Security Considerations

Owned by Tino Winkler
Last updated: Aug 27, 2020 by Almuth Boehme [Communardo]Version comment
2 min read

This article shall help you if you have questions concerning security while planning to use the SharePoint Connector.

Scenarios

First a general note: There is no code from SharePoint (Online) executed on the Confluence server (or the other way around), as all the integration happens in the browser. So the only attacks are possible via client side (browser) scripts.

The content embedded from SharePoint in Confluence might contain malicious scripts which could harm Confluence (or the other way around)

The embedded content is either

  1. fetched via the SharePoint/Confluence REST API and rendered by our app, escaping any data received and thus preventing XSS attacks
  2. or via iframe and thus cannot access the surrounding page

Thus, there should be no threat regarding that point.


Confluence can be attacked by an attacker via SharePoint because content from Confluence is embedded in SharePoint (or the other way around)

If an attacker can deploy malicious code to either Confluence or SharePoint, he could indeed attack the other instance by using the account of the user which currently browses Confluence or SharePoint. In order to do that, the attacker needs to be able to either

  1. leverage an exploit in SharePoint or Confluence
  2. or deploy an app to SharePoint or Confluence

There is not much you could do about 1. other than always have a patched version of SharePoint and Confluence.


To mitigate 2., you should ensure that you can trust everyone permitted to install apps or embed HTML/custom JavaScript to SharePoint or Confluence.


For details about SharePoint see

  • information regarding apps: https://docs.microsoft.com/sharepoint/extend-and-develop
  • Information regarding custom JavaScript: Pay close attention to the "custom scripts" feature, as this allows any user in SharePoint to deploy arbitrary scripts: https://docs.microsoft.com/de-de/sharepoint/allow-or-prevent-custom-script
  • However, if you do not need the ability to embed content into SharePoint, there is a way to completely deactivate that part of our app and with that all the threats listed here. This can be achieved by deactivating the "SharePoint Connector for Confluence Add-In Extensions" app which is bundled with the SharePoint Connector for Confluence.


For details about Confluence see

We have also published a high-level overview over data security for the SharePoint Connector for Confluence in this blog post.



Filter by label

There are no items with the selected labels at this time.