dradis-projects 3.21.0 → 4.1.2.1
- checksums.yaml +4 -4
- data/.ruby-version +1 -1
- data/CHANGELOG.md +55 -64
- data/CHANGELOG.template +12 -0
- data/dradis-projects.gemspec +2 -2
- data/lib/dradis/plugins/projects/export/v3/template.rb +1 -37
- data/lib/dradis/plugins/projects/gem_version.rb +4 -4
- data/lib/dradis/plugins/projects/upload/package.rb +11 -6
- data/lib/dradis/plugins/projects/upload/v1/template.rb +8 -3
- data/lib/dradis/plugins/projects/upload/v3/template.rb +1 -1
- data/spec/fixtures/files/malformed_ids.xml +14 -0
- data/spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb +22 -4
- metadata +13 -10
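--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 68ddaed8e020a33f06c7dd722bbb0502f7598a76eaf61a0f2c4a05716ebbf2be
+data.tar.gz: 66d06ddd0941b6eaa9ab7b1839af76620b2e764cf25ce0cc90778a91ecfe003b
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7d3b899c0aa7a605c47fdc85d52baea5b966a94392f123a835495a14ae05ba8a6637e37a2dd74cfa76458b19f12a1013979afed7a191e1ea95c6ff5e1015ccb7
+data.tar.gz: 8d84010325dfadaa0d51ef0ae3e45e27d049bcd7ed0a0754d1c3c605b7598c2bbc78e3dc7306b600a09e5ad77a4c208c170aa27fcd4c9d2c44c00093afff5cb6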
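--- a/data/.ruby-version
+++ b/data/.ruby-version
@@ -1 +1 @@
-2.
+2.7.2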
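--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,85 +1,76 @@
-
+v4.1.2.1 (December 2021)
+- Security Fixes:
+- High: Authenticated author path traversal
 
-
+v4.1.1 (November 2021)
+- Loosen dradis-plugins version requirement
 
-
+v4.1.0 (November 2021)
+- No changes
 
-
-
+v4.0.0 (July 2021)
+- No changes
 
-
+v3.22.0 (April 2021)
+- No changes
 
-
+v3.21.0 (February 2021)
+- No changes
 
-
+v3.20.0 (January 2020)
+- Add views for the export view
+- Fix exporting projects with comments by deleted users
 
-
+v3.19.0 (September 2020)
+- No changes
 
-
+v3.18.0 (July 2020)
+- No changes
 
-
+v3.17.0 (May 2020)
+- No changes
 
-
+v3.16.0 (February 2020)
+- No changes
 
-
+v3.15.0 (November 2019)
+- Being able to export/upload boards (v3)
+- Fix upload with attachments
 
-
+v3.14.1 (October 2019)
+- Fix directory traversal vulnerability
 
-
-
+v3.14.0 (August 2019)
+- No changes
 
-
+v3.13.0 (June 2019)
+- No changes
 
-
+v3.12.0 (March 2019)
+- No changes
 
-
+v3.11.0 (November 2018)
+- Note and evidence comments in export/import
 
-
+v3.10.0 (August 2018)
+- Check project existence for default user id
+- Issue comments in export/import
+- Replace Node methods that are now Project methods
+- Use project scopes
 
-
+v3.9.0 (January 2018)
+- Add default user id as fallback for activity user when importing
+- Fix nodes upload
 
-
+v3.8.0 (September 2017)
+- Add parse_report_content placeholders to import/export
+- Add version attribute to exported methodologies
 
-
+v3.7.0 (July 2017)
+- Skip closing the logger in thorfile
 
-
-
-
-
-
-
-## Dradis Framework 3.10 (August, 2018) ##
-
-* Use project scopes
-
-* Check project existence for default user id
-
-* Issue comments in export/import
-
-* Replace Node methods that are now Project methods
-
-## Dradis Framework 3.9 (January, 2018) ##
-
-* Fix nodes upload
-
-* Add default user id as fallback for activity user when importing
-
-## Dradis Framework 3.8 (September, 2017) ##
-
-* Add version attribute to exported methodologies
-
-* Add parse_report_content placeholders to import/export.
-
-## Dradis Framework 3.7 (July, 2017) ##
-
-* Skip closing the logger in thorfile
-
-## Dradis Framework 3.6 (March, 2017) ##
-
-* Include file version in project template export.
-
-* Stop using homegrown configuration and use `Rails.application.config`.
-
-* Make the project template exporter / uploader configurable.
-
-* Break down the #export and #parse methods into smaller tasks.
+v3.6.0 (March 2017)
+- Break down the #export and #parse methods into smaller tasks
+- Include file version in project template export
+- Make the project template exporter / uploader configurable
+- Stop using homegrown configuration and use `Rails.application.config`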
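--- a/data/CHANGELOG.template
+++ b/data/CHANGELOG.template
@@ -0,0 +1,12 @@
+[v#.#.#] ([month] [YYYY])
+- [future tense verb] [feature]
+- Upgraded gems:
+- [gem]
+- Bugs fixes:
+- [future tense verb] [bug fix]
+- Bug tracker items:
+- [item]
+- Security Fixes:
+- High: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
+- Medium: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
+- Low: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]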
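--- a/data/dradis-projects.gemspec
+++ b/data/dradis-projects.gemspec
@@ -20,11 +20,11 @@ Gem::Specification.new do |spec|
 spec.executables = spec.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
 spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
 
-spec.add_development_dependency 'bundler', '~>
+spec.add_development_dependency 'bundler', '~> 2.2'
 spec.add_development_dependency 'combustion'
 spec.add_development_dependency 'rake', '~> 10.0'
 spec.add_development_dependency 'rspec'
 
-spec.add_dependency 'dradis-plugins', '~>
+spec.add_dependency 'dradis-plugins', '~> 4.0'
 spec.add_dependency 'rubyzip'
 end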
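--- a/data/lib/dradis/plugins/projects/export/v3/template.rb
+++ b/data/lib/dradis/plugins/projects/export/v3/template.rb
@@ -13,43 +13,7 @@ module Dradis::Plugins::Projects::Export::V3
 node_id =
 board.node == project.methodology_library ? nil : board.node_id
 
-
-board_builder.id(board.id)
-board_builder.name(board.name)
-board_builder.node_id(node_id)
-
-board.ordered_items.each do |list|
-
-board_builder.list do |list_builder|
-list_builder.id(list.id)
-list_builder.name(list.name)
-list_builder.previous_id(list.previous_id)
-
-list.ordered_items.each do |card|
-
-list_builder.card do |card_builder|
-card_builder.id(card.id)
-card_builder.name(card.name)
-card_builder.description do
-card_builder.cdata!(card.description)
-end
-card_builder.due_date(card.due_date)
-card_builder.previous_id(card.previous_id)
-
-card_builder.assignees do |assignee_builder|
-card.assignees.each do |assignee|
-assignee_builder.assignee(assignee.email)
-end
-end
-
-build_activities_for(card_builder, card)
-build_comments_for(card_builder, card)
-end
-
-end
-end
-end
-end
+board.to_xml(methodologies_builder, includes: [:activities, :assignees, :comments], version: VERSION)
 end
 end
 end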
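Review bot: `node_id` is still computed on lines 13–14 but nothing left in the hunk reads it — the only remaining statement is `board.to_xml(methodologies_builder, includes: [...], version: VERSION)` on line 16, and a local cannot be seen from inside `to_xml`. Either the two-line assignment is now dead and should go, or the methodology-library special case (export `nil` instead of `board.node_id`) was meant to survive and the value needs to be handed to `to_xml`; whether `Board#to_xml` handles that case itself is not visible here, so worth confirming before deleting. A one-line comment on line 16 such as `# Board#to_xml serialises lists, cards, activities, assignees and comments; VERSION selects the template format` would also record what the removed builder code used to make explicit. The enclosing method starts outside the hunk.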
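--- a/data/lib/dradis/plugins/projects/upload/package.rb
+++ b/data/lib/dradis/plugins/projects/upload/package.rb
@@ -47,13 +47,18 @@ module Dradis::Plugins::Projects::Upload
 
 
 logger.info { 'Moving attachments to their final destinations...' }
-lookup_table[:nodes].each do |oldid,newid|
-
-
+lookup_table[:nodes].each do |oldid, newid|
+tmp_dir = Rails.root.join('tmp', 'zip')
+old_attachments_dir = File.expand_path(tmp_dir.join(oldid.to_s))
 
-
-
-
+# Ensure once the path is expanded it's still within the expected
+# tmp directory to prevent unauthorized access to other dirs
+next unless old_attachments_dir.starts_with?(tmp_dir.to_s) && File.directory?(old_attachments_dir)
+
+FileUtils.mkdir_p Attachment.pwd.join(newid.to_s)
+
+Dir.glob(Pathname.new(old_attachments_dir).join('*')).each do |attachment|
+FileUtils.mv(attachment, Attachment.pwd.join(newid.to_s))
 end
 end
 logger.info { 'Done.' }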
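Review bot: The containment check on line 56 is a bare string-prefix comparison, so a resolved path for a sibling directory whose name merely begins with the same characters (`tmp/zip` versus a `tmp/zip-something/…`) would satisfy `starts_with?(tmp_dir.to_s)` yet lie outside the directory the comment on lines 54–55 promises to enforce; compare against the directory plus its separator, `next unless old_attachments_dir.start_with?(File.join(tmp_dir.to_s, '')) && File.directory?(old_attachments_dir)`. If every writer of `lookup_table[:nodes]` now keys it by Integer as the V1 importer in this release does, `oldid.to_s` cannot carry a separator and this is defence in depth rather than a live gap, but the check should still be exact since it is the last guard before `FileUtils.mv`. `tmp_dir` on line 51 does not depend on the loop variable and can be assigned once before `lookup_table[:nodes].each`. The enclosing method starts and ends outside the hunk.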
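--- a/data/lib/dradis/plugins/projects/upload/v1/template.rb
+++ b/data/lib/dradis/plugins/projects/upload/v1/template.rb
@@ -105,7 +105,7 @@ module Dradis::Plugins::Projects::Upload::V1
 logger.info { "Adjusting screenshot URLs: #{item.class.name} ##{item.id}" }
 
 new_text = item.send(text_attr).gsub(ATTACHMENT_URL) do |_|
-"!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2], $3]
+"!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2.to_i], $3]
 end
 item.send(text_attr.to_s + "=", new_text)
 
@@ -121,7 +121,7 @@ module Dradis::Plugins::Projects::Upload::V1
 evidence.issue_id = lookup_table[:issues][evidence.issue_id.to_s]
 
 new_content = evidence.content.gsub(ATTACHMENT_URL) do |_|
-"!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2], $3]
+"!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2.to_i], $3]
 end
 evidence.content = new_content
 
@@ -289,7 +289,12 @@ module Dradis::Plugins::Projects::Upload::V1
 node = parse_node(xml_node)
 
 # keep track of reassigned ids
-
+# Convert the id to an integer as it has no place being a string, or
+# directory path. We later use this ID to build a directory structure
+# to place attachments and without validation opens the potential for
+# path traversal.
+node_original_id = Integer(xml_node.at_xpath('id').text.strip)
+lookup_table[:nodes][node_original_id] = node.id
 end
 
 logger.info { 'Done.' }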
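Review bot: `Integer(xml_node.at_xpath('id').text.strip)` on line 296 fails closed for a non-numeric id, which is the right outcome, but a `<node>` with no `<id>` element makes `at_xpath('id')` return nil and the call raises NoMethodError instead of ArgumentError; if the rescue that turns this into the `false` the new spec expects (it lives outside the hunk) is narrower than StandardError, a missing id would surface as a crash rather than a rejected import. Reading the text defensively keeps both cases on one path: `id_text = xml_node.at_xpath('id')&.text || ''` followed by `node_original_id = Integer(id_text.strip)`. The `:nodes` table is now keyed by Integer while `:issues` on line 121 is still keyed by `to_s` strings, and the readers on lines 108 and 124 depend on that; a short comment where `lookup_table` is initialised, e.g. `# :nodes is keyed by Integer (validated on import), :issues by String`, would make a future `[$2]` regression obvious. The enclosing methods start outside the hunks.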
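--- a/data/lib/dradis/plugins/projects/upload/v3/template.rb
+++ b/data/lib/dradis/plugins/projects/upload/v3/template.rb
@@ -131,7 +131,7 @@ module Dradis::Plugins::Projects::Upload::V3
 xml_node_id = xml_board.at_xpath('node_id').try(:text)
 node_id =
 if xml_node_id.present?
-lookup_table[:nodes][xml_node_id]
+lookup_table[:nodes][xml_node_id.to_i]
 else
 project.methodology_library.id
 end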
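Review bot: `xml_node_id.to_i` on line 134 maps any non-numeric `<node_id>` to 0 without complaint, so a malformed board reference yields a nil lookup and a board silently created with a nil `node_id`, whereas the V1 importer in this same release uses `Integer(...)` and rejects the template. Using the same coercion here, `lookup_table[:nodes][Integer(xml_node_id.strip)]`, keeps the two importers consistent and turns a corrupt or tampered template into an error rather than a half-imported project; `to_i` is safe against traversal since the result is always an Integer, so this is about consistency and fail-closed handling rather than a new hole. The enclosing method starts and ends outside the hunk.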
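--- a/data/spec/fixtures/files/malformed_ids.xml
+++ b/data/spec/fixtures/files/malformed_ids.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<dradis-template version="1">
+<nodes>
+<node>
+<id>../../../../../../tmp</id>
+<label>Node 1</label>
+<parent-id/>
+<position>0</position>
+<properties><![CDATA[{
+}]]></properties>
+<type-id>1</type-id>
+</node>
+</nodes>
+</dradis-template>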
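--- a/data/spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb
+++ b/data/spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb
@@ -1,15 +1,17 @@
+# frozen_string_literal: true
+
 require 'rails_helper'
 
 describe Dradis::Plugins::Projects::Upload::V1::Template::Importer do
-
 let(:project) { create(:project) }
 let(:user) { create(:user) }
 let(:importer_class) { Dradis::Plugins::Projects::Upload::Template }
-let(:file_path) {
-File.join(File.dirname(__FILE__), '../../../../../../', 'fixtures', 'files', 'attachments_url.xml')
-}
 
 context 'uploading a template with attachments url' do
+let(:file_path) do
+File.join(File.dirname(__FILE__), '../../../../../../', 'fixtures', 'files', 'attachments_url.xml')
+end
+
 it 'converts the urls' do
 importer = importer_class::Importer.new(
 default_user_id: user.id,
@@ -30,4 +32,20 @@ describe Dradis::Plugins::Projects::Upload::V1::Template::Importer do
 )
 end
 end
+
+context 'uploading a template malformed paths as ids' do
+let(:file_path) do
+File.join(File.dirname(__FILE__), '../../../../../../', 'fixtures', 'files', 'malformed_ids.xml')
+end
+
+it 'returns false' do
+importer = importer_class::Importer.new(
+default_user_id: user.id,
+plugin: importer_class,
+project_id: project.id
+)
+
+expect(importer.import(file: file_path)).to be false
+end
+end
 end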
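Review bot: The context description on line 36, `'uploading a template malformed paths as ids'`, is missing a preposition; `'uploading a template with malformed paths as ids'` reads as intended and mirrors the sibling context on line 10. The example only pins the boolean result of `import`, so it would also pass if the fixture were rejected for an unrelated reason (a schema mismatch, say); if the importer records the failure somewhere observable — not visible in this hunk — asserting on that message as well would tie the test to the id validation it is meant to cover. A one-line comment above the context, e.g. `# regression test for the path-traversal fix: a non-numeric node id must abort the import`, would give the fixture's odd `<id>` value its rationale.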
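--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-projects
 version: !ruby/object:Gem::Version
-version:
+version: 4.1.2.1
 platform: ruby
 authors:
 - Daniel Martin
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-
+date: 2021-12-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '
+version: '2.2'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '
+version: '2.2'
 - !ruby/object:Gem::Dependency
 name: combustion
 requirement: !ruby/object:Gem::Requirement
@@ -72,14 +72,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '
+version: '4.0'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '
+version: '4.0'
 - !ruby/object:Gem::Dependency
 name: rubyzip
 requirement: !ruby/object:Gem::Requirement
@@ -105,6 +105,7 @@ files:
 - ".gitignore"
 - ".ruby-version"
 - CHANGELOG.md
+- CHANGELOG.template
 - CONTRIBUTING.md
 - Gemfile
 - LICENSE
@@ -133,6 +134,7 @@ files:
 - lib/dradis/plugins/projects/version.rb
 - lib/tasks/thorfile.rb
 - spec/fixtures/files/attachments_url.xml
+- spec/fixtures/files/malformed_ids.xml
 - spec/fixtures/files/with_comments.xml
 - spec/lib/dradis/plugins/projects/export/v2/template_spec.rb
 - spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb
@@ -141,7 +143,7 @@ homepage: http://dradisframework.org
 licenses:
 - GPL-2
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -156,12 +158,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.2.
-signing_key:
+rubygems_version: 3.2.28
+signing_key:
 specification_version: 4
 summary: Project export/upload for the Dradis Framework.
 test_files:
 - spec/fixtures/files/attachments_url.xml
+- spec/fixtures/files/malformed_ids.xml
 - spec/fixtures/files/with_comments.xml
 - spec/lib/dradis/plugins/projects/export/v2/template_spec.rb
 - spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb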