solidus_backend 1.2.0 → 1.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: efdeca518bb3d26ba1e31ff07f84ca9d4ede7a2e
-  data.tar.gz: 0d269d24b4a5c39ac7f1c432a4e2175f20f6ac71
+  metadata.gz: 87c62b3326ebc0d631669e3dc6d60879fe2a11b3
+  data.tar.gz: 246d61ab89e432641d5616cfe179f2eddc866707
 SHA512:
-  metadata.gz: 6e90d731e9767b81704f964c19e544a88adb6267a9ad40d1e53808b3b99d7448768bfb64312d533eef18edc6b98e3713f4f144089d95839937fd537ac9b6cf54
-  data.tar.gz: 4b24fe70e865c1abd391834370c01241f4e1f79cecef31b5d5b9db6ed93c77debe2253e4432410b58088d9e3827f18ea00362587424a32c40023b8adc22b899a
+  metadata.gz: 11ab1253fe0a288fe11bd7f308e209fb303496e005b49d60427e07e78ed8eca9d974a60a2c7294504d7f6ef254a583fbe2319daaaffcd3284b8d5dde844371be
+  data.tar.gz: 4af71715d6cea8635f07f798c005fce1fffa8d296742567cf48665423271c70147d312a1d81a490f41384e78bbac49d98d66b3e60ffa36abb87e3e98ad88636f

data/app/assets/javascripts/spree/backend/checkouts/edit.js

@@ -24,7 +24,7 @@ $(document).ready(function() {
           }
         },
         results: function(data, page) {
-          return { results: data }
+          return { results: data.users }
         }
       },
       dropdownCssClass: 'customer_search',
@@ -52,7 +52,7 @@ $(document).ready(function() {
             });
           });
         }
-        return customer.email;
+        return Select2.util.escapeMarkup(customer.email);
       }
     })
   }

data/app/assets/javascripts/spree/backend/option_type_autocomplete.js.erb

@@ -1,6 +1,10 @@
 $(document).ready(function () {
   'use strict';
 
+  function formatOptionType(option_type) {
+    return Select2.util.escapeMarkup(option_type.presentation + ' (' + option_type.name + ')');
+  }
+
   if ($('#product_option_type_ids').length > 0) {
     $('#product_option_type_ids').select2({
       placeholder: Spree.translations.option_type_placeholder,
@@ -31,12 +35,8 @@ $(document).ready(function () {
           };
         }
       },
-      formatResult: function (option_type) {
-        return option_type.presentation + ' (' + option_type.name + ')';
-      },
-      formatSelection: function (option_type) {
-        return option_type.presentation + ' (' + option_type.name + ')';
-      }
+      formatResult: formatOptionType,
+      formatSelection: formatOptionType
     });
   }
 });

data/app/assets/javascripts/spree/backend/option_value_picker.js

@@ -6,6 +6,10 @@ $.fn.optionValueAutocomplete = function (options) {
   var multiple = typeof(options['multiple']) !== 'undefined' ? options['multiple'] : true;
   var productSelect = options['productSelect'];
 
+  function formatOptionValue(option_value) {
+    return Select2.util.escapeMarkup(option_value.name);
+  }
+
   this.select2({
     minimumInputLength: 3,
     multiple: multiple,
@@ -33,11 +37,7 @@ $.fn.optionValueAutocomplete = function (options) {
         return { results: data };
       }
     },
-    formatResult: function (option_value) {
-      return option_value.name;
-    },
-    formatSelection: function (option_value) {
-      return option_value.name;
-    }
+    formatResult: formatOptionValue,
+    formatSelection: formatOptionValue
   });
 };

data/app/assets/javascripts/spree/backend/product_picker.js

@@ -5,6 +5,10 @@ $.fn.productAutocomplete = function (options) {
   options = options || {}
   var multiple = typeof(options['multiple']) !== 'undefined' ? options['multiple'] : true
 
+  function formatProduct(product) {
+    return Select2.util.escapeMarkup(product.name);
+  }
+
   this.select2({
     minimumInputLength: 3,
     multiple: multiple,
@@ -39,12 +43,8 @@ $.fn.productAutocomplete = function (options) {
         };
       }
     },
-    formatResult: function (product) {
-      return product.name;
-    },
-    formatSelection: function (product) {
-      return product.name;
-    }
+    formatResult: formatProduct,
+    formatSelection: formatProduct
   });
 };
 

data/app/assets/javascripts/spree/backend/stock_movement.js.coffee

@@ -17,5 +17,5 @@ jQuery ->
           return { results: data.stock_items, more: more }
       formatResult: (stock_item) ->
         variantTemplate({ variant: stock_item.variant })
-      formatSelection: (stock_item) ->
-        "#{stock_item.variant.name} (#{stock_item.variant.options_text})"
+      formatSelection: (stock_item, container, excapeMarkup) ->
+        Select2.util.escapeMarkup("#{stock_item.variant.name} (#{stock_item.variant.options_text})")

