Check out what’s new for ScriptRunner for BitBucket Server.

5.9.0

Behind the scenes, the deprecation information behind the code editor has been improved.

New Features

  • SRPLAT-1022 - There is now an Exit button for the Switch User built-in script.

Bug Fixes

  • SRPLAT-1055 - Script editor did not enable vertical scroll when too many lines were added.

  • SRBITB-683 - The Automatically Configure Delete Branch Checkbox event handler worked even when branch deletion wasn’t permitted.

  • SRBITB-660 - The Naming Standards hook removed useful contextual information from ref names.

5.8.0

Bug Fixes

  • SRBITB-690 - Mirroring upgrade task throws exception if no configuration is present

  • SRPLAT-931 - The code editor did not show method deprecation warnings for SAL.

5.7.2

Bug Fixes

  • SRPLAT-999 - Script Editor - deprecations of inner classes are now correctly shown.

  • SRBITB-412 - There was a static type checking error when using projectKey in JQL query template.

  • SRPLAT-931 - The code editor did not show method deprecation warnings for SAL.

  • SRBITB-682 - Deprecation hints were enabled in Script Editor for Bitbucket 7.

  • SRBITB-678 - Deprecation hints were enabled in Script Editor for Bitbucket 6.

5.7.1

New Features

  • SRBITB-631 - When configuring pathsMatch, you can now include only LFS files.

Bug Fixes

  • SRPLAT-962 - Cron descriptions now display the correct weekday.

5.7.0

New Features

  • SRBITB-631 - When configuring pathsMatch, you can now include only LFS files.

  • SRBITB-355 - The Require Commits to Be Associated with Jira Issue script now has an option to check commit messages, not branch names, to ensure that every commit that is merged into master has a Jira issue key.

Bug Fixes

  • SRPLAT-948 - Conditions on Web Fragments created prior to release 5.6.15 are now visible.

  • SRBITB-299 - The CreateDefaultPullRequestTasks listener had conflicts with WorkZone listeners.

5.6.15

Bug Fixes

5.6.14

Bug Fixes

  • SRPLAT-908 - A bug that prevented editing of previously configured script files has been fixed.

5.6.13

IntelliJ IDEA Plugin Deprecation

We are officially deprecating the IntelliJ IDEA plugin, also known as the Adaptavist Power Editor. ScriptRunner 5.6.13 contains the last bugfix we will ship for this feature, and 0.7.20 is the last release we will make on the JetBrains marketplace. Future support requests for this feature will be referred to this deprecation notice.

As can be seen from the review history on our JetBrains marketplace listing, we haven’t been consistently keeping up with JetBrains’s quarterly release schedule, due to prioritisation constraints.

Reasons for the Change

Two key concerns motivated our decision to deprecate: the opportunity cost of developing the Adaptavist Power Editor and its overlap with other ScriptRunner features.

The IntelliJ IDEA platform is a rich, fast-moving one. Just about every release requires refactoring some part of our plugin’s codebase. As users of IntelliJ IDEA, we love this rapid development. However, it is a challenge to keep up with developing a secondary plugin that is not our core product, while also keeping an eye on the Atlassian release cycle. While IntelliJ IDEA was an interesting platform to expand into, it required more focus than we were able to give it.

Further, we are continuing to maintain and develop two other features which meet most of the needs met by the IntelliJ Plugin. These are the Code Editor and the scriptrunner-samples repository for local development.

The Code Editor provides smart completions, parameter hints, and javadoc lookup. While that’s nowhere near the feature set provided by IntelliJ IDEA, it does provide a rich development experience, one which we’d like to develop further. Most importantly, the Code Editor is up and running by default with no setup.

For users who want a deeper development experience and don’t mind some setup, developing a Script Plugin affords a fully featured IDE, git integration, the ability to save script configuration as code, and other developer tools.

With the addition of the Code Editor (with built-in autocompletion), and the new Script Editor (allowing users to save files in script roots), the Adaptavist Power Editor had a very niche user base with a very high maintenance burden. Although we had reservations about deprecating the IntelliJ IDEA integration due to feature loss in the short term, increased investment in the core ScriptRunner product is our priority.

Continuing to let the Adaptavist Power Editor lag with late compatibility updates wasn’t fair to our users, and we are committed to delivering more new features and improvements to the ScriptRunner product itself.

Ultimately, creating a plugin for IntelliJ IDEA was a valuable experiment. It taught us important lessons about providing a rich code editor that we still want to incorporate into the core Code Editor. We would love to hear from you which aspects you found most valuable. Please contact us through our support portal if there are features you would like to request for the Code Editor.

