Osworkflow not working with jira 8.18.0

Jira Development Jira Data Center
, , ,
1

We have a plugin in jira using osworkflow to define our own custom workflow. Our plugin works within jira and when i try to initialize workflow, We are getting this error in jira.log.

Caesium-1-3 ERROR ServiceRunner
[c.a.jira.workflow.DefaultOSWorkflowConfigurator] Rejecting usage of unsafe workflow function/class: com.service.workflow.condition.PermissionCondition . You can enable usage of this class by adding com.atlassian.jira.security.LegacyJiraTypeResolver.WARN_ONLY.enabled dark feature flag to Jira. Do it only if you are sure its known and secure case. It will make Jira vulnerablefor potential attacks.

and we are getting below exception

[INFO] [talledLocalContainer] com.opensymphony.workflow.WorkflowException: Could not load condition [INFO] [talledLocalContainer] at com.opensymphony.workflow.AbstractWorkflow.passesCondition(AbstractWorkflow.java:1045) [INFO] [talledLocalContainer] at com.opensymphony.workflow.AbstractWorkflow.passesConditions(AbstractWorkflow.java:1083) [INFO] [talledLocalContainer] at com.opensymphony.workflow.AbstractWorkflow.passesConditions(AbstractWorkflow.java:1107) [INFO] [talledLocalContainer] at com.opensymphony.workflow.AbstractWorkflow.canInitialize(AbstractWorkflow.java:862) [INFO] [talledLocalContainer] at com.opensymphony.workflow.AbstractWorkflow.initialize(AbstractWorkflow.java:598)

our osworkflow.xml file looks like

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE workflow PUBLIC "-//OpenSymphony Group//DTD OSWorkflow 2.8//EN" "http://www.opensymphony.com/osworkflow/workflow_2_8.dtd">
<workflow>
    <initial-actions>
        <action id="1" name="Distribute">
            <meta name="addon.i18n.submit">com.form.distribute</meta>
            <meta name="addon.i18n.title">com.form.distribute</meta>
            <meta name="addon.description">com.form.distribute</meta>
            <meta name="addon.dist.status.id">1</meta>
            <meta name="addon.dist.user.status.id">1</meta>
            <restrict-to>
                <conditions>
                    <condition type="class">
                        <arg name="permission">HAS_DISTRIBUTION_PERMISSION</arg>
                        <arg name="class.name">com.service.workflow.condition.PermissionCondition</arg>
                    </condition>
                </conditions>
            </restrict-to>
            <results>
                <unconditional-result old-status="null" status="Open"
                    step="1">
                    <post-functions>
                        <function type="class">
                            <arg name="class.name">com.service.workflow.function.form.DistributeForm</arg>
                        </function>
                        <function type="class">
                            <arg name="class.name">com.service.workflow.function.form.AssignToReviewer</arg>
                        </function>
                        <function type="class">
                            <arg name="class.name">com.service.workflow.function.form.SendFormActionMail</arg>
                            <arg name="mail.action">1</arg>
                        </function>
                    </post-functions>
                </unconditional-result>
            </results>
        </action>
    </initial-actions>
    <common-actions>
    <action id="21" name="Distribution Close">
            <meta name="addon.i18n.submit">com.form.distribution.user.close</meta>
            <meta name="addon.i18n.title">com.form.distribution.user.close</meta>
            <meta name="addon.description">com.form.response.close.confirmation.message</meta>
            <meta name="addon.user.action">false</meta>         
            <results>
                <unconditional-result old-status="Open" status="close" step="-1">
                    <post-functions>
                        <function type="class">
                            <arg name="class.name">com.service.workflow.function.form.DistributionUserClose</arg>
                            <arg name="status">3</arg>
                        </function>
                        
                    </post-functions>
                </unconditional-result>
            </results>
        </action>
    </common-actions>
    <steps>
        <step id="1" name="Open">
            <actions>
                <common-action id="21" />
                <common-action id="22" />
                <common-action id="5" />
                <common-action id="2" />                
            </actions>
        </step>
        <step id="3" name="Re-Opened">
            <actions>
                <common-action id="5" />
                <common-action id="2" />
                <common-action id="21" />
                <common-action id="22" />               
            </actions>
        </step>
    </steps>
</workflow>
2

More information related to issue

  1. We are using osworkflow-2.9.0-atlassian-1.jar
  2. It was working for all versions of jira prior to jira 8.18.0 and failing on 8.18.x. Is there any specific change related to this in jira 8.18.0 ?

