dradis-projects 3.13.0 → 3.17.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 809063c5a07a7640818f6c7961fa5c7fc7423e37
-  data.tar.gz: 2330b76ac581ae6f0152e2d13aa8df076d171c69
+SHA256:
+  metadata.gz: 3a8be2f5a1ea984d74d0e2c0e1b8aa8234592b92bd580616afa5846f4e2c85f4
+  data.tar.gz: 07a452e34dfa738a6cc206d24af3b89f3208002c1b73f12fc8c1b57c2e404cf2
 SHA512:
-  metadata.gz: c3316557b4d6384089f84df2535fc7d9663a40870e60b4868c3a495bed0efdb95f2e005f5974845c43a2bb4e065313a0084b756c16a28e4a6b0ed19f7776c762
-  data.tar.gz: 6eeeb8e60acc8ec054b6bc2a00fdc53b21b17d71f8c01ff81a7b739e794ed9d2bf9fcc35d8fdfff8b71f06f1819d173b3969938cdeb2f9343046e884bed683d2
+  metadata.gz: a4d192636cb52fd17926243cf9ed8123adffd15a7fa6653bf8634afef66ea515ab6fd667de20ddc9a55727aef4d7760963978c372a48d71af96d6e41c5d8e255
+  data.tar.gz: 77167bb73e09422b5a016a09342d1f402e8ad7a5903beb03af3c260492a8102ebc38ee678c047d3a342d36890a0b208a5962868aff49c0b2b1ede6a3f8ee30c8

data/CHANGELOG.md

@@ -1,3 +1,24 @@
+## Dradis Framework 3.17 (May, 2020) ##
+
+*  No changes
+
+## Dradis Framework 3.16 (February, 2020) ##
+
+*  No changes
+
+## Dradis Framework 3.15 (November, 2019) ##
+
+*  Fix upload with attachments
+*  Being able to export/upload boards (v3)
+
+## Dradis Framework 3.14.1 (October, 2019) ##
+
+*  Fix directory traversal vulnerability
+
+## Dradis Framework 3.14 (August, 2019) ##
+
+*  No changes
+
 ## Dradis Framework 3.13 (June, 2019) ##
 
 *  No changes

data/dradis-projects.gemspec

@@ -26,5 +26,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rspec'
 
   spec.add_dependency 'dradis-plugins', '~> 3.7'
-  spec.add_dependency 'rubyzip', '~> 1.2.2'
+  spec.add_dependency 'rubyzip'
 end

data/lib/dradis/plugins/projects/engine.rb

@@ -18,8 +18,8 @@ module Dradis
 
         initializer "dradis-projects.set_configs" do |app|
           options = app.config.dradis.projects
-          options.template_exporter ||= Dradis::Plugins::Projects::Export::V2::Template
-          options.template_uploader ||= Dradis::Plugins::Projects::Upload::V2::Template::Importer
+          options.template_exporter ||= Dradis::Plugins::Projects::Export::V3::Template
+          options.template_uploader ||= Dradis::Plugins::Projects::Upload::V3::Template::Importer
         end
 
 

data/lib/dradis/plugins/projects/export/template.rb

@@ -29,3 +29,4 @@ end
 
 require_relative 'v1/template'
 require_relative 'v2/template'
+require_relative 'v3/template'