Bug Fixes

  • SRPLAT-830 - IntelliJ Integration that was broken in 5.6.6 and beyond, is now fixed.

  • SRBITB-621 - Audit logs are no longer created for frequently run scripts.

5.6.12

ScriptRunner Remote Events Code Execution Vulnerability

An HTTP POST made to /rest/scriptrunner/latest/remote-events with a specially crafted JSON payload could lead to unrestricted Groovy code execution for any logged-in user, regardless of permissions.

This security vulnerability has been fixed in ScriptRunner 5.6.12; it is recommended all customers upgrade to 5.6.12+ where possible.

If no firewall is enabled, users must update ScriptRunner to include this security patch.

Temporary Workaround

If you are unable to upgrade immediately, blocking HTTP requests beginning with <base_url>rest/scriptrunner/*/remote-events mitigates the vulnerability.

To verify the workaround is applied correctly check that requests to <base_url>rest/scriptrunner/*/remote-events/ are denied.

Below are examples of how to apply the workaround in Apache and Tomcat by blocking requests to the Scriptrunner Remote Events endpoint at the reverse proxy, load-balancer or application server level.

Please note that Adaptavist Support does not provide any assistance for configuring reverse proxies. Consequently, we provide the below examples as is, with no support and no written or implied warranties. To verify the workaround is applied correctly check that requests to <base_url>rest/scriptrunner/*/remote-events/ are denied.
Apache HTTPD Reverse Proxy
Apache 2.4 Syntax

Add the following into the .conf file containing the virtualhost that proxies to the Atlassian application.

<LocationMatch "/rest/scriptrunner/.*/remote-events/">
Require all denied
</LocationMatch>
Example:
<VirtualHost *:80>
ServerName jira.example.com
ProxyRequests Off
ProxyVia Off
<Proxy *>
     Require all granted
</Proxy>
ProxyPass /jira  http://ipaddress:8080/jira
ProxyPassReverse /jira  http://ipaddress:8080/jira
    <LocationMatch "/rest/scriptrunner/.*/remote-events/">
        Require all denied
    </LocationMatch>
</VirtualHost>
Apache 2.2 Syntax

Add the following into the .conf file containing the virtualhost that proxies to the Atlassian application:

<LocationMatch "/rest/scriptrunner/.*/remote-events/">
Order Allow,Deny
Deny from  all
</LocationMatch>
Example
<VirtualHost *:80>
ServerName jira.example.com
    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
         Require all granted
    </Proxy>
    ProxyPass /jira  http://ipaddress:8080/jira
    ProxyPassReverse /jira  http://ipaddress:8080/jira
    <LocationMatch "/rest/scriptrunner/.*/remote-events/">
         Order Allow,Deny
         Deny from  all
    </LocationMatch>
</VirtualHost>
Tomcat urlrewrite.xml

Redirect requests to /rest/scriptrunner/.*/remote-events/.* to a safe URL.

  1. Add the following to the <urlrewrite> section of [jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:

    <rule>
    <from>/rest/scriptrunner/.*/remote-events/.*</from>
    <to type="temporary-redirect">/</to>
    </rule>
  2. Save the urlrewrite.xml.

  3. Restart the Atlassian application.

5.6.11

New Features

Built In Script For Viewing And Deleting Orphaned Personal Repositories

This release includes a new built-in administrative script, which allows you to view and delete orphaned personal repositories. An orphaned repository is a personal repository which no longer has an owner, either because the owner has been deleted or become inactive.

Bitbucket has no built in support for viewing orphaned repositories: BSERV-7265.

This new built-in script provides a list of orphaned repositories and optionally allows the administrator to delete all orphaned repositories.

See our Administrative Scripts documentation for more information.

Bug Fixes

  • SRPLAT-873 - Settings could have been null, which caused NPE in various locations.

  • SRPLAT-864 - An invalid object name, null.AO_31728E_SR_USER_PROP, was added when the plugin was run against an instance running on MS SQL Server.

5.6.9

Bug Fixes

  • SRPLAT-670 - An exception was generated when adding or removing an event in the Events field on the Custom Event Listener screen.

  • SRBITB-603 - While on Bitbucket 6, the check icons did not render while using configured mirrors script.

  • SRBITB-584 - Old branch and tag naming standards hooks did not respond to UI-based triggers.

5.6.8

Bug Fixes

5.6.7

New Features

  • SRBITB-548 - Mirroring has been extended to work with GitLab in addition to GitHub. Find out more information about GitLab mirroring in the Administrative Scripts documentation.

  • SRBITB-455 - Mirroring has been extended to work with other Bitbucket Server instances. Find out more information about mirroring for servers in the Administrative Scripts documentation.