data/app/assets/javascripts/spree/backend/taxon_autocomplete.js.erb

@@ -1,6 +1,10 @@
 'use strict';
 
 var set_taxon_select = function(){
+  function formatTaxon(taxon) {
+    return Select2.util.escapeMarkup(taxon.pretty_name);
+  }
+
   if ($('#product_taxon_ids').length > 0) {
     $('#product_taxon_ids').select2({
       placeholder: Spree.translations.taxon_placeholder,
@@ -37,12 +41,8 @@ var set_taxon_select = function(){
           };
         }
       },
-      formatResult: function (taxon) {
-        return taxon.pretty_name;
-      },
-      formatSelection: function (taxon) {
-        return taxon.pretty_name;
-      }
+      formatResult: formatTaxon,
+      formatSelection: formatTaxon
     });
   }
 }

data/app/assets/javascripts/spree/backend/taxons.js.coffee

@@ -45,6 +45,9 @@ $ ->
     sortable.trigger('sortupdate', item: draggable)
   , 250
 
+  formatTaxon = (taxon) ->
+    Select2.util.escapeMarkup(taxon.pretty_name)
+
   $('#taxon_id').select2
     dropdownCssClass: "taxon_select_box",
     placeholder: Spree.translations.find_a_taxon,
@@ -59,10 +62,8 @@ $ ->
       results: (data) ->
         results: data['taxons'],
         more: data.current_page < data.pages
-    formatResult: (taxon) ->
-      taxon.pretty_name
-    formatSelection: (taxon) ->
-      taxon.pretty_name
+    formatResult: formatTaxon,
+    formatSelection: formatTaxon
 
   $('#taxon_id').on "change", (e) ->
     Spree.ajax

data/app/assets/javascripts/spree/backend/user_picker.js

@@ -1,6 +1,10 @@
 $.fn.userAutocomplete = function () {
   'use strict';
 
+  function formatUser(user) {
+    return Select2.util.escapeMarkup(user.email);
+  }
+
   this.select2({
     minimumInputLength: 1,
     multiple: true,
@@ -8,7 +12,7 @@ $.fn.userAutocomplete = function () {
       $.get(Spree.routes.user_search, {
         ids: element.val()
       }, function (data) {
-        callback(data);
+        callback(data.users);
       });
     },
     ajax: {
@@ -23,16 +27,12 @@ $.fn.userAutocomplete = function () {
       },
       results: function (data) {
         return {
-          results: data
+          results: data.users
         };
       }
     },
-    formatResult: function (user) {
-      return user.email;
-    },
-    formatSelection: function (user) {
-      return user.email;
-    }
+    formatResult: formatUser,
+    formatSelection: formatUser
   });
 };
 

data/app/assets/javascripts/spree/backend/variant_autocomplete.js.coffee.erb

@@ -33,8 +33,8 @@ $.fn.variantAutocomplete = (searchOptions = {}) ->
         results: data["variants"]
 
     formatResult: formatVariantResult
-    formatSelection: (variant) ->
+    formatSelection: (variant, container, escapeMarkup) ->
       if !!variant.options_text
-        variant.name + " (#{variant.options_text})"
+        Select2.util.escapeMarkup("#{variant.name} (#{variant.options_text}")
       else
-        variant.name
+        Select2.util.escapeMarkup(variant.name)

data/app/helpers/spree/admin/adjustments_helper.rb

@@ -26,11 +26,15 @@ module Spree
         parts << variant.product.name
         parts << "(#{variant.options_text})" if variant.options_text.present?
         parts << line_item.display_total
-        parts.join("<br>").html_safe
+        safe_join(parts, "<br />".html_safe)
       end
 
       def display_shipment(shipment)
-        "#{Spree.t(:shipment)} ##{shipment.number}<br>#{shipment.display_cost}".html_safe
+        parts = [
+          "#{Spree.t(:shipment)} ##{shipment.number}",
+          shipment.display_cost
+        ]
+        safe_join(parts, "<br />".html_safe)
       end
 
       def display_order(order)

data/app/helpers/spree/admin/base_helper.rb

@@ -15,8 +15,8 @@ module Spree
         obj = object.respond_to?(:errors) ? object : instance_variable_get("@#{object}")
 
         if obj && obj.errors[method].present?
-          errors = obj.errors[method].map { |err| h(err) }.join('<br />').html_safe
-          content_tag(:span, errors, :class => 'formError')
+          errors = safe_join(obj.errors[method], "<br />".html_safe)
+          content_tag(:span, errors, class: 'formError')
         else
           ''
         end
@@ -132,12 +132,11 @@ module Spree
 