Also when I add com.atlassian.jira.security.LegacyJiraTypeResolver.WARN_ONLY.enabled dark feature flag to Jira. It works !! Is it possible to achieve this by making changes in code so customer don’t need to enable this dark feature?

3

@shiv, thank you for reaching out!

Recently, we have introduced a security enhancement that secures customers’ instances from remote code execution. You can find more details about the vulnerability in the public JAC ticket. - [JRASERVER-72660] Remote code execution in workflow import - CVE-2017-18113 - Create and track feature requests for Atlassian products.

In response to your latter question, we strongly recommend not changing the instance’s configuration on the customer’s behalf. Please keep in mind that turning on the flag reintroduces the security vulnerability and is exposing instances to remote code execution.

One of the solutions for your current situation could be implementing an UI change notifying the instance administrators about a given problem, its root cause, and steps that would have to be taken to make the plugin operational.

Please, don’t hesitate to reach out to us again in case of further questions.

Greetings,

Mateusz Marzęcki

Jira Server & Data Center

1 Like
4

Thanks @mmarzecki

This is a case of usages of osworkflow outside of Jira internal usages. Received reply from engg team. Suggested below 2 approaches which actually worked for us.

  1. export com.apps.service.workflow.condition.PermissionCondition as workflow module
  2. temporary override osworkflow type resolver:
TypeResolver originalResolver = TypeResolver.getResolver();
TypeResolver.setResolver(new TypeResolver());
// here invoke osworkflow 
TypeResolver.setResolver(originalResolver);`
1 Like
5

Hi @mmarzecki ,
we are again getting the following error when we try to use osworkflow on Jira 9.17.0

