dradis-projects 4.1.2.1 → 4.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/lib/dradis/plugins/projects/gem_version.rb +3 -3
- data/lib/dradis/plugins/projects/upload/v1/template.rb +20 -13
- data/lib/dradis/plugins/projects/upload/v3/template.rb +6 -4
- data/spec/fixtures/files/missing_node.xml +11 -0
- data/spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb +25 -0
- metadata +5 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: a948d2f65162d64285169d7f6107ee635f18a16b2d3b7d48b7cc27cd3f1bbf0a
|
4
|
+
data.tar.gz: 9bbffaebfc9dc1e2d7eddd85ec2182ee2fe621185ce03b67783c6113a078be43
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 0a1557060a75f871e08733097f109712ca2f0998180dd89c8a93b3f94dba4e054991d3b71ba8f6be616a17717070df2ffef363a78e5cb5d8c5faee4b26abb42a
|
7
|
+
data.tar.gz: f4368d8b867ad79c931977866278e48db0833d50490030da00c67740732afa68ffaac0d24dd7f3439c66649680e40706a41cd7606a8a576ecc38cf71b6a072ca
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,8 @@
|
|
1
|
+
v4.2.0 (February 2022)
|
2
|
+
- Bugs fixes:
|
3
|
+
- Fix missing nodes for attachments during template and package imports
|
4
|
+
- Fix missing parent nodes during template and package imports
|
5
|
+
|
1
6
|
v4.1.2.1 (December 2021)
|
2
7
|
- Security Fixes:
|
3
8
|
- High: Authenticated author path traversal
|
@@ -104,9 +104,7 @@ module Dradis::Plugins::Projects::Upload::V1
|
|
104
104
|
|
105
105
|
logger.info { "Adjusting screenshot URLs: #{item.class.name} ##{item.id}" }
|
106
106
|
|
107
|
-
new_text = item.send(text_attr)
|
108
|
-
"!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2.to_i], $3]
|
109
|
-
end
|
107
|
+
new_text = update_attachment_references(item.send(text_attr))
|
110
108
|
item.send(text_attr.to_s + "=", new_text)
|
111
109
|
|
112
110
|
raise "Couldn't save note attachment URL for #{item.class.name} ##{item.id}" unless validate_and_save(item)
|
@@ -118,12 +116,9 @@ module Dradis::Plugins::Projects::Upload::V1
|
|
118
116
|
def finalize_evidence
|
119
117
|
pending_changes[:evidence].each_with_index do |evidence, i|
|
120
118
|
logger.info { "Setting issue_id for evidence" }
|
121
|
-
evidence.issue_id = lookup_table[:issues][evidence.issue_id
|
119
|
+
evidence.issue_id = lookup_table[:issues][evidence.issue_id]
|
122
120
|
|
123
|
-
|
124
|
-
"!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2.to_i], $3]
|
125
|
-
end
|
126
|
-
evidence.content = new_content
|
121
|
+
evidence.content = update_attachment_references(evidence.content)
|
127
122
|
|
128
123
|
raise "Couldn't save Evidence :issue_id / attachment URL Evidence ##{evidence.id}" unless validate_and_save(evidence)
|
129
124
|
|
@@ -141,7 +136,7 @@ module Dradis::Plugins::Projects::Upload::V1
|
|
141
136
|
def finalize_nodes
|
142
137
|
pending_changes[:orphan_nodes].each do |node|
|
143
138
|
logger.info { "Finding parent for orphaned node: #{node.label}. Former parent was #{node.parent_id}" }
|
144
|
-
node.parent_id = lookup_table[:nodes][node.parent_id
|
139
|
+
node.parent_id = lookup_table[:nodes][node.parent_id]
|
145
140
|
raise "Couldn't save node parent for Node ##{node.id}" unless validate_and_save(node)
|
146
141
|
end
|
147
142
|
end
|
@@ -153,7 +148,7 @@ module Dradis::Plugins::Projects::Upload::V1
|
|
153
148
|
logger.info { 'Processing Categories...' }
|
154
149
|
|
155
150
|
template.xpath('dradis-template/categories/category').each do |xml_category|
|
156
|
-
old_id = xml_category.at_xpath('id').text.strip
|
151
|
+
old_id = Integer(xml_category.at_xpath('id').text.strip)
|
157
152
|
name = xml_category.at_xpath('name').text.strip
|
158
153
|
category = nil
|
159
154
|
|
@@ -183,7 +178,7 @@ module Dradis::Plugins::Projects::Upload::V1
|
|
183
178
|
pending_changes[:attachment_notes] << issue
|
184
179
|
end
|
185
180
|
|
186
|
-
old_id = xml_issue.at_xpath('id').text.strip
|
181
|
+
