hyrax 2.5.0 → 2.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 07d676d225e5f0e4dcf90474785b25b46ba44433088bd4f939b30ac893018907
-  data.tar.gz: '098e92006e2286deb06fe494b56a725051f25076906887842c922706a6502ea2'
+  metadata.gz: 52ca5db4f8ce55b87305b9bfbbbe4bfc7464958f5070e3cb4911f04feed87352
+  data.tar.gz: 4f9977600707f112927aed03cc8f985f7b125ca04d13344a3effb66350755ca2
 SHA512:
-  metadata.gz: 4f2d39f2437e74fa39d13c35e30a931822b61aca590a0fdabd4136df2b5af8ac1a4110398c33cb7f60b5a595dae4cabc55d002d64520625fab99ef2301485dfe
-  data.tar.gz: b2d0d871115bd3c2ba06265f59a47906511b69be05fba5152444bb0e01a9b07ed3df586e622bd91b176b9ee8b805e48a0107e394f178a93db4b69aa9ef7066be
+  metadata.gz: ea378dc6fb860157cf4330ed9d82d915123c89da7db61b44412fe44fc18da317806ad0716d08fec07d8b98cec963531607b828a6fab1a771a0576e2d8e649e52
+  data.tar.gz: 304be0cc47238943179bd32d1d843c7a7a7413c4daf4bcc58d9cdba5fcdb7a024e5cb4e7f55b4656872c4f352a36533b5f6d05b21cb6441ce1cdc084c9838d5c

data/README.md

@@ -1,7 +1,6 @@
 ![Logo](https://raw.githubusercontent.com/samvera/hyrax/gh-pages/assets/images/hyrax_logo_horizontal_white_background.png)
 
 Code: [![Version](https://badge.fury.io/rb/hyrax.png)](http://badge.fury.io/rb/hyrax)
-[![Build Status](https://travis-ci.org/samvera/hyrax.png?branch=master)](https://travis-ci.org/samvera/hyrax)
 [![CircleCI](https://circleci.com/gh/samvera/hyrax.svg?style=svg)](https://circleci.com/gh/samvera/hyrax)
 [![Coverage Status](https://coveralls.io/repos/github/samvera/hyrax/badge.svg?branch=master)](https://coveralls.io/github/samvera/hyrax?branch=master)
 [![Code Climate](https://codeclimate.com/github/samvera/hyrax/badges/gpa.svg)](https://codeclimate.com/github/samvera/hyrax)
@@ -163,7 +162,7 @@ NOTE: The steps need to be done in order to create a new Hyrax based app.
 Generate a new Rails application using the template.
 
 ```
-rails _5.1.6_ new my_app -m https://raw.githubusercontent.com/samvera/hyrax/v2.5.0/template.rb
+rails _5.1.6_ new my_app -m https://raw.githubusercontent.com/samvera/hyrax/v2.5.1/template.rb
 ```
 
 Generating a new Rails application using Hyrax's template above takes cares of a number of steps for you, including:
@@ -326,7 +325,7 @@ If you'd like to help the development effort and you're not sure where to get st
 
 # Development
 
-The [Hyrax Development Guide](https://github.com/samvera/hyrax/wiki/Hyrax-Development-Guide) is for people who want to modify Hyrax itself, not an application that uses Hyrax.
+The [Hyrax Development Guide](https://github.com/samvera/hyrax/wiki/Hyrax-Development-Guide) is for people who want to modify Hyrax itself, not an application that uses Hyrax. See especially the [Quick Start](https://github.com/samvera/hyrax/wiki/Hyrax-Development-Guide#quick-start-for-hyrax-development) guide and instructions for running the [Hyrax test suite](https://github.com/samvera/hyrax/wiki/Hyrax-Development-Guide#run-the-test-suite).
 
 ## Reporting Security Issues
 

data/app/controllers/hyrax/dashboard/collections_controller.rb

@@ -279,10 +279,10 @@ module Hyrax
           public_files = []
           uploaded_file_ids.each_with_index do |ufi, i|
             if ufi.include?('public')
-              update_logo_info(ufi, params["alttext"][i], params["linkurl"][i])
+              update_logo_info(ufi, params["alttext"][i], verify_linkurl(params["linkurl"][i]))
               public_files << ufi
             else # brand new one, insert in the database
-              logo_info = create_logo_info(ufi, params["alttext"][i], params["linkurl"][i])
+              logo_info = create_logo_info(ufi, params["alttext"][i], verify_linkurl(params["linkurl"][i]))
               public_files << logo_info.local_path
             end
           end
@@ -458,6 +458,17 @@ module Hyrax
         def params_for_query
           params.merge(q: params[:cq])
         end
+
+        # Only accept HTTP|HTTPS urls;
+        # @return <String> the url
+        def verify_linkurl(linkurl)
+          url = Loofah.scrub_fragment(linkurl, :prune).to_s
+          url if valid_url?(url)
+        end
+
+        def valid_url?(url)
+          (url =~ URI.regexp(['http', 'https']))
+        end
     end
   end
 end

data/lib/hyrax/version.rb

@@ -1,3 +1,3 @@
 module Hyrax
-  VERSION = '2.5.0'.freeze
+  VERSION = '2.5.1'.freeze
 end

data/spec/controllers/hyrax/dashboard/collections_controller_spec.rb

@@ -82,7 +82,7 @@ RSpec.describe Hyrax::Dashboard::CollectionsController, :clean_repo do
         }
 