data/lib/dradis/plugins/projects/export/v3/template.rb

@@ -0,0 +1,57 @@
+module Dradis::Plugins::Projects::Export::V3
+  class Template < Dradis::Plugins::Projects::Export::V2::Template
+    VERSION = 3
+
+    protected
+
+    def build_methodologies(builder)
+      boards = content_service.all_boards
+
+      builder.methodologies do |methodologies_builder|
+
+        boards.each do |board|
+          node_id =
+            board.node == project.methodology_library ? nil : board.node_id
+
+          methodologies_builder.board(version: VERSION) do |board_builder|
+            board_builder.id(board.id)
+            board_builder.name(board.name)
+            board_builder.node_id(node_id)
+
+            board.ordered_items.each do |list|
+
+              board_builder.list do |list_builder|
+                list_builder.id(list.id)
+                list_builder.name(list.name)
+                list_builder.previous_id(list.previous_id)
+
+                list.ordered_items.each do |card|
+
+                  list_builder.card do |card_builder|
+                    card_builder.id(card.id)
+                    card_builder.name(card.name)
+                    card_builder.description do
+                      card_builder.cdata!(card.description)
+                    end
+                    card_builder.due_date(card.due_date)
+                    card_builder.previous_id(card.previous_id)
+
+                    card_builder.assignees do |assignee_builder|
+                      card.assignees.each do |assignee|
+                        assignee_builder.assignee(assignee.email)
+                      end
+                    end
+
+                    build_activities_for(card_builder, card)
+                    build_comments_for(card_builder, card)
+                  end
+
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dradis/plugins/projects/gem_version.rb

@@ -8,7 +8,7 @@ module Dradis
 
       module VERSION
         MAJOR = 3
-        MINOR = 13
+        MINOR = 17
         TINY = 0
         PRE = nil
 

data/lib/dradis/plugins/projects/upload/package.rb

@@ -18,18 +18,21 @@ module Dradis::Plugins::Projects::Upload
         success = false
 
         # Unpack the archive in a temporary location
-        FileUtils.mkdir Rails.root.join('tmp', 'zip')
+        temporary_dir = Rails.root.join('tmp', 'zip')
+        FileUtils.mkdir temporary_dir
 
         begin
           logger.info { 'Uncompressing the file...' }
           #TODO: this could be improved by only uncompressing the XML, then parsing
           # it to get the node_lookup table and then uncompressing each entry to its
           # final destination
-          Zip::File.foreach(package) do |entry|
-            path = Rails.root.join('tmp', 'zip', entry.name)
-            FileUtils.mkdir_p(File.dirname(path))
-            entry.extract(path)
-            logger.info { "\t#{entry.name}" }
+          Dir.chdir(temporary_dir) do
+            Zip::File.foreach(package) do |entry|
+              path = temporary_dir.join(entry.name)
+              FileUtils.mkdir_p(File.dirname(path))
+              entry.extract
+              logger.info { "\t#{entry.name}" }
+            end
           end
           logger.info { 'Done.' }
 

data/lib/dradis/plugins/projects/upload/template.rb

@@ -89,3 +89,4 @@ end
 
 require_relative 'v1/template'
 require_relative 'v2/template'
+require_relative 'v3/template'

data/lib/dradis/plugins/projects/upload/v1/template.rb

@@ -95,7 +95,12 @@ module Dradis::Plugins::Projects::Upload::V1
       def finalize_attachments
         # Adjust attachment URLs for new Node IDs
         pending_changes[:attachment_notes].each do |item|
-          text_attr = item.is_a?(ContentBlock) ? :content : :text
+          text_attr =
+            if defined?(ContentBlock) && item.is_a?(ContentBlock)
+              :content
+            else
+              :text
+            end
 
