dradis-projects 4.1.2.1 → 4.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/lib/dradis/plugins/projects/gem_version.rb +3 -3
- data/lib/dradis/plugins/projects/upload/v1/template.rb +20 -13
- data/lib/dradis/plugins/projects/upload/v3/template.rb +6 -4
- data/spec/fixtures/files/missing_node.xml +11 -0
- data/spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb +25 -0
- metadata +5 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a948d2f65162d64285169d7f6107ee635f18a16b2d3b7d48b7cc27cd3f1bbf0a
|
|
4
|
+
data.tar.gz: 9bbffaebfc9dc1e2d7eddd85ec2182ee2fe621185ce03b67783c6113a078be43
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 0a1557060a75f871e08733097f109712ca2f0998180dd89c8a93b3f94dba4e054991d3b71ba8f6be616a17717070df2ffef363a78e5cb5d8c5faee4b26abb42a
|
|
7
|
+
data.tar.gz: f4368d8b867ad79c931977866278e48db0833d50490030da00c67740732afa68ffaac0d24dd7f3439c66649680e40706a41cd7606a8a576ecc38cf71b6a072ca
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,8 @@
|
|
|
1
|
+
v4.2.0 (February 2022)
|
|
2
|
+
- Bugs fixes:
|
|
3
|
+
- Fix missing nodes for attachments during template and package imports
|
|
4
|
+
- Fix missing parent nodes during template and package imports
|
|
5
|
+
|
|
1
6
|
v4.1.2.1 (December 2021)
|
|
2
7
|
- Security Fixes:
|
|
3
8
|
- High: Authenticated author path traversal
|
|
@@ -104,9 +104,7 @@ module Dradis::Plugins::Projects::Upload::V1
|
|
|
104
104
|
|
|
105
105
|
logger.info { "Adjusting screenshot URLs: #{item.class.name} ##{item.id}" }
|
|
106
106
|
|
|
107
|
-
new_text = item.send(text_attr)
|
|
108
|
-
"!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2.to_i], $3]
|
|
109
|
-
end
|
|
107
|
+
new_text = update_attachment_references(item.send(text_attr))
|
|
110
108
|
item.send(text_attr.to_s + "=", new_text)
|
|
111
109
|
|
|
112
110
|
raise "Couldn't save note attachment URL for #{item.class.name} ##{item.id}" unless validate_and_save(item)
|
|
@@ -118,12 +116,9 @@ module Dradis::Plugins::Projects::Upload::V1
|
|
|
118
116
|
def finalize_evidence
|
|
119
117
|
pending_changes[:evidence].each_with_index do |evidence, i|
|
|
120
118
|
logger.info { "Setting issue_id for evidence" }
|
|
121
|
-
evidence.issue_id = lookup_table[:issues][evidence.issue_id
|
|
119
|
+
evidence.issue_id = lookup_table[:issues][evidence.issue_id]
|
|
122
120
|
|
|
123
|
-
|
|
124
|
-
"!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2.to_i], $3]
|
|
125
|
-
end
|
|
126
|
-
evidence.content = new_content
|
|
121
|
+
evidence.content = update_attachment_references(evidence.content)
|
|
127
122
|
|
|
128
123
|
raise "Couldn't save Evidence :issue_id / attachment URL Evidence ##{evidence.id}" unless validate_and_save(evidence)
|
|
129
124
|
|
|
@@ -141,7 +136,7 @@ module Dradis::Plugins::Projects::Upload::V1
|
|
|
141
136
|
def finalize_nodes
|
|
142
137
|
pending_changes[:orphan_nodes].each do |node|
|
|
143
138
|
logger.info { "Finding parent for orphaned node: #{node.label}. Former parent was #{node.parent_id}" }
|
|
144
|
-
node.parent_id = lookup_table[:nodes][node.parent_id
|
|
139
|
+
node.parent_id = lookup_table[:nodes][node.parent_id]
|
|
145
140
|
raise "Couldn't save node parent for Node ##{node.id}" unless validate_and_save(node)
|
|
146
141
|
end
|
|
147
142
|
end
|
|
@@ -153,7 +148,7 @@ module Dradis::Plugins::Projects::Upload::V1
|
|
|
153
148
|
logger.info { 'Processing Categories...' }
|
|
154
149
|
|
|
155
150
|
template.xpath('dradis-template/categories/category').each do |xml_category|
|
|
156
|
-
old_id = xml_category.at_xpath('id').text.strip
|
|
151
|
+
old_id = Integer(xml_category.at_xpath('id').text.strip)
|
|
157
152
|
name = xml_category.at_xpath('name').text.strip
|
|
158
153
|
category = nil
|
|
159
154
|
|
|
@@ -183,7 +178,7 @@ module Dradis::Plugins::Projects::Upload::V1
|
|
|
183
178
|
pending_changes[:attachment_notes] << issue
|
|
184
179
|
end
|
|
185
180
|
|
|
186
|
-
old_id = xml_issue.at_xpath('id').text.strip
|
|
181
|
+
old_id = Integer(xml_issue.at_xpath('id').text.strip)