2024-07-02 11:52:32,266+0000 http-nio-8080-exec-7 ERROR admin 712x106889x1 stntdz 112.133.217.119,127.0.0.1 /rest/upraisesuccess/latest/distributions/757/addUser [c.a.jira.workflow.DefaultOSWorkflowConfigurator] Rejecting usage of unsafe workflow function/class: `com.amoeboids.apps.service.workflow.condition.PermissionCondition`. You can enable usage of this class by adding `com.atlassian.jira.security.LegacyJiraTypeResolver.WARN_ONLY.enabled` dark feature flag to Jira. Do it only if you are sure its known and secure case. It will make Jira vulnerablefor potential attacks.
2024-07-02 11:52:32,272+0000 http-nio-8080-exec-7 ERROR admin 712x106889x1 stntdz 112.133.217.119,127.0.0.1 /rest/upraisesuccess/latest/distributions/757/addUser [c.a.a.service.impl.DistributionServiceImpl] error
com.opensymphony.workflow.WorkflowException: Could not load condition
        at com.opensymphony.workflow.AbstractWorkflow.passesCondition(AbstractWorkflow.java:1045)
        at com.opensymphony.workflow.AbstractWorkflow.passesConditions(AbstractWorkflow.java:1083)
        at com.opensymphony.workflow.AbstractWorkflow.passesConditions(AbstractWorkflow.java:1107)
        at com.opensymphony.workflow.AbstractWorkflow.canInitialize(AbstractWorkflow.java:862)
        at com.opensymphony.workflow.AbstractWorkflow.initialize(AbstractWorkflow.java:598)
        at com.amoeboids.apps.service.impl.DistributionServiceImpl.createWorkflowEntries(DistributionServiceImpl.java:455)
        at com.amoeboids.apps.service.impl.DistributionServiceImpl.addDistributionUser(DistributionServiceImpl.java:1092)
        at com.amoeboids.apps.rest.v1.distribution.DistributionResource.addDistributionUser(DistributionResource.java:656)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.base/java.lang.reflect.Method.invoke(Unknown Source)
        ... 19 filtered
        at com.atlassian.plugins.rest.module.RestDelegatingServletFilter$JerseyOsgiServletContainer.doFilter(RestDelegatingServletFilter.java:171)
        ... 1 filtered
        at com.atlassian.plugins.rest.module.RestDelegatingServletFilter.doFilter(RestDelegatingServletFilter.java:75)
        ... 32 filtered
        at com.atlassian.servicedesk.internal.web.ExternalCustomerLockoutFilter.doFilter(ExternalCustomerLockoutFilter.java:55)
        ... 8 filtered
        at com.atlassian.jira.plugin.mobile.web.filter.MobileAppRequestFilter.doFilter(MobileAppRequestFilter.java:59)
        ... 4 filtered
        at com.atlassian.jira.plugin.mobile.login.MobileLoginSuccessFilter.doFilter(MobileLoginSuccessFilter.java:54)
        ... 3 filtered
        at com.atlassian.diagnostics.internal.platform.monitor.http.HttpRequestMonitoringFilter.doFilter(HttpRequestMonitoringFilter.java:54)
        ... 8 filtered
        at com.miniorange.rest.auth.filter.MoUserRestrictionFilter.doFilter(MoUserRestrictionFilter.java:57)
        ... 3 filtered
        at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
        ... 43 filtered
        at com.atlassian.oauth2.scopes.web.ReadWriteScopeFilter.doFilter(ReadWriteScopeFilter.java:46)
        ... 3 filtered
        at com.atlassian.plugins.slack.analytics.SlackAnalyticsFilter.doFilter(SlackAnalyticsFilter.java:35)
