We have a plugin in Jira using osworkflow to define our own custom workflow. Atlassian recently (Jira v8.18.0) introduced a security enhancement that secures customers' instances from remote code execution ([JRASERVER-72660] Remote code execution in workflow import - CVE-2017-18113). Due to this fix, workflow-functions and conditions used in our app's custom workflows stopped working.
Jira logs showed a warning -
To disable the protection in Jira 8.18.1 and above administrators can enable the dark feature flag: com.atlassian.jira.security.LegacyJiraTypeResolver.WARN_ONLY.enabled.
Asking our customers to enable the dark feature flag was not possible, as it would reintroduce the security vulnerability for them.
So we contacted Atlassian's engineering team, and they suggested the two solutions below:
- export com.amoeboids.apps.service.workflow.condition.PermissionCondition as workflow module
- temporary override osworkflow type resolver
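```java
// TypeResolver holds a single static resolver, so save the current one first.
TypeResolver originalResolver = TypeResolver.getResolver();
TypeResolver.setResolver(new TypeResolver());
try {
    // here invoke osworkflow
} finally {
    // Restore the original resolver even if the osworkflow call throws.
    TypeResolver.setResolver(originalResolver);
}
```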
The first solution was recommended over the second, and we exported the required conditions/functions from our app using Workflow modules.
Due to this change, our workflow functions started getting listed on Jira's 'Add Post Function To Transition' screen.
Can we prevent this, as these functions are not intended for Jira's internal workflows?
We have gone through https://developer.atlassian.com/server/jira/platform/workflow-modules/#function-configuration and do not see any solution here.