5.x Release Notes
Check out what’s new for ScriptRunner for Bitbucket Server.
SRPLAT-999 - Script Editor - deprecations of inner classes are now correctly shown.
SRBITB-412 - There was a static type checking error when using projectKey in JQL query template.
SRPLAT-931 - The code editor did not show method deprecation warnings for SAL.
SRBITB-682 - Deprecation hints were enabled in Script Editor for Bitbucket 7.
SRBITB-678 - Deprecation hints were enabled in Script Editor for Bitbucket 6.
SRPLAT-912 - Script Editor has been fixed.
SRPLAT-908 - A bug that prevented editing of previously configured script files has been fixed.
IntelliJ IDEA Plugin Deprecation
We are officially deprecating the IntelliJ IDEA plugin, also known as the Adaptavist Power Editor. ScriptRunner 5.6.13 contains the last bugfix we will ship for this feature, and 0.7.20 is the last release we will make on the JetBrains marketplace. Future support requests for this feature will be referred to this deprecation notice.
As can be seen from the review history on our JetBrains marketplace listing, we haven’t been consistently keeping up with JetBrains’s quarterly release schedule, due to prioritisation constraints.
Reasons for the Change
Two key concerns motivated our decision to deprecate: the opportunity cost of developing the Adaptavist Power Editor and its overlap with other ScriptRunner features.
The IntelliJ IDEA platform is a rich, fast-moving one. Just about every release requires refactoring some part of our plugin’s codebase. As users of IntelliJ IDEA, we love this rapid development. However, it is a challenge to keep up with developing a secondary plugin that is not our core product, while also keeping an eye on the Atlassian release cycle. While IntelliJ IDEA was an interesting platform to expand into, it required more focus than we were able to give it.
Further, we are continuing to maintain and develop two other features which meet most of the needs met by the IntelliJ Plugin.
These are the Code Editor and the scriptrunner-samples repository for local development.
The Code Editor provides smart completions, parameter hints, and javadoc lookup. While that’s nowhere near the feature set provided by IntelliJ IDEA, it does provide a rich development experience, one which we’d like to develop further. Most importantly, the Code Editor is up and running by default with no setup.
For users who want a deeper development experience and don’t mind some setup, developing a Script Plugin affords a fully featured IDE, git integration, the ability to save script configuration as code, and other developer tools.
With the addition of the Code Editor (with built-in autocompletion), and the new Script Editor (allowing users to save files in script roots), the Adaptavist Power Editor had a very niche user base with a very high maintenance burden. Although we had reservations about deprecating the IntelliJ IDEA integration due to feature loss in the short term, increased investment in the core ScriptRunner product is our priority.
Continuing to let the Adaptavist Power Editor lag with late compatibility updates wasn’t fair to our users, and we are committed to delivering more new features and improvements to the ScriptRunner product itself.
Ultimately, creating a plugin for IntelliJ IDEA was a valuable experiment. It taught us important lessons about providing a rich code editor that we still want to incorporate into the core Code Editor. We would love to hear from you which aspects you found most valuable. Please contact us through our support portal if there are features you would like to request for the Code Editor.
ScriptRunner Remote Events Code Execution Vulnerability
An HTTP POST made to /rest/scriptrunner/latest/remote-events with a specially crafted JSON payload could lead to unrestricted Groovy code execution for any logged-in user, regardless of permissions.
This security vulnerability has been fixed in ScriptRunner 5.6.12; it is recommended all customers upgrade to 5.6.12+ where possible.
If no firewall is enabled, users must update ScriptRunner to include this security patch.
If you are unable to upgrade immediately, blocking HTTP requests beginning with <base_url>rest/scriptrunner/*/remote-events mitigates the vulnerability.
To verify the workaround is applied correctly, check that requests to <base_url>rest/scriptrunner/*/remote-events/ are denied.
Below are examples of how to apply the workaround in Apache and Tomcat by blocking requests to the ScriptRunner Remote Events endpoint at the reverse proxy, load-balancer or application server level.
Please note that Adaptavist Support does not provide any assistance for configuring reverse proxies. Consequently, we provide the below examples as is, with no support and no written or implied warranties.
Apache HTTPD Reverse Proxy
Apache 2.4 Syntax
Add the following into the .conf file containing the virtualhost that proxies to the Atlassian application.
    <LocationMatch "/rest/scriptrunner/.*/remote-events/">
        Require all denied
    </LocationMatch>
Example:
    <VirtualHost *:80>
        ServerName jira.example.com
        ProxyRequests Off
        ProxyVia Off
        <Proxy *>
            Require all granted
        </Proxy>
        ProxyPass /jira http://ipaddress:8080/jira
        ProxyPassReverse /jira http://ipaddress:8080/jira
        <LocationMatch "/rest/scriptrunner/.*/remote-events/">
            Require all denied
        </LocationMatch>
    </VirtualHost>
Apache 2.2 Syntax
Add the following into the .conf file containing the virtualhost that proxies to the Atlassian application:
    <LocationMatch "/rest/scriptrunner/.*/remote-events/">
        Order Allow,Deny
        Deny from all
    </LocationMatch>
Example:
    <VirtualHost *:80>
        ServerName jira.example.com
        ProxyRequests Off
        ProxyVia Off
        <Proxy *>
            # Apache 2.2 access-control syntax ("Require all granted" is 2.4 only)
            Order deny,allow
            Allow from all
        </Proxy>
        ProxyPass /jira http://ipaddress:8080/jira
        ProxyPassReverse /jira http://ipaddress:8080/jira
        <LocationMatch "/rest/scriptrunner/.*/remote-events/">
            Order Allow,Deny
            Deny from all
        </LocationMatch>
    </VirtualHost>
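A check for the Apache rules above, as an added example that is not Adaptavist's code: it probes the path forms the page names and lists any that are not answered with 403. `simulated_proxy`, the `jira.example.com` base URL and the broader pattern without the trailing slash are assumptions for the offline run, which shows that the rule as written does not match the slash-less form given in the advisory text.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Path forms the page names: the endpoint as the advisory gives it (no trailing
# slash), the form in the verification note (trailing slash), and a sub-path.
# "latest" and "1.0" are sample values for the "*" version segment.
VARIANTS = [
    "rest/scriptrunner/latest/remote-events",
    "rest/scriptrunner/latest/remote-events/",
    "rest/scriptrunner/1.0/remote-events/x",
]

def http_status(url):
    """Live check: plain GET (no payload), return the HTTP status code."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def not_denied(base_url, status_of=http_status):
    """Return the variant URLs that did not come back as 403 Forbidden."""
    base = base_url.rstrip("/") + "/"
    return [base + v for v in VARIANTS if status_of(base + v) != 403]

def simulated_proxy(location_match):
    """Offline stand-in for a proxy holding one deny rule. LocationMatch is
    approximated as an unanchored regex search over the URL path."""
    rule = re.compile(location_match)
    def status_of(url):
        return 403 if rule.search(urlsplit(url).path) else 200
    return status_of

if __name__ == "__main__":
    base = "http://jira.example.com/jira"  # constructed base URL
    for pattern in ("/rest/scriptrunner/.*/remote-events/",  # rule as on the page
                    "/rest/scriptrunner/.*/remote-events"):  # assumed broader rule
        print(pattern, "->", not_denied(base, simulated_proxy(pattern)))
```

Against a live instance, call `not_denied(base_url)` with the default `status_of`; an empty list means every probed form returned 403.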
Redirect requests to /rest/scriptrunner/.*/remote-events/.* to a safe URL.
Add the following to the
    <rule>
        <from>/rest/scriptrunner/.*/remote-events/.*</from>
        <to type="temporary-redirect">/</to>
    </rule>
Restart the Atlassian application.
Built In Script For Viewing And Deleting Orphaned Personal Repositories
This release includes a new built-in administrative script, which allows you to view and delete orphaned personal repositories. An orphaned repository is a personal repository which no longer has an owner, either because the owner has been deleted or become inactive.
Bitbucket has no built in support for viewing orphaned repositories: BSERV-7265.
This new built-in script provides a list of orphaned repositories and optionally allows the administrator to delete all orphaned repositories.
See our Administrative Scripts documentation for more information.
SRPLAT-670 - An exception was generated when adding or removing an event in the Events field on the Custom Event Listener screen.
SRBITB-603 - While on Bitbucket 6, the check icons did not render while using configured mirrors script.
SRBITB-584 - Old branch and tag naming standards hooks did not respond to UI-based triggers.
SRPLAT-774 - There was a MissingPropertyException in subclasses of AbstractBaseRestEndpoint when accessing the log field.
SRPLAT-773 - YAML files were not auto-deploying saved script configurations in custom plugin jars.
MaxFilesizeHook checked the LFS pointer files instead of the size of LFS pointers.
SRBITB-470 - The user interface (UI) was updated to remove misleading custom event handler and hook user instructions.
SRBITB-397 - A new canned script was added that can enable the Delete Source Branch checkbox to be checked by default on pull request (PR) merges.
SRPLAT-715 - The use of class autocompletion with an as cast operation was fixed.
SRPLAT-712 - An exception thrown by getting docs on a variable no longer occurs.
SRPLAT-709 - The fragment finder context variables overlay was added.
SRPLAT-703 - The missing Idea Integration icon was added back to code editors.
SRBITB-551 - The Auto Add Reviewers REST endpoint checks to see if the handler is disabled. If it is disabled, it does not fill in the Reviewers field in a PR creation UI.
SRBITB-541 - Support was added for proxy authentication for Github and Bitbucket mirroring.
SRBITB-539 - The Protect Git Refs canned script now responds to UI triggers.
SRBITB-398 - Email comparison in the trusted authors hook is now case-insensitive.
SRBITB-178 - ScriptRunner for Bitbucket captures a full response if HTML is returned in mirroring. Previously, only JSON was captured.
- [SRBITB-555] - Hooks get applied to requests they can't handle
Critical Security Update
This release fixes a security vulnerability that has been discovered in ScriptRunner for Bitbucket. The vulnerability affects versions 3.0.17 - 5.6.1 (inclusive) of ScriptRunner for Bitbucket.
The vulnerability is classified as critical in line with Atlassian’s Security Levels.
ScriptRunner for Bitbucket Server and Data Center prior to version 5.6.3 allowed logged in users to create and execute scripts without the correct privileges being applied by sending a specially crafted request. This could mean that a user can escalate their privileges and execute arbitrary code.
Introducing Data Center Migration Support for ScriptRunner
From release 5.6.3, ScriptRunner for Bitbucket now includes support for Atlassian’s Data Center Migration Tool.
Please see the Data Center Migration Support documentation for more details on which ScriptRunner objects are exported by the tool and how they are applied to the import instance.
Other New Features
- [SRPLAT-96] - Custom event listeners should be able to listen to events provided by plugins
- [SRBITB-230] - Allow mirrored repositories that have been moved or deleted to be removed
- [SRBITB-268] - Log capture doesn't work
- [SRBITB-427] - Custom email scripts don't run Configuration script until after subject/body templates have already been evaluated
- [SRBITB-437] - SimpleUserAccessGrant class not found when cloning a repo with branch permissions
- [SRBITB-449] - Whitelist MinimalRepositoryRef class
- [SRBITB-451] - Trusted Commit Authors hook doesn't match names when trust level set to "All authors must have WRITE access to this repository"
- [SRBITB-477] - Switch User isn't compatible with BB 6 API
- [SRBITB-479] - Static type checker doesn't recognise 'event' as being in the bindings for event handlers