Security Considerations

This article answers security questions you may have when planning to use the SharePoint Online Connector.


First, a general note: no code from SharePoint (Online) is executed on the Confluence server (or the other way around), because all of the integration happens in the browser. Attacks are therefore possible only via client-side (browser) scripts.

Scenarios


The content embedded from SharePoint in Confluence might contain malicious scripts which could harm Confluence (or the other way around)

The embedded content is either

  1. fetched via the SharePoint/Confluence REST API and rendered by our app, which escapes any data received and thus prevents XSS attacks
  2. or embedded via iframe, and thus cannot access the surrounding page

Thus, there should be no threat regarding that point.
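
The escaping step described in point 1 can look like the following. This is an added example, not the connector's own code; the field names `Title` and `FileRef`, the host `contoso.example` and the sample response are constructed for illustration. It goes slightly beyond the text by also restricting link schemes, because HTML escaping alone does not neutralize a `javascript:` URL placed in an `href`.

```javascript
// Added example, not the connector's code. Field names and sample data are constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Escaping does not stop javascript: or data: links, so only absolute https URLs pass.
function safeHref(value) {
  try {
    const url = new URL(String(value));
    return url.protocol === 'https:' ? url.href : '#';
  } catch (err) {
    return '#'; // unparsable or relative input
  }
}

// Build markup for a list of documents returned by a REST call.
// Every value taken from the response is escaped before it reaches the page.
function renderItems(items) {
  const rows = items.map(
    (item) =>
      `<li><a href="${escapeHtml(safeHref(item.FileRef))}">${escapeHtml(item.Title)}</a></li>`
  );
  return `<ul>${rows.join('')}</ul>`;
}

// Constructed sample response: one benign item and two that carry script payloads.
const sampleItems = [
  { Title: 'Q3 report', FileRef: 'https://contoso.example/docs/q3.docx' },
  { Title: '<img src=x onerror=alert(1)>', FileRef: 'javascript:alert(1)' },
  { Title: '"><script>alert(1)</script>', FileRef: 'https://contoso.example/docs/a.docx' },
];

console.log(renderItems(sampleItems));
```

The payloads in the second and third items come out as inert text, and the `javascript:` link is replaced with `#`.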


Confluence can be attacked by an attacker via SharePoint because content from Confluence is embedded in SharePoint (or the other way around)


If an attacker can deploy malicious code to either Confluence or SharePoint, they could indeed attack the other instance by using the account of the user who is currently browsing Confluence or SharePoint. In order to do that, the attacker needs to be able to either

  1. leverage an exploit in SharePoint or Confluence
  2. or deploy an app to SharePoint or Confluence

There is not much you can do about 1. other than always running a patched version of SharePoint and Confluence.


To mitigate 2., you should ensure that you can trust everyone who is permitted to install apps or embed HTML/custom JavaScript in SharePoint or Confluence.


For details about SharePoint see


For details about Confluence see

