

Make it easier to reuse complex values for select, where, and sort-by parameters.

Allow referencing values for the macro parameters select, where, and sort-by by the name of a space property.

PDAC-1485 Always Encode Space Attributes Bug Major

The Display Space Attribute Macro allows rendering space information provided by Confluence. With version 4.13, whether the value was encoded or not depended on a system property.

With this version the value will always be encoded, because the value on the Confluence side is always considered text.

PDAC-1473 Debug Access Mode New Feature Minor (migrated)

Add a space property named "projectdoc.debug-mode.access" to control whether debug information is rendered in the UI only if the user actually has write access to the page with issues.

The default is to render debug information only when the user has write access.

PDAC-1472 Health Logging New Feature Minor (migrated)

Provide a collection of loggers prefixed with 'de.smartics.projectdoc.healthCheck' to signal health issues.

PDAC-1466 Support Space Templates for Display Properties Macro New Feature Minor (migrated)

Allow to reference a space property with the paragraph sign in first position of the template parameter for the Display Document Properties Macro.

PDAC-1491 Title Encoding with Page Blueprint Bug Minor (migrated)

The title of a page is HTML encoded where it should not be.

This issue is only encountered if strict encoding is enforced.

PDAC-1490 Duplicate Indexing Bug Minor (migrated)

The Lucene indexer is registered as a service and as indexer. Unfortunately this implies that the indexer is called twice.

PDAC-1489 Encoding Issues with Change Log Macro Bug Minor (migrated)

The rendering of the macro does not fully encode all content.

PDAC-1488 Tour Macro Local URL Bug Minor (migrated)

The Tour Macro runs a simple prefix test against the Confluence base URL to check whether a URL points to a resource on the local server. A prefix test alone is not sufficient for this check.
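To make the two URL checks in these notes concrete, here is an added example (not the Toolbox's own code, which is Java; the notes show none): the scheme allowlist of PDAC-1475/PDAC-1476 for the external link macros, and the local-URL test of PDAC-1488 done as an origin comparison beside the prefix test it replaces. The base URL and host names are constructed sample values.

```python
from urllib.parse import urlsplit

# Scheme allowlist as quoted in PDAC-1475 / PDAC-1476.
ALLOWED_SCHEMES = frozenset(
    {"http", "https", "ftp", "ftps", "mailto", "nntp", "news", "irc"})


def scheme_allowed(url: str) -> bool:
    """Accept a link for the external macros only if its scheme is allowlisted.

    urlsplit lowercases the scheme, so "MAILTO:" is treated like "mailto:";
    surrounding whitespace is stripped first.  A value with no scheme at all
    (a relative path) is rejected, which assumes the macros require an
    absolute URL, as the quoted allowlist suggests.
    """
    scheme = urlsplit(url.strip()).scheme
    return bool(scheme) and scheme in ALLOWED_SCHEMES


def is_local_url_prefix_only(url: str, base_url: str) -> bool:
    """The check PDAC-1488 calls insufficient: a plain string prefix test."""
    return url.startswith(base_url)


def _origin(parts):
    """(scheme, host, port) with the default port filled in for http/https."""
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return scheme, parts.hostname, port


def is_local_url(url: str, base_url: str) -> bool:
    """Decide whether url points at the local Confluence server.

    The prefix test also accepts hosts that merely begin with the base host,
    e.g. base "https://wiki.example.com" matches a URL on
    "wiki.example.com.other.example".  Comparing origin components separately
    and requiring the path to continue at a "/" boundary closes that gap.
    """
    u, b = urlsplit(url.strip()), urlsplit(base_url)
    if _origin(u) != _origin(b):
        return False
    base_path = b.path.rstrip("/")
    return u.path == base_path or u.path.startswith(base_path + "/")
```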

PDAC-1487 Tour Macro Fails to Encode CSS classes Bug Minor (migrated)

The CSS class parameter is rendered without encoding.

PDAC-1486 NPE on Preview of All Document Properties Bug Minor (migrated)

This occurs only in the preview of a new document.

The implemented workaround is to show no properties on the preview for a new document.

PDAC-1484 Encoding Problems in Display All Space Properties Bug Minor (migrated)

The macro fails to properly encode property names.

A property name should be plain text, but in case a user specifies some markup as text, the macro must encode it properly before rendering.

PDAC-1483 Encoding Problems in Property Values Bug Minor (migrated)

The Title and URL properties are not correctly encoded.

PDAC-1482 Encoding Issue in Autocomplete Bug Minor (migrated)

Copying the Name List Macro's names to the autocomplete field fails to encode the attribute value.

PDAC-1479 HTML Code in Short Descriptions Bug Minor (migrated)

The projectdoc Toolbox allows HTML code in short descriptions in page and space blueprints.

This poses a security issue in case a user with write access adds malicious code to the short description.

Strict rendering is off by default for version 4 of the projectdoc Toolbox. It will be the default for version 5. Set the system property de.smartics.projectdoc.security.strictHtmlEncoding to true to demand strict encoding.

Note that encoding of short descriptions for page blueprints is covered by PDAC-1478.

PDAC-1477 Failure to Encode URL Fragments Bug Minor (migrated)

In URL construction the fragment part is either not encoded with the fragment encoder or is encoded with the standard URL encoder. This has had no noticeable impact so far, since browsers handle fragments that do not adhere to the standard gracefully.

Nevertheless fragments should be handled correctly.

PDAC-1474 URL and Tiny URL Representation Bug Minor (migrated)

The artificial properties "URL" and "Tiny URL" are stored as plain text, but should be stored as HTML.

All documents need to be reindexed to get the new, corrected value.

PDAC-1471 Preserve Preview Mode for Pages Bug Minor (migrated)

When creating contexts for projectdoc documents the preview mode must be restored.

PDAC-1469 Encode Issue with Space Properties Bug Minor (migrated)

The space properties are not correctly encoded before they are rendered.

PDAC-1468 URL Rendering Issue with Display Properties Macro Bug Minor (migrated)

In case the Display Document Properties Macro renders a URL and a link should be added, the link should use the URL and not point to the document.

PDAC-1464 Display of missing Index Entries Bug Minor (migrated)

The Index Entries Macro fails to properly render all missing entries in Debug Mode.

Resources

Release Notes for the projectdoc Toolbox
Relevant information on changes to the projectdoc Toolbox for Confluence introduced by new versions of this app.
Glossary
Terms used in and defined for projectdoc.
FAQs
Questions and answers related to the projectdoc Toolbox and Confluence.