  • SRBITB-310 - Audit logging was set up for all ScriptRunner items when they are added, deleted, and updated.

  • SRBITB-246 - Mirroring of GitHub Enterprise was added. Find out more information about GitHub mirroring in the Administrative Scripts documentation.

Bug Fixes

  • SRPLAT-774 - There was a MissingPropertyException in subclasses of AbstractBaseRestEndpoint when accessing the log field.

  • SRPLAT-773 - YAML files were not auto-deploying saved script configurations in custom plugin jars.

  • SRBITB-547 - MaxFilesizeHook checked the LFS pointer files instead of the size of LFS pointers.

  • SRBITB-470 - The user interface (UI) was updated to remove misleading custom event handler and hook user instructions.

5.6.6

New Features

  • SRBITB-475 - Mirroring of private Github user repos is now allowed.

  • Manage your .groovy script files using the new ScriptRunner Script Editor.

5.6.5

New Features

  • SRBITB-397 - A new canned script was added that can enable the Delete Source Branch checkbox to be checked by default on pull request (PR) merges.

Bug Fixes

  • SRPLAT-715 - The use of class autocompletion with an as cast operation was fixed.

  • SRPLAT-712 - An exception thrown by getting docs on a variable no longer occurs.

  • SRPLAT-709 - The fragment finder context variables overlay was added.

  • SRPLAT-703 - The missing Idea Integration icon was added back to code editors.

  • SRBITB-551 - The Auto Add Reviewers REST endpoint checks to see if the handler is disabled. If it is disabled, it does not fill in the Reviewers field in a PR creation UI.

  • SRBITB-541 - Support was added for proxy authentication for Github and Bitbucket mirroring.

  • SRBITB-539 - The Protect Git Refs canned script now responds to UI triggers.

  • SRBITB-398 - Email comparison in the trusted authors hook is now case-insensitive.

  • SRBITB-178 - ScriptRunner for BitBucket captures a full response if HTML is returned in mirroring. Previously, only JSON was captured.

5.6.3.2

Bug Fixes

  • [SRBITB-555] - Hooks get applied to requests they can't handle

5.6.3

New Features

Critical Security Update

This release fixes a security vulnerability that has been discovered in ScriptRunner for Bitbucket. The vulnerability affects version 3.0.17 - 5.6.1 (inclusive) of ScriptRunner for Bitbucket.

The vulnerability is classified as critical in line with Atlassian’s Security Levels.

ScriptRunner for Bitbucket Server and Data Center prior to version 5.6.3 allowed logged in users to create and execute scripts without the correct privileges being applied by sending a specially crafted request. This could mean that a user can escalate their privileges and execute arbitrary code.

Introducing Data Center Migration Support for ScriptRunner

From release 5.6.3, ScriptRunner for Bitbucket now includes support for Altassian’s Data Center Migration Tool.

Please see the Data Center Migration Support documentation for more details on which ScriptRunner objects are exported by the tool and how they are applied to the import instance.

Other New Features

  • [SRBITB-405] - Allow users to use the Hooks API to write custom merge checks
  • [SRBITB-444] - Provide Importer/Exporter modules for easy DC migration

Bug Fixes

  • [SRBITB-309] - The Send Mail script job ran conditions twice.
  • [SRBITB-553] - User privilege escalation.
  • [SRPLAT-658] - Could not use code completion features with @WithPlugin for some plugins.
  • [SRPLAT-680] - Dependent plugin classes weren't loaded correctly.

5.6.1

New Features

  • [SRPLAT-96] - Custom event listeners should be able to listen to events provided by plugins

Bug Fixes

  • [SRBITB-230] - Allow mirrored repositories that have been moved or deleted to be removed
  • [SRBITB-268] - Log capture doesn't work
  • [SRBITB-427] - Custom email scripts don't run Configuration script until after subject/body templates have already been evaluated
  • [SRBITB-437] - SimpleUserAccessGrant class not found when cloning a repo with branch permissions
  • [SRBITB-449] - Whitelist MinimalRepositoryRef class
  • [SRBITB-451] - Trusted Commit Authors hook doesn't match names when trust level set to "All authors must have WRITE access to this repository"
  • [SRBITB-477] - Switch User isn't compatible with BB 6 API
  • [SRBITB-479] - Static type checker doesn't recognise 'event' as being in the bindings for event handlers

Have questions? Visit the Atlassian Community to connect, share, and learn with other Atlassian users and experts, including Adaptavist staff.

Ask a question about ScriptRunner for JIRA, Bitbucket Server, or Confluence.

Want to learn more? Check out courses on Adaptavist Learn, an online platform to onboard and train new users for Atlassian solutions.