       def preference_fields(object, form)
         return unless object.respond_to?(:preferences)
-        object.preferences.keys.map{ |key|
-
+        fields = object.preferences.keys.map { |key|
           form.label("preferred_#{key}", Spree.t(key) + ": ") +
-            preference_field_for(form, "preferred_#{key}", :type => object.preference_type(key))
-
-        }.join("<br />").html_safe
+            preference_field_for(form, "preferred_#{key}", type: object.preference_type(key))
+        }
+        safe_join(fields, "<br />".html_safe)
       end
 
       def link_to_add_fields(name, target, options = {})

data/app/helpers/spree/admin/navigation_helper.rb

@@ -74,7 +74,7 @@ module Spree
         options[:class] = (options[:class].to_s + " fa fa-#{icon_name} icon_link with-tip").strip
         options[:class] += ' no-text' if options[:no_text]
         options[:title] = text if options[:no_text]
-        text = options[:no_text] ? '' : raw("<span class='text'>#{text}</span>")
+        text = options[:no_text] ? '' : content_tag(:span, text, class: 'text')
         options.delete(:no_text)
         link_to(text, url, options)
       end
@@ -108,16 +108,10 @@ module Spree
           if html_options[:icon]
             html_options[:class] += " fa fa-#{html_options[:icon]}"
           end
-          link_to(text_for_button_link(text, html_options), url, html_options)
+          link_to(text, url, html_options)
         end
       end
 
-      def text_for_button_link(text, html_options)
-        s = ''
-        s << text
-        raw(s)
-      end
-
       def configurations_menu_item(link_text, url, description = '')
         %(<tr>
           <td>#{link_to(link_text, url)}</td>

data/app/helpers/spree/admin/orders_helper.rb

@@ -12,7 +12,7 @@ module Spree
                                     :data => { :confirm => Spree.t(:order_sure_want_to, :event => Spree.t(event)) })
           end
         end
-        links.join(' ').html_safe
+        safe_join(links, ' '.html_safe)
       end
 
       def line_item_shipment_price(line_item, quantity)

data/app/helpers/spree/admin/products_helper.rb

@@ -9,7 +9,8 @@ module Spree
                       :selected => ('selected' if selected)) do
             (taxon.ancestors.pluck(:name) + [taxon.name]).join(" -> ")
           end
-        end.join("").html_safe
+        end
+        safe_join(options)
       end
 
       def option_types_options_for(product)
@@ -20,7 +21,8 @@ module Spree
                       :selected => ('selected' if selected)) do
             option_type.name
           end
-        end.join("").html_safe
+        end
+        safe_join(options)
       end
     end
   end

data/app/helpers/spree/admin/stock_movements_helper.rb

@@ -15,9 +15,9 @@ module Spree
 
       def display_variant(stock_movement)
         variant = stock_movement.stock_item.variant
-        output = variant.name
-        output += "<br>(#{variant.options_text})" unless variant.options_text.blank?
-        output.html_safe
+        output = [variant.name]
+        output << variant.options_text unless variant.options_text.blank?
+        safe_join(output, "<br />".html_safe)
       end
     end
   end

data/app/views/spree/admin/search/users.rabl

@@ -1,4 +1,4 @@
-collection(@users)
+collection(@users => :users)
 attributes :email, :id
 address_fields = [:firstname, :lastname,
                   :address1, :address2,

data/config/initializers/assets.rb

@@ -1 +1 @@
-Rails.application.config.assets.precompile += %w( jquery-ui/* )
+Rails.application.config.assets.precompile += %w( jquery-ui/* solidus-style-guide-logo.png )

data/spec/features/admin/orders/new_order_spec.rb

@@ -172,6 +172,18 @@ describe "New Order", :type => :feature do
     end
   end
 
+  context "customer with attempted XSS", js: true do
+    let(:xss_string) { %(<script>throw("XSS")</script>) }
+    before do
+      user.update!(email: xss_string)
+    end
+    it "displays the user's email escaped without executing" do
+      click_on "Customer Details"
+      targetted_select2_search user.email, from: "#s2id_customer_search"
+      expect(page).to have_field("Email", with: xss_string)
+    end
+  end
+
   def fill_in_address(kind = "bill")
     fill_in "First Name",                with: "John 99"
     fill_in "Last Name",                 with: "Doe"

data/spec/features/admin/products/edit/taxons_spec.rb

@@ -3,7 +3,7 @@ require 'spec_helper'
 describe "Product Taxons", :type => :feature do
   stub_authorization!
 
