Osworkflow not working with jira 8.18.0

We have a plugin in Jira that uses osworkflow to define our own custom workflow. Our plugin works within Jira, and when I try to initialize the workflow, we get this error in jira.log:

```
Caesium-1-3 ERROR ServiceRunner [c.a.jira.workflow.DefaultOSWorkflowConfigurator] Rejecting usage of unsafe workflow function/class: com.service.workflow.condition.PermissionCondition . You can enable usage of this class by adding com.atlassian.jira.security.LegacyJiraTypeResolver.WARN_ONLY.enabled dark feature flag to Jira. Do it only if you are sure its known and secure case. It will make Jira vulnerablefor potential attacks.
```

and we are getting the exception below:

```
[INFO] [talledLocalContainer] com.opensymphony.workflow.WorkflowException: Could not load condition
[INFO] [talledLocalContainer] at com.opensymphony.workflow.AbstractWorkflow.passesCondition(AbstractWorkflow.java:1045)
[INFO] [talledLocalContainer] at com.opensymphony.workflow.AbstractWorkflow.passesConditions(AbstractWorkflow.java:1083)
[INFO] [talledLocalContainer] at com.opensymphony.workflow.AbstractWorkflow.passesConditions(AbstractWorkflow.java:1107)
[INFO] [talledLocalContainer] at com.opensymphony.workflow.AbstractWorkflow.canInitialize(AbstractWorkflow.java:862)
[INFO] [talledLocalContainer] at com.opensymphony.workflow.AbstractWorkflow.initialize(AbstractWorkflow.java:598)
```

Our osworkflow.xml file looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE workflow PUBLIC "-//OpenSymphony Group//DTD OSWorkflow 2.8//EN" "http://www.opensymphony.com/osworkflow/workflow_2_8.dtd">
<workflow>
    <initial-actions>
        <action id="1" name="Distribute">
            <meta name="addon.i18n.submit">com.form.distribute</meta>
            <meta name="addon.i18n.title">com.form.distribute</meta>
            <meta name="addon.description">com.form.distribute</meta>
            <meta name="addon.dist.status.id">1</meta>
            <meta name="addon.dist.user.status.id">1</meta>
            <restrict-to>
                <conditions>
                    <condition type="class">
                        <arg name="permission">HAS_DISTRIBUTION_PERMISSION</arg>
                        <arg name="class.name">com.service.workflow.condition.PermissionCondition</arg>
                    </condition>
                </conditions>
            </restrict-to>
            <results>
                <unconditional-result old-status="null" status="Open"
                    step="1">
                    <post-functions>
                        <function type="class">
                            <arg name="class.name">com.service.workflow.function.form.DistributeForm</arg>
                        </function>
                        <function type="class">
                            <arg name="class.name">com.service.workflow.function.form.AssignToReviewer</arg>
                        </function>
                        <function type="class">
                            <arg name="class.name">com.service.workflow.function.form.SendFormActionMail</arg>
                            <arg name="mail.action">1</arg>
                        </function>
                    </post-functions>
                </unconditional-result>
            </results>
        </action>
    </initial-actions>
    <common-actions>
    <action id="21" name="Distribution Close">
            <meta name="addon.i18n.submit">com.form.distribution.user.close</meta>
            <meta name="addon.i18n.title">com.form.distribution.user.close</meta>
            <meta name="addon.description">com.form.response.close.confirmation.message</meta>
            <meta name="addon.user.action">false</meta>         
            <results>
                <unconditional-result old-status="Open" status="close" step="-1">
                    <post-functions>
                        <function type="class">
                            <arg name="class.name">com.service.workflow.function.form.DistributionUserClose</arg>
                            <arg name="status">3</arg>
                        </function>
                        
                    </post-functions>
                </unconditional-result>
            </results>
        </action>
    </common-actions>
    <steps>
        <step id="1" name="Open">
            <actions>
                <common-action id="21" />
                <common-action id="22" />
                <common-action id="5" />
                <common-action id="2" />                
            </actions>
        </step>
        <step id="3" name="Re-Opened">
            <actions>
                <common-action id="5" />
                <common-action id="2" />
                <common-action id="21" />
                <common-action id="22" />               
            </actions>
        </step>
    </steps>
</workflow>

More information related to the issue:

  1. We are using osworkflow-2.9.0-atlassian-1.jar
  2. It was working for all versions of Jira prior to Jira 8.18.0 and is failing on 8.18.x. Is there any specific change related to this in Jira 8.18.0?

Also, when I add the com.atlassian.jira.security.LegacyJiraTypeResolver.WARN_ONLY.enabled dark feature flag to Jira, it works!! Is it possible to achieve this by making changes in code so the customer doesn't need to enable this dark feature?

@shiv, thank you for reaching out!

Recently, we have introduced a security enhancement that secures customers’ instances from remote code execution. You can find more details about the vulnerability in the public JAC ticket: https://jira.atlassian.com/browse/JRASERVER-72660

In response to your latter question, we strongly recommend not changing the instance’s configuration on the customer’s behalf. Please keep in mind that turning on the flag reintroduces the security vulnerability and is exposing instances to remote code execution.

One of the solutions for your current situation could be implementing a UI change notifying the instance administrators about a given problem, its root cause, and steps that would have to be taken to make the plugin operational.

Please, don’t hesitate to reach out to us again in case of further questions.

Greetings,

Mateusz Marzęcki

Jira Server & Data Center


Thanks @mmarzecki

This is a case of usage of osworkflow outside of Jira's internal usages. I received a reply from the engineering team, who suggested the 2 approaches below, which actually worked for us.

  1. Export com.apps.service.workflow.condition.PermissionCondition as a workflow module.
  2. Temporarily override the osworkflow type resolver:

     ```java
     // TypeResolver is static (JVM-wide); restore it even if the call throws
     TypeResolver originalResolver = TypeResolver.getResolver();
     TypeResolver.setResolver(new TypeResolver());
     try {
         // here invoke osworkflow
     } finally {
         TypeResolver.setResolver(originalResolver);
     }
     ```
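An added example, not part of the original thread and not Jira or OSWorkflow code: a Python script that lists every class an OSWorkflow descriptor asks the type resolver to load, which is the set approach 1 would have to export and the set an administrator should review before relaxing the check. The sample XML is a trimmed, constructed copy of the descriptor from the question with one constructed out-of-package class (`org.example.Unreviewed`); the function names and the package allowlist are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed copy of the osworkflow.xml from the question,
# plus one constructed class (org.example.Unreviewed) outside the plugin's package.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE workflow PUBLIC "-//OpenSymphony Group//DTD OSWorkflow 2.8//EN" "http://www.opensymphony.com/osworkflow/workflow_2_8.dtd">
<workflow>
  <initial-actions>
    <action id="1" name="Distribute">
      <restrict-to><conditions>
        <condition type="class">
          <arg name="permission">HAS_DISTRIBUTION_PERMISSION</arg>
          <arg name="class.name">com.service.workflow.condition.PermissionCondition</arg>
        </condition>
      </conditions></restrict-to>
      <results><unconditional-result old-status="null" status="Open" step="1">
        <post-functions>
          <function type="class">
            <arg name="class.name">com.service.workflow.function.form.DistributeForm</arg>
          </function>
          <function type="class">
            <arg name="class.name">org.example.Unreviewed</arg>
          </function>
        </post-functions>
      </unconditional-result></results>
    </action>
  </initial-actions>
</workflow>"""

# Descriptor elements through which OSWorkflow instantiates a named class.
LOADERS = {"condition", "function", "validator", "register"}

def referenced_classes(xml_bytes):
    """Return sorted (element kind, class name) pairs for every type="class" entry."""
    root = ET.fromstring(xml_bytes)  # the external DTD is not fetched
    found = set()
    for el in root.iter():
        if el.tag in LOADERS and el.get("type") == "class":
            for arg in el.findall("arg"):
                if arg.get("name") == "class.name":
                    found.add((el.tag, (arg.text or "").strip()))
    return sorted(found)

def outside_allowlist(refs, prefixes):
    """Entries whose class is not under an expected package prefix."""
    return [r for r in refs if not any(r[1].startswith(p) for p in prefixes)]
```

Keep the trailing dot on each allowlist prefix (for example `com.service.workflow.`) so that a look-alike package such as `com.service.workflowx` does not match.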