
Security fixes in preparation for Confluence Data Center support.

Today we released version 4.13 of the projectdoc Toolbox.

This release provides new features and a couple of bug fixes. It also fixes a number of security issues that could be exploited by an attacker with edit privileges on the Confluence server.

The projectdoc Toolbox is an add-on for Confluence that supports agile software development teams in collaborating on process, project, system, and product documentation.

Release Notes Overview

New and Noteworthy

Security Issues

Originally the projectdoc Toolbox was designed for small teams of developers where the team had full access to the server. Therefore making use cases possible had been the main concern at first. For instance, we allowed any protocol in an HTTP request so that the team could access their resources. This has changed since larger companies started to use the projectdoc Toolbox for their information architecture.

As a preparation step for Data Center support this release fixes a couple of security-related issues. An attacker needed write privileges on pages to take advantage of these issues.

To avoid breaking the existing API, this version introduces strict HTML encoding as a feature that has to be turned on explicitly. In the next major version this feature will be activated by default.

Strict HTML Encoding recommended

It is recommended to set the system property de.smartics.projectdoc.security.strictHtmlEncoding to true.

Please check whether you rely on lax encoding in render templates, for instance in the Select parameter of the Display Table Macro.

The following issues fall into this category.


Reference Support for Query Parameters

Query parameters may specify complex templates to render property values. To store these templates in one location as a space property, the macro parameters 'select', 'where', and 'sort-by' (for instance those of the Display Table Macro) now support referencing templates. The template of the Display Document Properties Macro also supports this reference.

Start the parameter value with the paragraph sign (§) followed by the name of the space property that defines the template.

Note that the template may be formatted with the Confluence editor, for instance to render a property in italics or to add a line break.

See PDAC-1462 and PDAC-1466 for more information.
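The two sections above (strict HTML encoding and template references) describe one mechanism from two sides: with strict encoding turned on, property values inserted into a page are HTML-encoded, and an inline select template carrying markup is encoded as well, so markup has to come from a §-referenced space property. The following Python script is an added illustration of that model, not code from the projectdoc Toolbox. The `${...}` placeholder syntax, the sample properties and the rule that a §-referenced template keeps its tags are assumptions made for this example; the check at the end lists the query parameters an administrator would have to migrate to template references before enabling strict encoding.

```python
import html
import re

# Constructed sample data (hypothetical; not projectdoc's real data model).
# Space properties: plain values plus one render template stored as a property.
SPACE_PROPERTIES = {
    "italic-name": "<i>${Name}</i>",   # referenced from a macro as '§italic-name'
}

# Document properties as entered by a page editor. The markup in 'Name' is the
# kind of value a user with edit privileges can put into a property.
DOCUMENT_PROPERTIES = {
    "Name": "Smith & Sons <b>Ltd</b>",
    "Doctype": "topic",
}

# Placeholder syntax assumed for this illustration: ${Property Name}.
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def resolve_template(select_value, space_properties):
    """Resolve a 'select' value to (template, trusted_markup).

    A value starting with the paragraph sign names a space property that holds
    the template; its markup is treated as page markup. Anything else is an
    inline template typed directly into the macro parameter.
    """
    if select_value.startswith("§"):
        name = select_value[1:].strip()
        if name not in space_properties:
            raise KeyError(f"space property {name!r} not defined")
        return space_properties[name], True
    return select_value, False


def render_select(select_value, document_properties, space_properties, strict):
    """Render one 'select' template for a document.

    strict=False reproduces lax encoding: property values and inline template
    markup are inserted verbatim. strict=True HTML-encodes every property value
    and, for an inline template, the template text itself, so only a
    §-referenced template keeps its tags.
    """
    template, trusted_markup = resolve_template(select_value, space_properties)
    if strict and not trusted_markup:
        template = html.escape(template)   # '${Name}' survives escaping unchanged

    def substitute(match):
        value = document_properties.get(match.group(1), "")
        return html.escape(value) if strict else value

    return PLACEHOLDER.sub(substitute, template)


def needs_template_reference(macro_parameters):
    """Migration check: list the query parameters whose inline value carries
    markup and would therefore be encoded once strict encoding is turned on."""
    flagged = []
    for name in ("select", "where", "sort-by"):
        value = macro_parameters.get(name, "")
        if not value.startswith("§") and re.search(r"<[A-Za-z/!]", value):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for select in ("§italic-name", "<i>${Name}</i>"):
        for strict in (False, True):
            out = render_select(select, DOCUMENT_PROPERTIES, SPACE_PROPERTIES, strict)
            print(f"select={select!r} strict={strict}: {out}")
    print("parameters to migrate:",
          needs_template_reference({"select": "<i>${Name}</i>",
                                    "sort-by": "§italic-name"}))
```

Running the script shows the difference that matters for the migration: under lax encoding the `<b>` from the property value and the `<i>` from the inline template both reach the page unchanged; under strict encoding the property value is always encoded, and the `<i>` only survives when the template is referenced through a space property.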

Detect Health Issues

The Name List Macro allows specifying arbitrary names. If a name actually references a document, a link is rendered. This approach is different from using a display property macro, where the referenced document is required to exist. The projectdoc Toolbox refers to the links rendered by name macros as dynamic links, in contrast to the links rendered by display property macros.

Dynamic links may lose their target document involuntarily. These issues are hard to detect. To help users find and fix these issues, this version of the projectdoc Toolbox adds the following improvements and features.


Space Property Rendering

We encountered HTML encoding issues with the rendering of space properties. 

Originally the space properties were intended to be plain text properties used as variables for matching only. This simple concept was abandoned a long time ago. Today a space property may contain any HTML fragment. With PDAC-1469 we fix an issue where the rendered property may not have been HTML encoded.

Preparation for Data Center Support

We are working on getting Atlassian's Data Center compatibility approval for the projectdoc Toolbox.

We plan to provide the Data Center version by the end of 2021. In summer we will release version 5.0 of the projectdoc Toolbox, which will require an update of the database tables. This may be inconvenient, since the document entries in these tables have to be recalculated. With a large number of projectdoc documents we recommend checking the upgrade in a test instance to estimate how long the table update will take.

To prepare your installation for this version we recommend setting the system property de.smartics.projectdoc.security.strictHtmlEncoding to true. This requires using the new template references for complex select templates where HTML code is required for rendering.

Please refer to PDAC-1478 and PDAC-1462 for more information.

Installation Instructions

Install the new OBR of the projectdoc Toolbox.

Upgrade Instructions

Please follow this short guide to update to this new version of the projectdoc Toolbox. For detailed information on dependencies, please consult the documentation of the add-ons.

Reindex

Due to the following issues, a reindex is required to update properties.


In case you do not use any of these features, there is no need for a reindex.

Please refer to Troubleshooting Reindexer for projectdoc Documents for details on how to reindex projectdoc documents.

List of Changes

The following changes are part of the latest projectdoc Toolbox for Confluence.


Resources

Release Notes for the projectdoc Toolbox
Information on all released versions of the projectdoc Toolbox for Confluence.
Glossary
Terms used in and defined for projectdoc.
FAQs
Questions and answers related to the projectdoc Toolbox and Confluence.