           logger.info { "Adjusting screenshot URLs: #{item.class.name} ##{item.id}" }
 

data/lib/dradis/plugins/projects/upload/v3/template.rb

@@ -0,0 +1,203 @@
+module Dradis::Plugins::Projects::Upload::V3
+  module Template
+    class Importer < Dradis::Plugins::Projects::Upload::V2::Template::Importer
+      private
+
+      # Private: Given a XML node contianing assignee information this method
+      # tries to recreate the assignment in the new project.
+      #
+      #   * If the user exists in this instance: assign the card to that user
+      #     (no matter if the user is not a project author).
+      #   * If the user doesn't exist, don't creat an assiment and add a note
+      #     inside the card's description.
+      #
+      # card         - the Card object we're creating assignments for.
+      # xml_assignee - the Nokogiri::XML::Node that contains node assignment
+      #                information.
+      #
+      # Returns nothing, but creates a new Assignee for this card.
+      def create_assignee(card, xml_assignee)
+        email   = xml_assignee.text()
+        user_id = user_id_for_email(email)
+
+        if user_id == -1
+          old_assignee_field = card.fields['FormerAssignees'] || ''
+          card.set_field 'FormerAssignees', old_assignee_field << "* #{email}\n"
+        else
+          old_assignee_ids  = card.assignee_ids
+          card.assignee_ids = old_assignee_ids + [user_id]
+        end
+      end
+
+      # Private: Reassign cross-references once all the objects in the project
+      # have been recreated.
+      #
+      # No arguments received, but the methods relies on :lookup_table and
+      # :pending_changes provided by dradis-projects.
+      #
+      # Returns nothing.
+      def finalize_cards
+        logger.info { 'Reassigning card positions...' }
+
+        # Fix the :previous_id with the new card IDs
+        pending_changes[:cards].each do |card|
+          card.previous_id = lookup_table[:cards][card.previous_id]
+          raise "Couldn't save card's position" unless validate_and_save(card)
+        end
+
+        logger.info { 'Done.' }
+      end
+
+      # Private: Reassign the List's :previous_id now that we know what are the
+      # new IDs that correspond to all List objects in the import.
+      #
+      # No arguments received, but the method relies on :lookup_table and
+      # :pending_changes provided by dradis-projects.
+      #
+      # Returns nothing.
+      def finalize_lists
+        logger.info { 'Reassigning list positions...' }
+
+        # Fix the :previous_id with the new card IDs
+        pending_changes[:lists].each do |list|
+          list.previous_id = lookup_table[:lists][list.previous_id]
+          raise "Couldn't save list's position" unless validate_and_save(list)
+        end
+
+        logger.info { 'Done.' }
+      end
+
+      # Private: Restore Board, List and Card information from the project
+      # template.
+      def parse_methodologies(template)
+        if template_version == 1
+          # Restore Board from old xml methodology format
+          process_v1_methodologies(template)
+        else
+          process_v2_methodologies(template)
+        end
+      end
+
+      # Private:  For each XML card block, we're creating a new Card instance,
+      # restoring the card's Activities and Assignments.
+      #
+      # list     - the List instance that will hold this Card.
+      # xml_card - the Nokogiri::XML node containing the card's data.
+      #
+      # Returns nothing, but makes use of the :lookup_table and :pending_changes
+      # variables to store information that will be used during the
+      # :finalize_cards method.
+      def process_card(list, xml_card)
+        due_date = xml_card.at_xpath('due_date').text
+        due_date = Date.iso8601(due_date) unless due_date.empty?
+
+        card = list.cards.create name: xml_card.at_xpath('name').text,
+          description: xml_card.at_xpath('description').text,
+          due_date: due_date,
+          previous_id: xml_card.at_xpath('previous_id').text
+
+        xml_card.xpath('activities/activity').each do |xml_activity|
+          raise "Couldn't create activity for Card ##{card.id}" unless create_activity(card, xml_activity)
+        end
+
+        xml_card.xpath('assignees/assignee').each do |xml_assignee|
+         raise "Couldn't create assignment for Card ##{card.id}" unless create_assignee(card, xml_assignee)
+        end
+
+        raise "Couldn't create comments for Card ##{card.id}" unless create_comments(card, xml_card.xpath('comments/comment'))
+
+        lookup_table[:cards][xml_card.at_xpath('id').text.to_i] = card.id