|
|
187
182
|
lookup_table[:issues][old_id] = issue.id
|
|
188
183
|
logger.info{ "New issue detected: #{issue.title}" }
|
|
189
184
|
end
|
|
@@ -331,7 +326,7 @@ module Dradis::Plugins::Projects::Upload::V1
|
|
|
331
326
|
xml_node.xpath('notes/note').each do |xml_note|
|
|
332
327
|
|
|
333
328
|
if xml_note.at_xpath('author') != nil
|
|
334
|
-
old_id = xml_note.at_xpath('category-id').text.strip
|
|
329
|
+
old_id = Integer(xml_note.at_xpath('category-id').text.strip)
|
|
335
330
|
new_id = lookup_table[:categories][old_id]
|
|
336
331
|
|
|
337
332
|
created_at = xml_note.at_xpath('created-at')
|
|
@@ -375,7 +370,7 @@ module Dradis::Plugins::Projects::Upload::V1
|
|
|
375
370
|
logger.info { "New tag detected: #{name}" }
|
|
376
371
|
|
|
377
372
|
xml_tag.xpath('./taggings/tagging').each do |xml_tagging|
|
|
378
|
-
old_taggable_id = xml_tagging.at_xpath('taggable-id').text()
|
|
373
|
+
old_taggable_id = Integer(xml_tagging.at_xpath('taggable-id').text())
|
|
379
374
|
taggable_type = xml_tagging.at_xpath('taggable-type').text()
|
|
380
375
|
|
|
381
376
|
new_taggable_id = case taggable_type
|
|
@@ -399,6 +394,18 @@ module Dradis::Plugins::Projects::Upload::V1
|
|
|
399
394
|
end
|
|
400
395
|
end
|
|
401
396
|
|
|
397
|
+
def update_attachment_references(string)
|
|
398
|
+
string.gsub(ATTACHMENT_URL) do |attachment|
|
|
399
|
+
node_id = lookup_table[:nodes][$2.to_i]
|
|
400
|
+
if node_id
|
|
401
|
+
"!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, node_id, $3]
|
|
402
|
+
else
|
|
403
|
+
logger.error { "The attachment wasn't included in the package: #{attachment}" }
|
|
404
|
+
attachment
|
|
405
|
+
end
|
|
406
|
+
end
|
|
407
|
+
end
|
|
408
|
+
|
|
402
409
|
def user_id_for_email(email)
|
|
403
410
|
users[email] || @default_user_id
|
|
404
411
|
end
|
|
@@ -94,7 +94,7 @@ module Dradis::Plugins::Projects::Upload::V3
|
|
|
94
94
|
card = list.cards.create name: xml_card.at_xpath('name').text,
|
|
95
95
|
description: xml_card.at_xpath('description').text,
|
|
96
96
|
due_date: due_date,
|
|
97
|
-
previous_id: xml_card.at_xpath('previous_id').text
|
|
97
|
+
previous_id: xml_card.at_xpath('previous_id').text&.to_i
|
|
98
98
|
|
|
99
99
|
xml_card.xpath('activities/activity').each do |xml_activity|
|
|
100
100
|
raise "Couldn't create activity for Card ##{card.id}" unless create_activity(card, xml_activity)
|
|
@@ -106,7 +106,8 @@ module Dradis::Plugins::Projects::Upload::V3
|
|
|
106
106
|
|
|
107
107
|
raise "Couldn't create comments for Card ##{card.id}" unless create_comments(card, xml_card.xpath('comments/comment'))
|
|
108
108
|
|
|
109
|
-
|
|
109
|
+
xml_id = Integer(xml_card.at_xpath('id').text)
|
|
110
|
+
lookup_table[:cards][xml_id] = card.id
|
|
110
111
|
pending_changes[:cards] << card
|
|
111
112
|
end
|
|
112
113
|
|
|
@@ -143,9 +144,10 @@ module Dradis::Plugins::Projects::Upload::V3
|
|
|
143
144
|
|
|
144
145
|
xml_board.xpath('./list').each do |xml_list|
|
|
145
146
|
list = board.lists.create name: xml_list.at_xpath('name').text,
|
|
146
|
-
previous_id: xml_list.at_xpath('previous_id').text
|
|
147
|
+
previous_id: xml_list.at_xpath('previous_id').text&.to_i
|
|
148
|
+
xml_id = Integer(xml_list.at_xpath('id').text)
|
|
147
149
|
|
|
148
|
-
lookup_table[:lists][
|
|
150
|
+
lookup_table[:lists][xml_id] = list.id
|
|
149
151
|
pending_changes[:lists] << list
|
|
150
152
|
|
|
151
153
|
xml_list.xpath('./card').each do |xml_card|
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
<?xml version="1.0" encoding="UTF-8"?>
|
|
2
|
+
<dradis-template version="2">
|
|
3
|
+
<nodes><node><id>5</id><label>Uploaded files</label><parent-id/><position>0</position><properties><![CDATA[{}]]></properties><type-id>0</type-id><notes></notes><evidence></evidence><activities></activities></node></nodes>
|
|
4
|
+
<issues><issue><id>2</id><author>admin@securityroots.com</author><text><![CDATA[#[Title]#
|
|
5
|
+
Test Issue
|
|
6
|
+
|
|
7
|
+
#[Description]#
|
|
8
|
+
!/pro/projects/222/nodes/12345/attachments/hello.jpg!
