dradis-projects 4.1.2.1 → 4.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 68ddaed8e020a33f06c7dd722bbb0502f7598a76eaf61a0f2c4a05716ebbf2be
-  data.tar.gz: 66d06ddd0941b6eaa9ab7b1839af76620b2e764cf25ce0cc90778a91ecfe003b
+  metadata.gz: a948d2f65162d64285169d7f6107ee635f18a16b2d3b7d48b7cc27cd3f1bbf0a
+  data.tar.gz: 9bbffaebfc9dc1e2d7eddd85ec2182ee2fe621185ce03b67783c6113a078be43
 SHA512:
-  metadata.gz: 7d3b899c0aa7a605c47fdc85d52baea5b966a94392f123a835495a14ae05ba8a6637e37a2dd74cfa76458b19f12a1013979afed7a191e1ea95c6ff5e1015ccb7
-  data.tar.gz: 8d84010325dfadaa0d51ef0ae3e45e27d049bcd7ed0a0754d1c3c605b7598c2bbc78e3dc7306b600a09e5ad77a4c208c170aa27fcd4c9d2c44c00093afff5cb6
+  metadata.gz: 0a1557060a75f871e08733097f109712ca2f0998180dd89c8a93b3f94dba4e054991d3b71ba8f6be616a17717070df2ffef363a78e5cb5d8c5faee4b26abb42a
+  data.tar.gz: f4368d8b867ad79c931977866278e48db0833d50490030da00c67740732afa68ffaac0d24dd7f3439c66649680e40706a41cd7606a8a576ecc38cf71b6a072ca

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+v4.2.0 (February 2022)
+  - Bugs fixes:
+    - Fix missing nodes for attachments during template and package imports
+    - Fix missing parent nodes during template and package imports
+
 v4.1.2.1 (December 2021)
   - Security Fixes:
     - High: Authenticated author path traversal

data/lib/dradis/plugins/projects/gem_version.rb

@@ -8,9 +8,9 @@ module Dradis
 
       module VERSION
         MAJOR = 4
-        MINOR = 1
-        TINY = 2
-        PRE = 1
+        MINOR = 2
+        TINY = 0
+        PRE = nil
 
         STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
       end

data/lib/dradis/plugins/projects/upload/v1/template.rb

@@ -104,9 +104,7 @@ module Dradis::Plugins::Projects::Upload::V1
 
           logger.info { "Adjusting screenshot URLs: #{item.class.name} ##{item.id}" }
 
-          new_text = item.send(text_attr).gsub(ATTACHMENT_URL) do |_|
-            "!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2.to_i], $3]
-          end
+          new_text = update_attachment_references(item.send(text_attr))
           item.send(text_attr.to_s + "=", new_text)
 
           raise "Couldn't save note attachment URL for #{item.class.name} ##{item.id}" unless validate_and_save(item)
@@ -118,12 +116,9 @@ module Dradis::Plugins::Projects::Upload::V1
       def finalize_evidence
         pending_changes[:evidence].each_with_index do |evidence, i|
           logger.info { "Setting issue_id for evidence" }
-          evidence.issue_id = lookup_table[:issues][evidence.issue_id.to_s]
+          evidence.issue_id = lookup_table[:issues][evidence.issue_id]
 
-          new_content = evidence.content.gsub(ATTACHMENT_URL) do |_|
-            "!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2.to_i], $3]
-          end
-          evidence.content = new_content
+          evidence.content = update_attachment_references(evidence.content)
 
           raise "Couldn't save Evidence :issue_id / attachment URL Evidence ##{evidence.id}" unless validate_and_save(evidence)
 
@@ -141,7 +136,7 @@ module Dradis::Plugins::Projects::Upload::V1
       def finalize_nodes
         pending_changes[:orphan_nodes].each do |node|
           logger.info { "Finding parent for orphaned node: #{node.label}. Former parent was #{node.parent_id}" }
-          node.parent_id = lookup_table[:nodes][node.parent_id.to_s]
+          node.parent_id = lookup_table[:nodes][node.parent_id]
           raise "Couldn't save node parent for Node ##{node.id}" unless validate_and_save(node)
         end
       end
@@ -153,7 +148,7 @@ module Dradis::Plugins::Projects::Upload::V1
         logger.info { 'Processing Categories...' }
 
         template.xpath('dradis-template/categories/category').each do |xml_category|
-          old_id   = xml_category.at_xpath('id').text.strip
+          old_id   = Integer(xml_category.at_xpath('id').text.strip)
           name     = xml_category.at_xpath('name').text.strip
           category = nil
 
@@ -183,7 +178,7 @@ module Dradis::Plugins::Projects::Upload::V1
             pending_changes[:attachment_notes] << issue
           end
 
-          old_id = xml_issue.at_xpath('id').text.strip
+          old_id = Integer(xml_issue.at_xpath('id').text.strip)
           lookup_table[:issues][old_id] = issue.id
           logger.info{ "New issue detected: #{issue.title}" }
         end
@@ -331,7 +326,7 @@ module Dradis::Plugins::Projects::Upload::V1
         xml_node.xpath('notes/note').each do |xml_note|
 
           if xml_note.at_xpath('author') != nil
-            old_id = xml_note.at_xpath('category-id').text.strip
+            old_id = Integer(xml_note.at_xpath('category-id').text.strip)
             new_id = lookup_table[:categories][old_id]
 
             created_at = xml_note.at_xpath('created-at')
@@ -375,7 +370,7 @@ module Dradis::Plugins::Projects::Upload::V1
           logger.info { "New tag detected: #{name}" }
 
           xml_tag.xpath('./taggings/tagging').each do |xml_tagging|
-            old_taggable_id = xml_tagging.at_xpath('taggable-id').text()
+            old_taggable_id = Integer(xml_tagging.at_xpath('taggable-id').text())
             taggable_type   = xml_tagging.at_xpath('taggable-type').text()
 
             new_taggable_id = case taggable_type
@@ -399,6 +394,18 @@ module Dradis::Plugins::Projects::Upload::V1
         end
       end
 
