5.x Release Notes
Check out what’s new for ScriptRunner for Bamboo.
ScriptRunner Remote Events Code Execution Vulnerability
An HTTP POST made to /rest/scriptrunner/latest/remote-events with a specially crafted JSON payload could lead to unrestricted Groovy code execution for any logged-in user, regardless of permissions.
This security vulnerability has been fixed in ScriptRunner 184.108.40.206; all customers are recommended to upgrade to 220.127.116.11 or later where possible.
If the endpoint is not blocked by a firewall, you must update ScriptRunner to a version that includes this security patch.
If you are unable to upgrade immediately, blocking HTTP requests whose path begins with <base_url>rest/scriptrunner/*/remote-events mitigates the vulnerability.
Note: to verify the workaround is applied correctly, check that requests to <base_url>rest/scriptrunner/*/remote-events/ are denied.
Below are examples of how to apply the workaround in Apache and Tomcat by blocking requests to the ScriptRunner Remote Events endpoint at the reverse proxy, load balancer or application server level.
Note: Adaptavist Support does not provide any assistance for configuring reverse proxies. Consequently, the examples below are provided as is, with no support and no written or implied warranties.
Apache HTTPD Reverse Proxy
Apache 2.4 Syntax
Add the following to the .conf file containing the virtualhost that proxies to the Atlassian application:

```apache
# No trailing slash after remote-events: LocationMatch is an unanchored regex search,
# so this also covers the bare /rest/scriptrunner/latest/remote-events path the advisory names.
<LocationMatch "/rest/scriptrunner/.*/remote-events">
    Require all denied
</LocationMatch>
```

Example:

```apache
<VirtualHost *:80>
    ServerName jira.example.com
    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
        Require all granted
    </Proxy>
    ProxyPass /jira http://ipaddress:8080/jira
    ProxyPassReverse /jira http://ipaddress:8080/jira
    <LocationMatch "/rest/scriptrunner/.*/remote-events">
        Require all denied
    </LocationMatch>
</VirtualHost>
```
Apache 2.2 Syntax
Add the following to the .conf file containing the virtualhost that proxies to the Atlassian application:

```apache
# No trailing slash after remote-events, so the bare endpoint path is denied as well.
<LocationMatch "/rest/scriptrunner/.*/remote-events">
    Order Allow,Deny
    Deny from all
</LocationMatch>
```

Example:

```apache
<VirtualHost *:80>
    ServerName jira.example.com
    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
        Require all granted
    </Proxy>
    ProxyPass /jira http://ipaddress:8080/jira
    ProxyPassReverse /jira http://ipaddress:8080/jira
    <LocationMatch "/rest/scriptrunner/.*/remote-events">
        Order Allow,Deny
        Deny from all
    </LocationMatch>
</VirtualHost>
```
Redirect requests to the remote-events endpoint (/rest/scriptrunner/.*/remote-events and anything beneath it) to a safe URL.
Add the following to the

```xml
<rule>
    <!-- No slash before .* so that /remote-events itself is redirected, not only sub-paths -->
    <from>/rest/scriptrunner/.*/remote-events.*</from>
    <to type="temporary-redirect">/</to>
</rule>
```

Restart the Atlassian application.
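The note above asks you to verify that requests to the remote-events endpoint are denied. The following added check script (not part of these release notes or of ScriptRunner itself) first evaluates a LocationMatch pattern the way Apache does, to show why a pattern ending in a trailing slash misses the bare endpoint path, and then probes a running proxy; the probe paths and the `base_url` argument are constructed assumptions.

```python
import re
import urllib.error
import urllib.request

# Constructed probe set: the advisory's endpoint plus path variants a block rule must also cover.
PROBE_PATHS = [
    "/rest/scriptrunner/latest/remote-events",
    "/rest/scriptrunner/latest/remote-events/",
    "/rest/scriptrunner/1.0/remote-events/anything",
]


def locationmatch_covers(pattern: str, path: str) -> bool:
    """Apache <LocationMatch> applies its regex as an unanchored search over the URL path."""
    return re.search(pattern, path) is not None


def uncovered_paths(pattern: str, paths=PROBE_PATHS) -> list:
    """Return the probe paths that the given LocationMatch pattern would NOT block."""
    return [p for p in paths if not locationmatch_covers(pattern, p)]


def is_denied(status: int) -> bool:
    """403 from Apache, or a 3xx from the Tomcat redirect rule, means the endpoint is unreachable.
    Anything else (including a 401 issued by the application itself) means the request got through."""
    return status == 403 or 300 <= status < 400


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as an HTTPError instead of following it to "/"


def probe(base_url: str, paths=PROBE_PATHS, timeout: int = 5) -> dict:
    """POST an empty JSON object to each path and report whether the proxy denied it (needs network)."""
    opener = urllib.request.build_opener(_NoRedirect)
    results = {}
    for path in paths:
        req = urllib.request.Request(base_url.rstrip("/") + path, data=b"{}", method="POST",
                                     headers={"Content-Type": "application/json"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                results[path] = is_denied(resp.status)
        except urllib.error.HTTPError as err:
            results[path] = is_denied(err.code)
    return results


if __name__ == "__main__":
    print(uncovered_paths("/rest/scriptrunner/.*/remote-events/"))  # trailing slash misses the bare path
    print(uncovered_paths("/rest/scriptrunner/.*/remote-events"))   # covers all probe paths
```

Run `probe("https://bamboo.example.com")` against your instance after restarting the proxy; every path must map to `True`.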
New user interface
The user interface has been rewritten to provide a more user-friendly experience; its appearance is very similar to the existing UI.
Customize the UI with Script Fragments
Script Fragments are here for ScriptRunner for Bamboo! Add your own customized elements to the Bamboo user interface. This can range from simple buttons and dialogs to integrations, such as adding a static analysis tab to your build results.
Script Search within Script File Input
You now have the ability to search for scripts contained within your configured script roots inside ScriptRunner. Wherever you used to be able to paste the path of a script, you can now search for the script directly in the file input. Simply start typing the name of your script and the search will present suggestions that you can select!
Fixes and Features
- [SRBAM-46] - Script Jobs User Picker does not do user search when editing an existing job
- [SRBAM-71] - Searching for web fragments is hard to read
- [SRBAM-85] - Bamboo restart does not startup the plugin correctly
- [SRBAM-86] - port new UI to bamboo
- [SRBAM-110] - Can not add new tasks/conditions through the UI for later Bamboo versions
- [SRBAM-57] - Further build-killing listeners
- [SRBAM-15] - As an Administrator, I need to install custom web resources to modify the UI of Bamboo
- [SRBAM-16] - As a Script Developer, I need to know where fragments are located in Bamboo so I know where it is possible to inject my own web items
- [SRBAM-48] - Switch user - integration testing
- [SRBAM-50] - Integration Test - View Server Log Files
- [SRBAM-51] - Integration test - Expired JDK listener
- [SRBAM-52] - Integration test - Script Jobs
- [SRBAM-66] - As an Administrator, I need to embed custom web sections in Bamboo in order to get relevant content from outside Bamboo visible to my developers
- [SRBAM-67] - As an Administrator, I need to embed my own web items so I can help users perform actions relevant to them not available to Bamboo
- [SRBAM-70] - Specific Use Case: Add a tab to the build that displays information about the build (such as static analysis results)
Scriptable tasks have been added, which let you easily use different parameters depending on build variables or committed files etc.
Incompatible with previous versions
Unfortunately, tasks in this version have different keys. If you used tasks previously, please recreate them. We won’t do this again.
Compatible with Bamboo version 6.x.x.