old_id = Integer(xml_issue.at_xpath('id').text.strip)
|
187
182
|
lookup_table[:issues][old_id] = issue.id
|
188
183
|
logger.info{ "New issue detected: #{issue.title}" }
|
189
184
|
end
|
@@ -331,7 +326,7 @@ module Dradis::Plugins::Projects::Upload::V1
|
|
331
326
|
xml_node.xpath('notes/note').each do |xml_note|
|
332
327
|
|
333
328
|
if xml_note.at_xpath('author') != nil
|
334
|
-
old_id = xml_note.at_xpath('category-id').text.strip
|
329
|
+
old_id = Integer(xml_note.at_xpath('category-id').text.strip)
|
335
330
|
new_id = lookup_table[:categories][old_id]
|
336
331
|
|
337
332
|
created_at = xml_note.at_xpath('created-at')
|
@@ -375,7 +370,7 @@ module Dradis::Plugins::Projects::Upload::V1
|
|
375
370
|
logger.info { "New tag detected: #{name}" }
|
376
371
|
|
377
372
|
xml_tag.xpath('./taggings/tagging').each do |xml_tagging|
|
378
|
-
old_taggable_id = xml_tagging.at_xpath('taggable-id').text()
|
373
|
+
old_taggable_id = Integer(xml_tagging.at_xpath('taggable-id').text())
|
379
374
|
taggable_type = xml_tagging.at_xpath('taggable-type').text()
|
380
375
|
|
381
376
|
new_taggable_id = case taggable_type
|
@@ -399,6 +394,18 @@ module Dradis::Plugins::Projects::Upload::V1
|
|
399
394
|
end
|
400
395
|
end
|
401
396
|
|
397
|
+
def update_attachment_references(string)
|
398
|
+
string.gsub(ATTACHMENT_URL) do |attachment|
|
399
|
+
node_id = lookup_table[:nodes][$2.to_i]
|
400
|
+
if node_id
|
401
|
+
"!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, node_id, $3]
|
402
|
+
else
|
403
|
+
logger.error { "The attachment wasn't included in the package: #{attachment}" }
|
404
|
+
attachment
|
405
|
+
end
|
406
|
+
end
|
407
|
+
end
|
408
|
+
|
402
409
|
def user_id_for_email(email)
|
403
410
|
users[email] || @default_user_id
|
404
411
|
end
|
@@ -94,7 +94,7 @@ module Dradis::Plugins::Projects::Upload::V3
|
|
94
94
|
card = list.cards.create name: xml_card.at_xpath('name').text,
|
95
95
|
description: xml_card.at_xpath('description').text,
|
96
96
|
due_date: due_date,
|
97
|
-
previous_id: xml_card.at_xpath('previous_id').text
|
97
|
+
previous_id: xml_card.at_xpath('previous_id').text&.to_i
|
98
98
|
|
99
99
|
xml_card.xpath('activities/activity').each do |xml_activity|
|
100
100
|
raise "Couldn't create activity for Card ##{card.id}" unless create_activity(card, xml_activity)
|
@@ -106,7 +106,8 @@ module Dradis::Plugins::Projects::Upload::V3
|
|
106
106
|
|
107
107
|
raise "Couldn't create comments for Card ##{card.id}" unless create_comments(card, xml_card.xpath('comments/comment'))
|
108
108
|
|
109
|
-
|
109
|
+
xml_id = Integer(xml_card.at_xpath('id').text)
|
110
|
+
lookup_table[:cards][xml_id] = card.id
|
110
111
|
pending_changes[:cards] << card
|
111
112
|
end
|
112
113
|
|
@@ -143,9 +144,10 @@ module Dradis::Plugins::Projects::Upload::V3
|
|
143
144
|
|
144
145
|
xml_board.xpath('./list').each do |xml_list|
|
145
146
|
list = board.lists.create name: xml_list.at_xpath('name').text,
|
146
|
-
previous_id: xml_list.at_xpath('previous_id').text
|
147
|
+
previous_id: xml_list.at_xpath('previous_id').text&.to_i
|
148
|
+
xml_id = Integer(xml_list.at_xpath('id').text)
|
147
149
|
|
148
|
-
lookup_table[:lists][
|
150
|
+
lookup_table[:lists][xml_id] = list.id
|
149
151
|
pending_changes[:lists] << list
|
150
152
|
|
151
153
|
xml_list.xpath('./card').each do |xml_card|
|
@@ -0,0 +1,11 @@
|
|
1
|
+
<?xml version="1.0" encoding="UTF-8"?>
|
2
|
+
<dradis-template version="2">
|
3
|
+
<nodes><node><id>5</id><label>Uploaded files</label><parent-id/><position>0</position><properties><![CDATA[{}]]></properties><type-id>0</type-id><notes></notes><evidence></evidence><activities></activities></node></nodes>
|
4
|
+
<issues><issue><id>2</id><author>admin@securityroots.com</author><text><![CDATA[#[Title]#
|
5
|
+
Test Issue
|
6
|
+
|
7
|
+
#[Description]#
|
8
|
+
!/pro/projects/222/nodes/12345/attachments/hello.jpg!
