Package com.atlassian.velocity

Class JiraAllowlistIntrospector

java.lang.Object
org.apache.velocity.util.introspection.IntrospectorBase
org.apache.velocity.util.introspection.Introspector
org.apache.velocity.util.introspection.SecureIntrospectorImpl
com.atlassian.velocity.allowlist.uberspect.PluginAwareSecureIntrospector
com.atlassian.velocity.JiraAllowlistIntrospector
All Implemented Interfaces:
org.apache.velocity.util.introspection.SecureIntrospectorControl
public class JiraAllowlistIntrospector extends com.atlassian.velocity.allowlist.uberspect.PluginAwareSecureIntrospector
Extends PluginAwareSecureIntrospector to manage a security allowlist specifically for Atlassian Jira Velocity environment. This class enhances security by controlling access to methods within the Velocity templates, based on a configured allowlist in velocity-default.properties. It listens to the plugin startup events to initialize itself and ensures that only allowed methods can be executed within the Velocity context, it also registers allowlists from every plugin that is installed in JIRA.
Since:
v10.0.0

  • Nested Class Summary

    Nested Classes
    Modifier and Type
    Class
    Description
    static enum 
    JiraAllowlistIntrospector.JiraAllowlistIntrospectorStatus
     

  • Field Summary

    Fields inherited from class com.atlassian.velocity.allowlist.uberspect.PluginAwareSecureIntrospector

    ALLOWLIST_DEBUG_PROPERTY, ALLOWLIST_DEBUG_PROPERTY_ALT

    Fields inherited from class org.apache.velocity.util.introspection.IntrospectorBase

    log

  • Constructor Summary

    Constructors
    Constructor
    Description
    JiraAllowlistIntrospector(org.apache.velocity.runtime.log.Log log, org.apache.velocity.runtime.RuntimeServices runtimeServices)
     

  • Method Summary

    Modifier and Type
    Method
    Description
    JiraAllowlistIntrospector.JiraAllowlistIntrospectorStatus
    getStatus()
     
    protected boolean
    isAllowlistedClassPackageInternal(Class<?> clazz)
     
    protected boolean
    isAllowlistedMethodInternal(Method method)
     
    protected boolean
    isClassPackageRestricted(Class<?> clazz)
     
    protected boolean
    isClassRestricted(Class<?> clazz)
     
    protected boolean
    isIntrospectorEnabled()
     
    void
    onPluginEnabled(com.atlassian.plugin.event.events.PluginEnabledEvent event)
     
    void
    onPluginFrameworkStarted(com.atlassian.plugin.event.events.PluginFrameworkStartedEvent event)
     
    void
    postInitIntrospectorSetup()
     
    void
    resetIntrospectorState()
     

    Methods inherited from class com.atlassian.velocity.allowlist.uberspect.PluginAwareSecureIntrospector

    isAllowlistDebugMode, isAllowlistedClassPackageCached, isAllowlistedMethodCached, loadClass, setPluginAllowlist

    Methods inherited from class org.apache.velocity.util.introspection.SecureIntrospectorImpl

    checkObjectExecutePermission, checkObjectExecutePermission, getMethod, getMethod, isAllowlisted, isAllowlistedClass, isAllowlistedInternal, isAllowlistEnabled, isExecutionRestricted, isPackageMatches, isParametersRestricted, isParamsContainPathTraversal, isRestrictedClass, isRestrictedClassPackageCached, isRestrictedClassPackageInternal, resolveArrayClass, toClassSet, toMethodSet, toMethodStr, toPackageName, toParsedSet, topLevelChecks, toValidatedClassSet

    Methods inherited from class org.apache.velocity.util.introspection.IntrospectorBase

    getIntrospectorCache

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

  • Constructor Details

    • JiraAllowlistIntrospector

      public JiraAllowlistIntrospector(org.apache.velocity.runtime.log.Log log, org.apache.velocity.runtime.RuntimeServices runtimeServices)

  • Method Details

    • onPluginFrameworkStarted

      @EventListener public void onPluginFrameworkStarted(com.atlassian.plugin.event.events.PluginFrameworkStartedEvent event)
      Overrides:
      onPluginFrameworkStarted in class com.atlassian.velocity.allowlist.uberspect.PluginAwareSecureIntrospector

    • onPluginEnabled

      @EventListener public void onPluginEnabled(com.atlassian.plugin.event.events.PluginEnabledEvent event)

    • getStatus

      public JiraAllowlistIntrospector.JiraAllowlistIntrospectorStatus getStatus()

    • resetIntrospectorState

      public void resetIntrospectorState()

    • postInitIntrospectorSetup

      public void postInitIntrospectorSetup()

    • isAllowlistedMethodInternal

      protected boolean isAllowlistedMethodInternal(Method method)
      Overrides:
      isAllowlistedMethodInternal in class org.apache.velocity.util.introspection.SecureIntrospectorImpl

    • isClassPackageRestricted

      protected boolean isClassPackageRestricted(Class<?> clazz)
      Overrides:
      isClassPackageRestricted in class org.apache.velocity.util.introspection.SecureIntrospectorImpl

    • isAllowlistedClassPackageInternal

      protected boolean isAllowlistedClassPackageInternal(Class<?> clazz)
      Overrides:
      isAllowlistedClassPackageInternal in class org.apache.velocity.util.introspection.SecureIntrospectorImpl

    • isClassRestricted

      protected boolean isClassRestricted(Class<?> clazz)
      Overrides:
      isClassRestricted in class org.apache.velocity.util.introspection.SecureIntrospectorImpl

    • isIntrospectorEnabled

      protected boolean isIntrospectorEnabled()
      Overrides:
      isIntrospectorEnabled in class com.atlassian.velocity.allowlist.uberspect.PluginAwareSecureIntrospector