+      def update_attachment_references(string)
+        string.gsub(ATTACHMENT_URL) do |attachment|
+          node_id = lookup_table[:nodes][$2.to_i]
+          if node_id
+            "!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, node_id, $3]
+          else
+            logger.error { "The attachment wasn't included in the package: #{attachment}" }
+            attachment
+          end
+        end
+      end
+
       def user_id_for_email(email)
         users[email] || @default_user_id
       end

data/lib/dradis/plugins/projects/upload/v3/template.rb

@@ -94,7 +94,7 @@ module Dradis::Plugins::Projects::Upload::V3
         card = list.cards.create name: xml_card.at_xpath('name').text,
           description: xml_card.at_xpath('description').text,
           due_date: due_date,
-          previous_id: xml_card.at_xpath('previous_id').text
+          previous_id: xml_card.at_xpath('previous_id').text&.to_i
 
         xml_card.xpath('activities/activity').each do |xml_activity|
           raise "Couldn't create activity for Card ##{card.id}" unless create_activity(card, xml_activity)
@@ -106,7 +106,8 @@ module Dradis::Plugins::Projects::Upload::V3
 
         raise "Couldn't create comments for Card ##{card.id}" unless create_comments(card, xml_card.xpath('comments/comment'))
 
-        lookup_table[:cards][xml_card.at_xpath('id').text.to_i] = card.id
+        xml_id = Integer(xml_card.at_xpath('id').text)
+        lookup_table[:cards][xml_id] = card.id
         pending_changes[:cards] << card
       end
 
@@ -143,9 +144,10 @@ module Dradis::Plugins::Projects::Upload::V3
 
           xml_board.xpath('./list').each do |xml_list|
             list = board.lists.create name: xml_list.at_xpath('name').text,
-              previous_id: xml_list.at_xpath('previous_id').text
+              previous_id: xml_list.at_xpath('previous_id').text&.to_i
+            xml_id = Integer(xml_list.at_xpath('id').text)
 
-            lookup_table[:lists][xml_list.at_xpath('id').text.to_i] = list.id
+            lookup_table[:lists][xml_id] = list.id
             pending_changes[:lists] << list
 
             xml_list.xpath('./card').each do |xml_card|

data/spec/fixtures/files/missing_node.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<dradis-template version="2">
+<nodes><node><id>5</id><label>Uploaded files</label><parent-id/><position>0</position><properties><![CDATA[{}]]></properties><type-id>0</type-id><notes></notes><evidence></evidence><activities></activities></node></nodes>
+<issues><issue><id>2</id><author>admin@securityroots.com</author><text><![CDATA[#[Title]#
+Test Issue
+
+#[Description]#
+!/pro/projects/222/nodes/12345/attachments/hello.jpg!
+
+  ]]></text><activities></activities><comments></comments></issue></issues>
+</dradis-template>

data/spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb

@@ -48,4 +48,29 @@ describe Dradis::Plugins::Projects::Upload::V1::Template::Importer do
       expect(importer.import(file: file_path)).to be false
     end
   end
+
+  context 'uploading a template with attachment but missing node' do
+    let(:file_path) do
+      File.join(File.dirname(__FILE__), '../../../../../../', 'fixtures', 'files', 'missing_node.xml')
+    end
+
+    it 'does not modify the attachment' do
+      logger = double('logger')
+      allow(logger).to receive_messages(debug: nil, error: nil, fatal: nil, info: nil)
+      expect(logger).to receive(:error).once
+
+      importer = importer_class::Importer.new(
+        default_user_id: user.id,
+        logger: logger,
+        plugin: importer_class,
+        project_id: project.id
+      )
+
+      importer.import(file: file_path)
+
+      expect(project.issues.first.text).to include(
+        "!/pro/projects/222/nodes/12345/attachments/hello.jpg!"
+      )
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-projects
 version: !ruby/object:Gem::Version
-  version: 4.1.2.1
+  version: 4.2.0
 platform: ruby
 authors:
 - Daniel Martin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-12-22 00:00:00.000000000 Z
+date: 2022-02-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -135,6 +135,7 @@ files:
 - lib/tasks/thorfile.rb
 - spec/fixtures/files/attachments_url.xml
 - spec/fixtures/files/malformed_ids.xml
+- spec/fixtures/files/missing_node.xml
 - spec/fixtures/files/with_comments.xml
 - spec/lib/dradis/plugins/projects/export/v2/template_spec.rb
 - spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb
@@ -158,13 +159,14 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.28
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: Project export/upload for the Dradis Framework.
 test_files:
 - spec/fixtures/files/attachments_url.xml
 - spec/fixtures/files/malformed_ids.xml
+- spec/fixtures/files/missing_node.xml
 - spec/fixtures/files/with_comments.xml
 - spec/lib/dradis/plugins/projects/export/v2/template_spec.rb
 - spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb