dradis-projects 4.1.2.1 → 4.2.0

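--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 68ddaed8e020a33f06c7dd722bbb0502f7598a76eaf61a0f2c4a05716ebbf2be
-data.tar.gz: 66d06ddd0941b6eaa9ab7b1839af76620b2e764cf25ce0cc90778a91ecfe003b
+metadata.gz: a948d2f65162d64285169d7f6107ee635f18a16b2d3b7d48b7cc27cd3f1bbf0a
+data.tar.gz: 9bbffaebfc9dc1e2d7eddd85ec2182ee2fe621185ce03b67783c6113a078be43
 SHA512:
-metadata.gz: 7d3b899c0aa7a605c47fdc85d52baea5b966a94392f123a835495a14ae05ba8a6637e37a2dd74cfa76458b19f12a1013979afed7a191e1ea95c6ff5e1015ccb7
-data.tar.gz: 8d84010325dfadaa0d51ef0ae3e45e27d049bcd7ed0a0754d1c3c605b7598c2bbc78e3dc7306b600a09e5ad77a4c208c170aa27fcd4c9d2c44c00093afff5cb6
+metadata.gz: 0a1557060a75f871e08733097f109712ca2f0998180dd89c8a93b3f94dba4e054991d3b71ba8f6be616a17717070df2ffef363a78e5cb5d8c5faee4b26abb42a
+data.tar.gz: f4368d8b867ad79c931977866278e48db0833d50490030da00c67740732afa68ffaac0d24dd7f3439c66649680e40706a41cd7606a8a576ecc38cf71b6a072ca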
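--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,8 @@
+v4.2.0 (February 2022)
+- Bugs fixes:
+- Fix missing nodes for attachments during template and package imports
+- Fix missing parent nodes during template and package imports
+
 v4.1.2.1 (December 2021)
 - Security Fixes:
 - High: Authenticated author path traversal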
@@ -8,9 +8,9 @@ module Dradis
8
8
 
9
9
  module VERSION
10
10
  MAJOR = 4
11
- MINOR = 1
12
- TINY = 2
13
- PRE = 1
11
+ MINOR = 2
12
+ TINY = 0
13
+ PRE = nil
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
@@ -104,9 +104,7 @@ module Dradis::Plugins::Projects::Upload::V1
104
104
 
105
105
  logger.info { "Adjusting screenshot URLs: #{item.class.name} ##{item.id}" }
106
106
 
107
- new_text = item.send(text_attr).gsub(ATTACHMENT_URL) do |_|
108
- "!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2.to_i], $3]
109
- end
107
+ new_text = update_attachment_references(item.send(text_attr))
110
108
  item.send(text_attr.to_s + "=", new_text)
111
109
 
112
110
  raise "Couldn't save note attachment URL for #{item.class.name} ##{item.id}" unless validate_and_save(item)
@@ -118,12 +116,9 @@ module Dradis::Plugins::Projects::Upload::V1
118
116
  def finalize_evidence
119
117
  pending_changes[:evidence].each_with_index do |evidence, i|
120
118
  logger.info { "Setting issue_id for evidence" }
121
- evidence.issue_id = lookup_table[:issues][evidence.issue_id.to_s]
119
+ evidence.issue_id = lookup_table[:issues][evidence.issue_id]
122
120
 
123
- new_content = evidence.content.gsub(ATTACHMENT_URL) do |_|
124
- "!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2.to_i], $3]
125
- end
126
- evidence.content = new_content
121
+ evidence.content = update_attachment_references(evidence.content)
127
122
 
128
123
  raise "Couldn't save Evidence :issue_id / attachment URL Evidence ##{evidence.id}" unless validate_and_save(evidence)
129
124
 
@@ -141,7 +136,7 @@ module Dradis::Plugins::Projects::Upload::V1
141
136
  def finalize_nodes
142
137
  pending_changes[:orphan_nodes].each do |node|
143
138
  logger.info { "Finding parent for orphaned node: #{node.label}. Former parent was #{node.parent_id}" }
144
- node.parent_id = lookup_table[:nodes][node.parent_id.to_s]
139
+ node.parent_id = lookup_table[:nodes][node.parent_id]
145
140
  raise "Couldn't save node parent for Node ##{node.id}" unless validate_and_save(node)
146
141
  end
147
142
  end
@@ -153,7 +148,7 @@ module Dradis::Plugins::Projects::Upload::V1
153
148
  logger.info { 'Processing Categories...' }
154
149
 
155
150
  template.xpath('dradis-template/categories/category').each do |xml_category|
156
- old_id = xml_category.at_xpath('id').text.strip
151
+ old_id = Integer(xml_category.at_xpath('id').text.strip)
157
152
  name = xml_category.at_xpath('name').text.strip
158
153
  category = nil
159
154
 
@@ -183,7 +178,7 @@ module Dradis::Plugins::Projects::Upload::V1
183
178
  pending_changes[:attachment_notes] << issue
184
179
  end
185
180
 
186
- old_id = xml_issue.at_xpath('id').text.strip
181
+ old_id = Integer(xml_issue.at_xpath('id').text.strip)
187
182
  lookup_table[:issues][old_id] = issue.id
188
183
  logger.info{ "New issue detected: #{issue.title}" }
189
184
  end
@@ -331,7 +326,7 @@ module Dradis::Plugins::Projects::Upload::V1
331
326
  xml_node.xpath('notes/note').each do |xml_note|
332
327
 
333
328
  if xml_note.at_xpath('author') != nil
334
- old_id = xml_note.at_xpath('category-id').text.strip
329
+ old_id = Integer(xml_note.at_xpath('category-id').text.strip)
335
330
  new_id = lookup_table[:categories][old_id]
336
331
 
337
332
  created_at = xml_note.at_xpath('created-at')
@@ -375,7 +370,7 @@ module Dradis::Plugins::Projects::Upload::V1
375
370
  logger.info { "New tag detected: #{name}" }
376
371
 
377
372
  xml_tag.xpath('./taggings/tagging').each do |xml_tagging|
378
- old_taggable_id = xml_tagging.at_xpath('taggable-id').text()
373
+ old_taggable_id = Integer(xml_tagging.at_xpath('taggable-id').text())
379
374
  taggable_type = xml_tagging.at_xpath('taggable-type').text()
380
375
 
381
376
  new_taggable_id = case taggable_type
@@ -399,6 +394,18 @@ module Dradis::Plugins::Projects::Upload::V1
399
394
  end
400
395
  end
401
396
 
397
+ def update_attachment_references(string)
398
+ string.gsub(ATTACHMENT_URL) do |attachment|
399
+ node_id = lookup_table[:nodes][$2.to_i]
400
+ if node_id
401
+ "!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, node_id, $3]
402
+ else
403
+ logger.error { "The attachment wasn't included in the package: #{attachment}" }
404
+ attachment
405
+ end
406
+ end
407
+ end
408
+
402
409
  def user_id_for_email(email)
403
410
  users[email] || @default_user_id
404
411
  end
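Review bot: In the `@@ -141,7 +136,7 @@` hunk, `node.parent_id = lookup_table[:nodes][node.parent_id]` still assigns nil without a trace when the former parent is not in the package, so the node quietly becomes a root node (if a nil parent validates), whereas the new `update_attachment_references` helper logs the equivalent miss; `evidence.issue_id = lookup_table[:issues][evidence.issue_id]` in the `@@ -118,12 +116,9 @@` hunk has the same gap, where a miss only surfaces as the generic "Couldn't save Evidence" raise. I would make the miss visible before assigning: `new_parent_id = lookup_table[:nodes][node.parent_id]`, `logger.error { "Parent node ##{node.parent_id} is not in the package; Node ##{node.id} becomes a root node" } unless new_parent_id`, `node.parent_id = new_parent_id`, and the analogous three lines for evidence. Both lookups now rely on `node.parent_id` and `evidence.issue_id` already being Integers, since the keys are built with `Integer(...)` in the other hunks — presumably the integer columns cast them, but a one-line comment saying so would help, given that the previous `.to_s` keys show how easily the key type drifts. finalize_nodes is complete in its hunk; finalize_evidence continues past its hunk. The helper `update_attachment_references` (complete in the last hunk) also deserves a comment stating its contract: references whose node is not in the package are returned verbatim, so imported text can keep pointing at a node or project that does not exist here, and the error log line is the only record of that.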
@@ -94,7 +94,7 @@ module Dradis::Plugins::Projects::Upload::V3
94
94
  card = list.cards.create name: xml_card.at_xpath('name').text,
95
95
  description: xml_card.at_xpath('description').text,
96
96
  due_date: due_date,
97
- previous_id: xml_card.at_xpath('previous_id').text
97
+ previous_id: xml_card.at_xpath('previous_id').text&.to_i
98
98
 
99
99
  xml_card.xpath('activities/activity').each do |xml_activity|
100
100
  raise "Couldn't create activity for Card ##{card.id}" unless create_activity(card, xml_activity)
@@ -106,7 +106,8 @@ module Dradis::Plugins::Projects::Upload::V3
106
106
 
107
107
  raise "Couldn't create comments for Card ##{card.id}" unless create_comments(card, xml_card.xpath('comments/comment'))
108
108
 
109
- lookup_table[:cards][xml_card.at_xpath('id').text.to_i] = card.id
109
+ xml_id = Integer(xml_card.at_xpath('id').text)
110
+ lookup_table[:cards][xml_id] = card.id
110
111
  pending_changes[:cards] << card
111
112
  end
112
113
 
@@ -143,9 +144,10 @@ module Dradis::Plugins::Projects::Upload::V3
143
144
 
144
145
  xml_board.xpath('./list').each do |xml_list|
145
146
  list = board.lists.create name: xml_list.at_xpath('name').text,
146
- previous_id: xml_list.at_xpath('previous_id').text
147
+ previous_id: xml_list.at_xpath('previous_id').text&.to_i
148
+ xml_id = Integer(xml_list.at_xpath('id').text)
147
149
 
148
- lookup_table[:lists][xml_list.at_xpath('id').text.to_i] = list.id
150
+ lookup_table[:lists][xml_id] = list.id
149
151
  pending_changes[:lists] << list
150
152
 
151
153
  xml_list.xpath('./card').each do |xml_card|
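Review bot: The safe navigation in `previous_id: xml_card.at_xpath('previous_id').text&.to_i` (the `@@ -94,7 +94,7 @@` hunk) and its twin for lists in the `@@ -143,9 +144,10 @@` hunk guards the wrong link: `at_xpath` is the call that returns nil when the element is absent, and `.text` on nil raises before `&.to_i` is reached, while `.text` on a present Nokogiri element returns a String (empty for `<previous_id/>`), so `"".to_i` yields 0 rather than nil. If a missing or empty previous_id is meant to be nil, `previous_id: Integer(xml_card.at_xpath('previous_id')&.text, exception: false)` covers the absent element, the empty text and garbage in one line, and matches the `Integer(...)` style the same hunks use for ids (needs Ruby 2.6+ for `exception:`); if 0 is intended, drop the `&.` so the intent is not misleading. Both enclosing methods start outside their hunks.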
@@ -0,0 +1,11 @@
1
+ <?xml version="1.0" encoding="UTF-8"?>
2
+ <dradis-template version="2">
3
+ <nodes><node><id>5</id><label>Uploaded files</label><parent-id/><position>0</position><properties><![CDATA[{}]]></properties><type-id>0</type-id><notes></notes><evidence></evidence><activities></activities></node></nodes>
4
+ <issues><issue><id>2</id><author>admin@securityroots.com</author><text><![CDATA[#[Title]#
5
+ Test Issue
6
+
7
+ #[Description]#
8
+ !/pro/projects/222/nodes/12345/attachments/hello.jpg!
9
+
10
+ ]]></text><activities></activities><comments></comments></issue></issues>
11
+ </dradis-template>
@@ -48,4 +48,29 @@ describe Dradis::Plugins::Projects::Upload::V1::Template::Importer do
48
48
  expect(importer.import(file: file_path)).to be false
49
49
  end
50
50
  end
51
+
52
+ context 'uploading a template with attachment but missing node' do
53
+ let(:file_path) do
54
+ File.join(File.dirname(__FILE__), '../../../../../../', 'fixtures', 'files', 'missing_node.xml')
55
+ end
56
+
57
+ it 'does not modify the attachment' do
58
+ logger = double('logger')
59
+ allow(logger).to receive_messages(debug: nil, error: nil, fatal: nil, info: nil)
60
+ expect(logger).to receive(:error).once
61
+
62
+ importer = importer_class::Importer.new(
63
+ default_user_id: user.id,
64
+ logger: logger,
65
+ plugin: importer_class,
66
+ project_id: project.id
67
+ )
68
+
69
+ importer.import(file: file_path)
70
+
71
+ expect(project.issues.first.text).to include(
72
+ "!/pro/projects/222/nodes/12345/attachments/hello.jpg!"
73
+ )
74
+ end
75
+ end
51
76
  end
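Review bot: The new example never asserts that the import succeeded: `importer.import(file: file_path)` discards the return value, so if the importer bailed out (as the `be false` example at the top of this hunk shows it can) the test would fail only later with a NoMethodError on `project.issues.first`, and `expect(logger).to receive(:error).once` could be satisfied by an unrelated error. I would write `expect(importer.import(file: file_path)).to be_truthy` (assuming success returns a truthy value, which the `be false` assertion for the failure path suggests) and consider checking that the logged error names the unresolved reference, so the example pins the behaviour it is named for. The enclosing `describe` block starts outside the hunk.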
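--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-projects
 version: !ruby/object:Gem::Version
-version: 4.1.2.1
+version: 4.2.0
 platform: ruby
 authors:
 - Daniel Martin
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-12-22 00:00:00.000000000 Z
+date: 2022-02-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -135,6 +135,7 @@ files:
 - lib/tasks/thorfile.rb
 - spec/fixtures/files/attachments_url.xml
 - spec/fixtures/files/malformed_ids.xml
+- spec/fixtures/files/missing_node.xml
 - spec/fixtures/files/with_comments.xml
 - spec/lib/dradis/plugins/projects/export/v2/template_spec.rb
 - spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb
@@ -158,13 +159,14 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.2.28
+rubygems_version: 3.1.4
 signing_key:
 specification_version: 4
 summary: Project export/upload for the Dradis Framework.
 test_files:
 - spec/fixtures/files/attachments_url.xml
 - spec/fixtures/files/malformed_ids.xml
+- spec/fixtures/files/missing_node.xml
 - spec/fixtures/files/with_comments.xml
 - spec/lib/dradis/plugins/projects/export/v2/template_spec.rb
 - spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb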