Security Considerations
Please note: This article mainly applies to older versions of the SharePoint Connector for Confluence Data Center (1.12.x and 2.x) that supported SharePoint Server (On-Prem). Since version 3.x and in our Cloud version, we only work with SharePoint Online and Microsoft Graph API. Technical prerequisites have changed over time (e.g., Internet Explorer support ended, authentication moved to a new workflow), so the described behavior may no longer apply to current versions.
This article will help you if you have questions about security when planning to use the SharePoint Connector.
Scenarios
First, a general note: No code from SharePoint (Online) is executed on the Confluence server (or vice versa), as all the integration happens in the browser. So the only possible attacks are via client-side (browser) scripts.
The content embedded from SharePoint in Confluence might contain malicious scripts that could harm Confluence (or the other way around)
The embedded content is either
fetched via the SharePoint/Confluence REST API and rendered by our app, escaping any data received and thus preventing XSS attacks
or via iframe, and thus cannot access the surrounding page
Thus, there should be no threat regarding that point.
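As an added illustration of the first rendering path (REST data escaped before rendering), not code from the connector: the payload below is a constructed sample shaped like a SharePoint list REST response, and the function names are my own.

```javascript
// Added example (not the connector's own code). renderUnsafe() emits REST
// field values verbatim; renderEscaped() HTML-escapes every value first,
// which is the property the article relies on to prevent XSS.

// Constructed sample, shaped like a SharePoint list REST response.
// The second Title carries an injected script tag, as a document field could.
const SAMPLE_RESPONSE = {
  value: [
    { Id: 1, Title: "Quarterly report.docx", Author: "A. Example" },
    { Id: 2, Title: "<script>alert(1)</script>", Author: "B. Example" },
  ],
};

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: trusts the REST payload and concatenates it into markup.
function renderUnsafe(response) {
  return response.value
    .map((item) => `<li data-id="${item.Id}">${item.Title} (${item.Author})</li>`)
    .join("");
}

// Hardened: every field, including the attribute value, is escaped before use.
function renderEscaped(response) {
  return response.value
    .map(
      (item) =>
        `<li data-id="${escapeHtml(item.Id)}">${escapeHtml(item.Title)} (${escapeHtml(item.Author)})</li>`
    )
    .join("");
}

// Check helper: does the rendered HTML still contain a raw opening tag?
function containsRawTag(html, tag) {
  return new RegExp(`<${tag}\\b`, "i").test(html);
}
```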
Confluence can be attacked by an attacker via SharePoint because content from Confluence is embedded in SharePoint (or the other way around)
If an attacker can deploy malicious code to either Confluence or SharePoint, they could indeed attack the other instance using the account of the user currently browsing Confluence or SharePoint. To do that, the attacker needs to be able to either
1. leverage an exploit in SharePoint or Confluence
2. or deploy an app to SharePoint or Confluence
There isn't much you can do about 1., other than always keeping SharePoint and Confluence patched.
To mitigate 2., ensure you can trust everyone permitted to install apps or embed HTML/custom JavaScript in SharePoint or Confluence.
For details about SharePoint, see
Information regarding custom JavaScript: Pay close attention to the "custom scripts" feature, as it allows any SharePoint user to deploy arbitrary scripts.
However, if you do not need the ability to embed content into SharePoint, you can completely deactivate that part of our app, along with all the threats listed here. This can be achieved by deactivating the "SharePoint Connector for Confluence Add-In Extensions" app, which is bundled with the SharePoint Connector for Confluence.
For details about Confluence, see
Information regarding custom JavaScript: Pay close attention to the HTML macro, as it can allow any Confluence user to deploy arbitrary scripts.
We have also published a high-level overview of data security for the SharePoint Connector for Confluence in this blog post.