|
|
9
|
+
|
|
10
|
+
]]></text><activities></activities><comments></comments></issue></issues>
|
|
11
|
+
</dradis-template>
|
|
@@ -48,4 +48,29 @@ describe Dradis::Plugins::Projects::Upload::V1::Template::Importer do
|
|
|
48
48
|
expect(importer.import(file: file_path)).to be false
|
|
49
49
|
end
|
|
50
50
|
end
|
|
51
|
+
|
|
52
|
+
context 'uploading a template with attachment but missing node' do
|
|
53
|
+
let(:file_path) do
|
|
54
|
+
File.join(File.dirname(__FILE__), '../../../../../../', 'fixtures', 'files', 'missing_node.xml')
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
it 'does not modify the attachment' do
|
|
58
|
+
logger = double('logger')
|
|
59
|
+
allow(logger).to receive_messages(debug: nil, error: nil, fatal: nil, info: nil)
|
|
60
|
+
expect(logger).to receive(:error).once
|
|
61
|
+
|
|
62
|
+
importer = importer_class::Importer.new(
|
|
63
|
+
default_user_id: user.id,
|
|
64
|
+
logger: logger,
|
|
65
|
+
plugin: importer_class,
|
|
66
|
+
project_id: project.id
|
|
67
|
+
)
|
|
68
|
+
|
|
69
|
+
importer.import(file: file_path)
|
|
70
|
+
|
|
71
|
+
expect(project.issues.first.text).to include(
|
|
72
|
+
"!/pro/projects/222/nodes/12345/attachments/hello.jpg!"
|
|
73
|
+
)
|
|
74
|
+
end
|
|
75
|
+
end
|
|
51
76
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dradis-projects
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.
|
|
4
|
+
version: 4.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Daniel Martin
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-02-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -135,6 +135,7 @@ files:
|
|
|
135
135
|
- lib/tasks/thorfile.rb
|
|
136
136
|
- spec/fixtures/files/attachments_url.xml
|
|
137
137
|
- spec/fixtures/files/malformed_ids.xml
|
|
138
|
+
- spec/fixtures/files/missing_node.xml
|
|
138
139
|
- spec/fixtures/files/with_comments.xml
|
|
139
140
|
- spec/lib/dradis/plugins/projects/export/v2/template_spec.rb
|
|
140
141
|
- spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb
|
|
@@ -158,13 +159,14 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
158
159
|
- !ruby/object:Gem::Version
|
|
159
160
|
version: '0'
|
|
160
161
|
requirements: []
|
|
161
|
-
rubygems_version: 3.
|
|
162
|
+
rubygems_version: 3.1.4
|
|
162
163
|
signing_key:
|
|
163
164
|
specification_version: 4
|
|
164
165
|
summary: Project export/upload for the Dradis Framework.
|
|
165
166
|
test_files:
|
|
166
167
|
- spec/fixtures/files/attachments_url.xml
|
|
167
168
|
- spec/fixtures/files/malformed_ids.xml
|
|
169
|
+
- spec/fixtures/files/missing_node.xml
|
|
168
170
|
- spec/fixtures/files/with_comments.xml
|
|
169
171
|
- spec/lib/dradis/plugins/projects/export/v2/template_spec.rb
|
|
170
172
|
- spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb
|