        ... 3 filtered
        at com.atlassian.ratelimiting.internal.filter.RateLimitFilter.doFilter(RateLimitFilter.java:73)
        ... 3 filtered
        at com.atlassian.troubleshooting.thready.filter.AbstractThreadNamingFilter.doFilter(AbstractThreadNamingFilter.java:46)
        ... 17 filtered
        at com.atlassian.jira.security.JiraSecurityFilter.lambda$doFilter$0(JiraSecurityFilter.java:66)
        ... 1 filtered
        at com.atlassian.jira.security.JiraSecurityFilter.doFilter(JiraSecurityFilter.java:64)
        ... 16 filtered
        at com.atlassian.plugins.rest.module.servlet.RestSeraphFilter.doFilter(RestSeraphFilter.java:38)
        ... 3 filtered
        at com.atlassian.pats.web.filter.TokenBasedAuthenticationFilter.doFilter(TokenBasedAuthenticationFilter.java:82)
        ... 3 filtered
        at com.atlassian.oauth2.provider.core.web.AccessTokenFilter.doFilter(AccessTokenFilter.java:81)
        ... 19 filtered
        at com.atlassian.jira.servermetrics.CorrelationIdPopulatorFilter.doFilter(CorrelationIdPopulatorFilter.java:30)
        ... 5 filtered
        at com.atlassian.plugins.authentication.impl.basicauth.filter.DisableBasicAuthFilter.doFilter(DisableBasicAuthFilter.java:70)
        ... 3 filtered
        at com.atlassian.servicedesk.internal.web.CustomerContextSettingFilter.lambda$invokeFilterChain$0(CustomerContextSettingFilter.java:220)
        at com.atlassian.servicedesk.internal.api.util.context.ReentrantThreadLocalBasedCodeContext.rteInvoke(ReentrantThreadLocalBasedCodeContext.java:136)
        at com.atlassian.servicedesk.internal.api.util.context.ReentrantThreadLocalBasedCodeContext.runOutOfContext(ReentrantThreadLocalBasedCodeContext.java:89)
        at com.atlassian.servicedesk.internal.utils.context.CustomerContextServiceImpl.runOutOfCustomerContext(CustomerContextServiceImpl.java:47)
        at com.atlassian.servicedesk.internal.web.CustomerContextSettingFilter.outOfCustomerContext(CustomerContextSettingFilter.java:211)
        at com.atlassian.servicedesk.internal.web.CustomerContextSettingFilter.doFilterImpl(CustomerContextSettingFilter.java:139)
        at com.atlassian.servicedesk.internal.web.CustomerContextSettingFilter.doFilter(CustomerContextSettingFilter.java:128)
        ... 4 filtered
        at com.atlassian.jwt.internal.servlet.JwtAuthFilter.doFilter(JwtAuthFilter.java:37)
        ... 8 filtered
        at com.miniorange.rest.auth.filter.MoRestAPIFilter.doFilter(MoRestAPIFilter.java:97)
        ... 3 filtered
        at com.atlassian.ratelimiting.internal.filter.RateLimitPreAuthFilter.doFilter(RateLimitPreAuthFilter.java:71)
        ... 3 filtered
        at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
        ... 4 filtered
        at com.atlassian.troubleshooting.thready.filter.AbstractThreadNamingFilter.doFilter(AbstractThreadNamingFilter.java:46)
        ... 3 filtered
        at com.atlassian.web.servlet.plugin.LocationCleanerFilter.doFilter(LocationCleanerFilter.java:36)
        ... 26 filtered
        at com.atlassian.jira.servermetrics.MetricsCollectorFilter.doFilter(MetricsCollectorFilter.java:25)
        ... 25 filtered
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Unknown Source)