         expect(assigns[:collection].member_objects).to eq [asset1]
-        asset_results = ActiveFedora::SolrService.instance.conn.get "select", params: { fq: ["id:\"#{asset1.id}\""], fl: ['id', Solrizer.solr_name(:collection)] }
+        asset_results = ActiveFedora::SolrService.instance.conn.get "select", params: { fq: ["id:\"#{asset1.id}\""], fl: ['id', ActiveFedora.index_field_mapper.solr_name(:collection)] }
         expect(asset_results["response"]["numFound"]).to eq 1
         doc = asset_results["response"]["docs"].first
         expect(doc["id"]).to eq asset1.id
@@ -294,6 +294,49 @@ RSpec.describe Hyrax::Dashboard::CollectionsController, :clean_repo do
 
         expect(CollectionBrandingInfo.where(collection_id: collection.id, role: "logo", alt_text: "Logo alt Text", target_url: "http://abc.com").where("local_path LIKE '%logo.gif'")).to exist
       end
+
+      context 'where the linkurl is not a valid http|http link' do
+        it "does not save linkurl containing html; target_url is empty" do
+          val = double(["/public/logo.gif"])
+          allow(val).to receive(:file_url).and_return("/public/logo.gif")
+          allow(Hyrax::UploadedFile).to receive(:find).with("1").and_return(val)
+
+          allow(File).to receive(:split).with(any_args).and_return(["logo.gif"])
+          allow(FileUtils).to receive(:cp).with(any_args).and_return(nil)
+
+          put :update, params: { id: collection, logo_files: [1], alttext: ["Logo alt Text"], linkurl: ["<script>remove_me</script>"], collection: { creator: ['Emily'] }, update_collection: true }
+          collection.reload
+
+          expect(
+            CollectionBrandingInfo.where(
+              collection_id: collection.id,
+              role: "logo",
+              alt_text: "Logo alt Text",
+              target_url: "<script>remove_me</script>"
+            ).where("target_url LIKE '%remove_me%)'")
+          ).not_to exist
+        end
+
+        it "does not save linkurl containing dodgy protocol; target_url is empty" do
+          val = double(["/public/logo.gif"])
+          allow(val).to receive(:file_url).and_return("/public/logo.gif")
+          allow(Hyrax::UploadedFile).to receive(:find).with("1").and_return(val)
+
+          allow(File).to receive(:split).with(any_args).and_return(["logo.gif"])
+          allow(FileUtils).to receive(:cp).with(any_args).and_return(nil)
+
+          put :update, params: { id: collection, logo_files: [1], alttext: ["Logo alt Text"], linkurl: ['javascript:alert("remove_me")'], collection: { creator: ['Emily'] }, update_collection: true }
+          collection.reload
+          expect(
+            CollectionBrandingInfo.where(
+              collection_id: collection.id,
+              role: "logo",
+              alt_text: "Logo alt Text",
+              target_url: 'javascript:alert("remove_me")'
+            ).where("target_url LIKE '%remove_me%)'")
+          ).not_to exist
+        end
+      end
     end
   end
 

data/template.rb

@@ -1,6 +1,6 @@
 # Hack for https://github.com/rails/rails/issues/35153
 gsub_file 'Gemfile', /^gem ["']sqlite3["']$/, 'gem "sqlite3", "~> 1.3.0"'
-gem 'hyrax', '2.5.0'
+gem 'hyrax', '2.5.1'
 run 'bundle install'
 generate 'hyrax:install', '-f'
 rails_command 'db:migrate'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hyrax
 version: !ruby/object:Gem::Version
-  version: 2.5.0
+  version: 2.5.1
 platform: ruby
 authors:
 - Justin Coyne
@@ -14,7 +14,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-03-18 00:00:00.000000000 Z
+date: 2019-05-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -1100,7 +1100,6 @@ files:
 - ".rubocop.yml"
 - ".rubocop_fixme.yml"
 - ".scss-lint.yml"
-- ".travis.yml"
 - CODE_OF_CONDUCT.md
 - Gemfile
 - LICENSE
@@ -3079,8 +3078,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.9
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Hyrax is a front-end based on the robust Samvera framework, providing a user

data/.travis.yml

@@ -1,36 +0,0 @@
-language: ruby
-sudo: required
-dist: trusty
-
-addons:
-  apt:
-    packages:
-      - chromium-chromedriver
-cache:
-  bundler: true
-
-before_install:
-  - gem update --system
-  - gem install bundler
-  - google-chrome-stable --headless --disable-gpu --no-sandbox --remote-debugging-port=9222 http://localhost &
-
-rvm:
-  - 2.5.0
-
-env:
-  global:
-    - NOKOGIRI_USE_SYSTEM_LIBRARIES=true
-    - ENGINE_CART_RAILS_OPTIONS='--skip-git --skip-bundle --skip-listen --skip-spring --skip-yarn --skip-keeps --skip-action-cable --skip-coffee --skip-puma --skip-test'
-  # Travis should check every minor version in a range of supported versions, because
-  # rails does not follow sem-ver conventions, see http://guides.rubyonrails.org/maintenance_policy.html
-  # It should be sufficient to test only the latest of the patch versions for a minor version, they
-  # should be compatible across patch versions (only bug fixes are released in patch versions).
-  matrix:
-    - "RAILS_VERSION=5.1.4"
-    - "RAILS_VERSION=5.0.6"
-
-services:
-  - redis-server
-before_script:
-  - jdk_switcher use oraclejdk8
-  - ln -s /usr/lib/chromium-browser/chromedriver ~/bin/chromedriver