|
9
|
+
|
10
|
+
]]></text><activities></activities><comments></comments></issue></issues>
|
11
|
+
</dradis-template>
|
@@ -48,4 +48,29 @@ describe Dradis::Plugins::Projects::Upload::V1::Template::Importer do
|
|
48
48
|
expect(importer.import(file: file_path)).to be false
|
49
49
|
end
|
50
50
|
end
|
51
|
+
|
52
|
+
context 'uploading a template with attachment but missing node' do
|
53
|
+
let(:file_path) do
|
54
|
+
File.join(File.dirname(__FILE__), '../../../../../../', 'fixtures', 'files', 'missing_node.xml')
|
55
|
+
end
|
56
|
+
|
57
|
+
it 'does not modify the attachment' do
|
58
|
+
logger = double('logger')
|
59
|
+
allow(logger).to receive_messages(debug: nil, error: nil, fatal: nil, info: nil)
|
60
|
+
expect(logger).to receive(:error).once
|
61
|
+
|
62
|
+
importer = importer_class::Importer.new(
|
63
|
+
default_user_id: user.id,
|
64
|
+
logger: logger,
|
65
|
+
plugin: importer_class,
|
66
|
+
project_id: project.id
|
67
|
+
)
|
68
|
+
|
69
|
+
importer.import(file: file_path)
|
70
|
+
|
71
|
+
expect(project.issues.first.text).to include(
|
72
|
+
"!/pro/projects/222/nodes/12345/attachments/hello.jpg!"
|
73
|
+
)
|
74
|
+
end
|
75
|
+
end
|
51
76
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dradis-projects
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.
|
4
|
+
version: 4.2.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Daniel Martin
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2022-02-14 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|
@@ -135,6 +135,7 @@ files:
|
|
135
135
|
- lib/tasks/thorfile.rb
|
136
136
|
- spec/fixtures/files/attachments_url.xml
|
137
137
|
- spec/fixtures/files/malformed_ids.xml
|
138
|
+
- spec/fixtures/files/missing_node.xml
|
138
139
|
- spec/fixtures/files/with_comments.xml
|
139
140
|
- spec/lib/dradis/plugins/projects/export/v2/template_spec.rb
|
140
141
|
- spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb
|
@@ -158,13 +159,14 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
158
159
|
- !ruby/object:Gem::Version
|
159
160
|
version: '0'
|
160
161
|
requirements: []
|
161
|
-
rubygems_version: 3.
|
162
|
+
rubygems_version: 3.1.4
|
162
163
|
signing_key:
|
163
164
|
specification_version: 4
|
164
165
|
summary: Project export/upload for the Dradis Framework.
|
165
166
|
test_files:
|
166
167
|
- spec/fixtures/files/attachments_url.xml
|
167
168
|
- spec/fixtures/files/malformed_ids.xml
|
169
|
+
- spec/fixtures/files/missing_node.xml
|
168
170
|
- spec/fixtures/files/with_comments.xml
|
169
171
|
- spec/lib/dradis/plugins/projects/export/v2/template_spec.rb
|
170
172
|
- spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb
|