Velocity/Action method allowlist problems

Hi everyone,

We have finally tackled the task of making our app compatible with Confluence 9.x. However, we are really struggling to make this work for everything from the latest 7.x LTS up to the current version.

Specifically:

We have a bunch of Velocity templates that used to call an action method that is not automatically allowlisted (it takes a parameter). From what I've seen, the velocity allowlist module is only provided for Confluence 9. Does that mean I can't build the whole thing in a way that is still compatible with 7.x or even 8.x? Or can I?

We really do not want to create different versions of the plugin for 7.x/8.x vs. 9.x; we could work around everything else so far, but not this.

Other approaches we have tried:

  • Let the action return something that is auto-allowlisted and parse it in the template using split. This doesn't work because:
    – array index notation is only supported since Velocity 1.7, and Atlassian provides 1.6
    – get(index) doesn't work because not even the methods from the core Velocity framework are allowlisted??? "Invocation blocked as method is not allowlisted: org.apache.velocity.util.ArrayListWrapper#get(int)"

  • Rewrite everything in terms of a servlet request, which is not subject to these restrictions: yeah, sure…

Any ideas? I'm not exactly a pro in any of these technologies, but so far I haven't had to be…

Atlassian: If you read this and care, would it be too much to ask to at least allowlist methods from org.apache.velocity, or at least query methods like get(int), which most certainly don't have any security impact?

Jasmine

Never mind, we got it working somehow… It would still be nice to know how to deal with the allowlist module, though.
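For reference, this is what an explicit allowlist entry for a parameterised action method looks like in a plugin descriptor. It is an added example and not something posted in the thread above; the plugin, package, class and method names are hypothetical, and the shape of the module (a velocity-allowlist element in atlassian-plugin.xml listing each method as fully.qualified.Class#method(parameter types)) is assumed from the Confluence 9 velocity-allowlist module, so check the current Atlassian developer documentation for the exact schema. The signature format matches the notation in the "Invocation blocked" message quoted in the post, org.apache.velocity.util.ArrayListWrapper#get(int), which is a useful way to copy the exact entry the allowlist is asking for.

```xml
<!-- Added example, not from the thread. Assumes the Confluence 9 velocity-allowlist
     plugin module; all plugin, package, class and method names are hypothetical. -->
<atlassian-plugin key="com.example.my-plugin" name="My Plugin" plugins-version="2">
    <plugin-info>
        <version>1.0.0</version>
    </plugin-info>

    <!-- Methods with parameters are not auto-allowlisted, so every signature a
         template invokes must be listed explicitly. Parameter types are fully
         qualified and must match the Java signature exactly; overloads are
         separate entries. Only list what templates genuinely need: each entry
         widens what template authors can reach from Velocity. -->
    <velocity-allowlist key="my-plugin-velocity-allowlist" name="My Plugin Velocity Allowlist">
        <!-- Hypothetical: a label lookup called from templates as $action.getLabelFor("key") -->
        <method>com.example.myplugin.actions.MyPageAction#getLabelFor(java.lang.String)</method>
        <!-- Hypothetical overload: $action.getLabelFor("key", 3) needs its own entry -->
        <method>com.example.myplugin.actions.MyPageAction#getLabelFor(java.lang.String,int)</method>
    </velocity-allowlist>
</atlassian-plugin>
```

Whether a 7.x or 8.x instance tolerates a module type it does not know in the same descriptor is not something this thread establishes; test that on an older instance before relying on a single plugin build across versions.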