+        pending_changes[:cards] << card
+      end
+
+      # Private: Initial pass over ./methodologies/ section of the tempalte
+      # document to extract Board, List and Card information. Some of the
+      # objects will contain invalid references (e.g. the former :previous_id
+      # of a card will need to be reassigned) that we will fix at a later stage.
+      #
+      # template - A Nokogiri::XML document containing the project template
+      #            data.
+      #
+      # Returns nothing.
+      def process_methodologies(template)
+        logger.info { 'Processing Methodologies...' }
+
+        lookup_table[:cards]    = {}
+        lookup_table[:lists]    = {}
+        pending_changes[:cards] = []
+        pending_changes[:lists] = []
+
+        template.xpath('dradis-template/methodologies/board').each do |xml_board|
+          xml_node_id = xml_board.at_xpath('node_id').try(:text)
+          node_id =
+            if xml_node_id.present?
+              lookup_table[:nodes][xml_node_id]
+            else
+              project.methodology_library.id
+            end
+
+          board = content_service.create_board(
+            name: xml_board.at_xpath('name').text,
+            node_id: node_id
+          )
+
+          xml_board.xpath('./list').each do |xml_list|
+            list = board.lists.create name: xml_list.at_xpath('name').text,
+              previous_id: xml_list.at_xpath('previous_id').text
+
+            lookup_table[:lists][xml_list.at_xpath('id').text.to_i] = list.id
+            pending_changes[:lists] << list
+
+            xml_list.xpath('./card').each do |xml_card|
+              process_card(list, xml_card)
+            end
+          end
+        end
+
+        logger.info { 'Done.' }
+      end
+
+      # Private: Pass over old ./methodologies/ sections of the template
+      # document to extract Board, List and Card information.
+      #
+      # template - A Nokogiri::XML document containing the project template
+      #            data.
+      #
+      # Returns nothing.
+      def process_v1_methodologies(template)
+        xml_methodologies = template.xpath('dradis-template/methodologies/methodology')
+        return if xml_methodologies.empty?
+
+        logger.info { 'Processing V1 Methodologies...' }
+
+        migration = MethodologyMigrationService.new(project.id)
+
+        xml_methodologies.each do |xml_methodology|
+          migration.migrate(
+            Methodology.new(content: xml_methodology.at_xpath('text').text)
+          )
+        end
+
+        logger.info { 'Done.' }
+      end
+
+      # Private: Pass over new ./methodologies/ sections of the template
+      # document to extract Board, List and Card information.
+      #
+      # template - A Nokogiri::XML document containing the project template
+      #            data.
+      #
+      # Returns nothing.
+      def process_v2_methodologies(template)
+        # Restore Board
+        process_methodologies(template)
+
+        # Reassign Card's :previous_id and :assginees
+        finalize_cards()
+
+        # Reassign List's :previous id
+        finalize_lists()
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-projects
 version: !ruby/object:Gem::Version
-  version: 3.13.0
+  version: 3.17.0
 platform: ruby
 authors:
 - Daniel Martin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-06-10 00:00:00.000000000 Z
+date: 2020-06-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -84,16 +84,16 @@ dependencies:
   name: rubyzip
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.2.2
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.2.2
+        version: '0'
 description: This plugin allows you to dump the contents of the repo into a zip archive
   and restore the state from one of them.
 email:
@@ -121,11 +121,13 @@ files:
 - lib/dradis/plugins/projects/export/template.rb
 - lib/dradis/plugins/projects/export/v1/template.rb
 - lib/dradis/plugins/projects/export/v2/template.rb
+- lib/dradis/plugins/projects/export/v3/template.rb
 - lib/dradis/plugins/projects/gem_version.rb
 - lib/dradis/plugins/projects/upload/package.rb
 - lib/dradis/plugins/projects/upload/template.rb
 - lib/dradis/plugins/projects/upload/v1/template.rb
 - lib/dradis/plugins/projects/upload/v2/template.rb
+- lib/dradis/plugins/projects/upload/v3/template.rb
 - lib/dradis/plugins/projects/version.rb
 - lib/tasks/thorfile.rb
 - spec/fixtures/files/attachments_url.xml
@@ -152,8 +154,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 3.0.1
 signing_key: 
 specification_version: 4
 summary: Project export/upload for the Dradis Framework.