-  context "managing taxons" do
+  context "managing taxons", js: true do
     def assert_selected_taxons(taxons)
       # Regression test for https://github.com/spree/spree/issues/2139
       taxons.each do |taxon|
@@ -14,10 +14,11 @@ describe "Product Taxons", :type => :feature do
       expect(page).to have_xpath("//*[@id = 'product_taxon_ids' and @value = '#{expected_value}']", visible: :all)
     end
 
-    it "should allow an admin to manage taxons", :js => true do
+    let(:product) { create(:product) }
+
+    it "should allow an admin to manage taxons" do
       taxon_1 = create(:taxon)
-      taxon_2 = create(:taxon, :name => 'Clothing')
-      product = create(:product)
+      taxon_2 = create(:taxon, name: 'Clothing')
       product.taxons << taxon_1
 
       visit spree.edit_admin_product_path(product)
@@ -28,5 +29,17 @@ describe "Product Taxons", :type => :feature do
       click_button "Update"
       assert_selected_taxons([taxon_1, taxon_2])
     end
+
+    context "with an XSS attempt" do
+      let(:taxon_name) { %(<script>throw("XSS")</script>) }
+      let!(:taxon) { create(:taxon, name: taxon_name) }
+      it "displays the escaped HTML without executing it" do
+        visit spree.edit_admin_product_path(product)
+
+        select2_search "<script>", from: "Taxons"
+
+        expect(page).to have_content(taxon_name)
+      end
+    end
   end
 end

data/spec/features/admin/promotions/option_value_rule_spec.rb

@@ -36,6 +36,26 @@ feature 'Promotion with option value rule' do
     expect(first_rule.preferred_eligible_values).to eq Hash[product.id => [option_value.id]]
   end
 
+  context "with an attempted XSS" do
+    let(:xss_string) { %(<script>throw("XSS")</script>) }
+    before do
+      option_value.update!(name: xss_string)
+    end
+    scenario "adding an option value rule", js: true do
+      select2 "Option Value(s)", from: "Add rule of type"
+      within("#rules_container") { click_button "Add" }
+
+      within("#rules_container .promotion-block") do
+        click_button "Add"
+      end
+
+      within('.promo-rule-option-value') do
+        targetted_select2_search product.name, from: '.js-promo-rule-option-value-product-select'
+        targetted_select2_search option_value.name, from: '.js-promo-rule-option-value-option-values-select'
+      end
+    end
+  end
+
   context "with an existing option value rule" do
     given(:variant1) { create :variant }
     given(:variant2) { create :variant }

data/spec/features/admin/promotions/user_rule_spec.rb

@@ -0,0 +1,25 @@
+require 'spec_helper'
+
+feature 'Promotion with user rule', js: true do
+  stub_authorization!
+
+  given(:promotion) { create :promotion }
+
+  background do
+    visit spree.edit_admin_promotion_path(promotion)
+  end
+
+  context "with an attempted XSS" do
+    let(:xss_string) { %(<script>throw("XSS")</script>) }
+    given!(:user) { create(:user, email: xss_string) }
+
+    scenario "adding an option value rule" do
+      select2 "User", from: "Add rule of type"
+      within("#rules_container") { click_button "Add" }
+
+      select2_search "<script>", from: "Choose users"
+
+      expect(page).to have_content(xss_string)
+    end
+  end
+end

data/spec/features/admin/style_guide_spec.rb

@@ -0,0 +1,12 @@
+require 'spec_helper'
+
+describe "Style guide", type: :feature do
+  stub_authorization!
+
+  it "should render successfully" do
+    visit "/admin/style_guide"
+
+    # Somewhere in a style guide you'd expect to talk about colors
+    expect(page).to have_text "Colors"
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: solidus_backend
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.2.1
 platform: ruby
 authors:
 - Solidus Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-01-26 00:00:00.000000000 Z
+date: 2016-02-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: solidus_api
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: 1.2.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: 1.2.1
 - !ruby/object:Gem::Dependency
   name: solidus_core
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: 1.2.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: 1.2.1
 - !ruby/object:Gem::Dependency
   name: bourbon
   requirement: !ruby/object:Gem::Requirement
@@ -692,9 +692,11 @@ files:
 - spec/features/admin/promotion_adjustments_spec.rb
 - spec/features/admin/promotions/option_value_rule_spec.rb
 - spec/features/admin/promotions/tiered_calculator_spec.rb
+- spec/features/admin/promotions/user_rule_spec.rb
 - spec/features/admin/reports_spec.rb
 - spec/features/admin/stock_transfer_spec.rb
 - spec/features/admin/store_credits_spec.rb
+- spec/features/admin/style_guide_spec.rb
 - spec/features/admin/taxons_spec.rb
 - spec/features/admin/users_spec.rb
 - spec/helpers/admin/base_helper_spec.rb