Macro not rendering when included in excerpt

Issue #118 resolved
Former user created an issue

If we have page A which has an excerpt that inside has a database query compact macro, and then in another confluence space we use the excerpt-include macro, to include page A, then a null exception occurs in the database query compact macro.

This seems to have started in version 1.5.0 as we were not seeing it in 1.4.3.

Comments (6)

  1. Gary Sargent

    Tried version 1.4.6 and this works fine in the above scenario. Version 1.5.0 does not.

    Profile is not restricted by users/groups/spaces.

    (I raised the initial request but wasn’t logged in - if you need any more info happy to help)

  2. Scott Selberg

    Hi, I think I understand the problem - but not sure how easy it will be to fix.

    In 1.5.0, when the macro is executed, it runs code on the server side to pull the saved macro body/parameters and use those. This prevents a malicious person from altering the SQL on the webpage and sending it in allowing them to run arbitrary sql against your configured database. I believe in this case, the excerpt macro is running in a different space, so when the back end code goes to look for the saved content it’s looking on the wrong page/space. So what needs to happen is to see if I can determine where the original macro is. Then I need to think through the security implications.

  3. Scott Selberg

    Hi Gary, I got an email from this issue with your comment below, but didn’t see it here so I’m copying it in:

    That makes sense. I don’t have any restrictions on the macro though (including space level), so there should be no reason to even do the check. Though appreciate if someone does want space level restrictions it should work correctly too.

    To be clear, I don’t think this is about the restrictions on the macro. Prior to 1.5.x, the SQL would be present in the browser and sent to confluence and then passed to the database. Thus, if somebody mucks with the html source using the browser development tools they had the ability to edit the SQL. i.e. they could pass in anything they like. In 1.5, when the macro runs, the server side code ignores the SQL passed in and instead looks up the saved instance of the macro to get the code. Thus a user can’t intercept and alter the SQL being sent to the database. I believe the present issue with the excerpt macro is the server side code is looking for the saved macro content on the wrong page. It’s a theory I need to prove.

  4. Gary Sargent

    Yes sorry I read it a second time and understood what you were saying which is why I deleted the post.

  5. Log in to comment