Earlier also we were getting the same error when we tried to use osworkflow on Jira 8.18.0. At that time we fixed this issue by adding the workflow classes in our atlassian-plugin.xml file. It fixed the issue at that time for us.
But now we are gain getting the same error for Jira 9.17.0.

Last time we did the following change in our atlassian-plugin.xml

	<workflow-condition key="upraise-permission-condition-${addon.key}" name="PermissionCondition"><condition-class>com.amoeboids.apps.service.workflow.condition.PermissionCondition</condition-class></workflow-condition>
	<workflow-condition key="upraise-import-objectives-condition-${addon.key}" name="ImportObjectivesCondition"><condition-class>com.amoeboids.apps.service.workflow.condition.ImportObjectivesCondition</condition-class></workflow-condition>
	<workflow-condition key="upraise-applicable-section-condition-${addon.key}" name="ApplicableSectionCondition"><condition-class>com.amoeboids.apps.service.workflow.condition.ApplicableSectionCondition</condition-class></workflow-condition>
	<workflow-condition key="upraise-skip-objectives-condition-${addon.key}" name="SkipObjectivesCondition"><condition-class>com.amoeboids.apps.service.workflow.condition.SkipObjectivesCondition</condition-class></workflow-condition>
	
	<workflow-function key="upraise-distribute-form-${addon.key}" name="DistributeForm"><function-class>com.amoeboids.apps.service.workflow.function.form.DistributeForm</function-class></workflow-function>
	<workflow-function key="upraise-assign-to-reviewer-${addon.key}" name="AssignToReviewer"><function-class>com.amoeboids.apps.service.workflow.function.form.AssignToReviewer</function-class></workflow-function>
	<workflow-function key="upraise-update-distribution-user-status-${addon.key}" name="UpdateDistributionUserStatus"><function-class>com.amoeboids.apps.service.workflow.function.form.UpdateDistributionUserStatus</function-class></workflow-function>
	<workflow-function key="upraise-send-form-action-mail-${addon.key}" name="SendFormActionMail"><function-class>com.amoeboids.apps.service.workflow.function.form.SendFormActionMail</function-class></workflow-function>
	<workflow-function key="upraise-assign-to-about-${addon.key}" name="AssignToAbout"><function-class>com.amoeboids.apps.service.workflow.function.form.AssignToAbout</function-class></workflow-function>
	<workflow-function key="upraise-distribution-user-close-${addon.key}" name="DistributionUserClose"><function-class>com.amoeboids.apps.service.workflow.function.form.DistributionUserClose</function-class></workflow-function>
	<workflow-function key="upraise-distribution-user-open-${addon.key}" name="DistributionUserOpen"><function-class>com.amoeboids.apps.service.workflow.function.form.DistributionUserOpen</function-class></workflow-function>
	<workflow-function key="upraise-save-response-draft-${addon.key}" name="SaveResponseDraft"><function-class>com.amoeboids.apps.service.workflow.function.form.SaveResponseDraft</function-class></workflow-function>
	<workflow-function key="upraise-update-about-user-status-${addon.key}" name="UpdateAboutUserStatus"><function-class>com.amoeboids.apps.service.workflow.function.form.UpdateAboutUserStatus</function-class></workflow-function>
	<workflow-function key="upraise-sharewith-reviewer-${addon.key}" name="ShareWithReviewer"><function-class>com.amoeboids.apps.service.workflow.function.form.ShareWithReviewer</function-class></workflow-function>
	<workflow-function key="upraise-sharewith-hruser-${addon.key}" name="ShareWithHrUser"><function-class>com.amoeboids.apps.service.workflow.function.form.ShareWithHrUser</function-class></workflow-function>
	<workflow-function key="upraise-update-reviewer-status-${addon.key}" name="UpdateReviewerStatus"><function-class>com.amoeboids.apps.service.workflow.function.form.UpdateReviewerStatus</function-class></workflow-function>
	<workflow-function key="upraise-sharewith-abouttouser-${addon.key}" name="ShareWithAboutToUser"><function-class>com.amoeboids.apps.service.workflow.function.form.ShareWithAboutToUser</function-class></workflow-function>
	<workflow-function key="upraise-remove-response-sharing-${addon.key}" name="RemoveResponseSharing"><function-class>com.amoeboids.apps.service.workflow.function.form.RemoveResponseSharing</function-class></workflow-function>
	<workflow-function key="upraise-update-response-todraft-${addon.key}" name="UpdateResponseToDraft"><function-class>com.amoeboids.apps.service.workflow.function.form.UpdateResponseToDraft</function-class></workflow-function>
	<workflow-function key="upraise-sharewith-users-${addon.key}" name="ShareWithUsers"><function-class>com.amoeboids.apps.service.workflow.function.form.ShareWithUsers</function-class></workflow-function>
	<workflow-function key="upraise-assignto-hruser-${addon.key}" name="AssignToHrUser"><function-class>com.amoeboids.apps.service.workflow.function.form.AssignToHrUser</function-class></workflow-function>
	<workflow-function key="upraise-assignto-reviewer-manager-${addon.key}" name="AssignToReviewerManager"><function-class>com.amoeboids.apps.service.workflow.function.form.AssignToReviewerManager</function-class></workflow-function>
	<workflow-function key="upraise-assignto-review-creator-${addon.key}" name="AssignToReviewCreator"><function-class>com.amoeboids.apps.service.workflow.function.form.AssignToReviewCreator</function-class></workflow-function>
	<workflow-function key="upraise-sharewith-hrrole-${addon.key}" name="ShareWithHRRole"><function-class>com.amoeboids.apps.service.workflow.function.form.ShareWithHRRole</function-class></workflow-function>
	<workflow-function key="upraise-sharewith-configured-users-${addon.key}" name="ShareWithConfiguredUsers"><function-class>com.amoeboids.apps.service.workflow.function.form.ShareWithConfiguredUsers</function-class></workflow-function>
	<workflow-function key="upraise-sharewith-user-${addon.key}" name="ShareWithUser"><function-class>com.amoeboids.apps.service.workflow.function.form.ShareWithUser</function-class></workflow-function>
	<workflow-function key="upraise-remove-from-draft-${addon.key}" name="RemoveFromDraft"><function-class>com.amoeboids.apps.service.workflow.function.form.RemoveFromDraft</function-class></workflow-function>
	<workflow-function key="upraise-update-form-status-${addon.key}" name="UpdateFormStatus"><function-class>com.amoeboids.apps.service.workflow.function.form.UpdateFormStatus</function-class></workflow-function>
	<workflow-function key="upraise-update-distribution-status-${addon.key}" name="UpdateDistributionStatus"><function-class>com.amoeboids.apps.service.workflow.function.form.UpdateDistributionStatus</function-class></workflow-function>
	
	<workflow-validator key="upraise-form-validator-${addon.key}" name="FormValidator"><validator-class>com.amoeboids.apps.service.workflow.validator.FormValidator</validator-class></workflow-validator>
	<workflow-validator key="upraise-editable-section-validator-${addon.key}" name="EditableSectionValidator"><validator-class>com.amoeboids.apps.service.workflow.validator.EditableSectionValidator</validator-class></workflow-validator>

What can be done to fix this?