Merge branch 'devel_11.0.x'

CHANGELOG

@@ -3,6 +3,22 @@ minerva (12.0.0) stable; urgency=medium
 
  -- Piotr Gawron <piotr.gawron@uni.lu>  Thu, 14 Dec 2017 16:00:00 +0200
 
+minerva (11.0.8) stable; urgency=medium
+  * Bug fix: XSS vulnerability
+  * Bug fix: "java.lang.IllegalStateException: getWriter()" exceptions
+    in logs
+  * Bug fix: crash for uploading and caching chemical data
+  * Bug fix: disappearing tiles in submodels
+  * Bug fix: max number of results is properly taken from configuration
+  * Bug fix: overlay cannot be hidden before process of fetching data
+    during opening is finished
+  * Bug fix: redirection to login page when session expired and access to
+    export page is requested
+  * Bug fix: sometimes overlays couldn't be hidden in submaps
+  * Bug fix: comments on submaps are visualized properly
+
+ -- Piotr Gawron <piotr.gawron@uni.lu>  Mon, 05 Feb 2018 18:00:00 +0200
+
 minerva (11.0.7) stable; urgency=medium
   * Bug fix: redirection added when anonymous tries to access secured map
   * Bug fix: loading time of custom overlays is reduced

annotation/src/main/java/lcsb/mapviewer/annotation/data/Chemical.java

@@ -291,13 +291,17 @@ public class Chemical implements Serializable, TargettingStructure {
 
 	}
 
-	@Override
-	public Collection<MiriamData> getSources() {
-		List<MiriamData> sources = new ArrayList<>();
-		sources.add(getCasID());
-		sources.add(getChemicalId());
-		return sources;
-	}
+  @Override
+  public Collection<MiriamData> getSources() {
+    List<MiriamData> sources = new ArrayList<>();
+    if (getCasID() != null) {
+      sources.add(getCasID());
+    }
+    if (getChemicalId() != null) {
+      sources.add(getChemicalId());
+    }
+    return sources;
+  }
 
 	@Override
 	public Collection<Target> getTargets() {

frontend-js/package.json

@@ -49,6 +49,7 @@
     "pileup": "^0.6.8",
     "request": "^2.82.0",
     "spectrum-colorpicker": "^1.8.0",
-    "text-encoding": "^0.6.4"
+    "text-encoding": "^0.6.4",
+    "xss": "^0.3.7"
   }
 }

frontend-js/src/main/js/ConfigurationType.js

@@ -12,6 +12,7 @@ var ConfigurationType = {
   REQUEST_ACCOUNT_EMAIL: "REQUEST_ACCOUNT_EMAIL",
   SIMPLE_COLOR_VAL: "SIMPLE_COLOR_VAL",
   SEARCH_DISTANCE: "SEARCH_DISTANCE",
+  SEARCH_RESULT_NUMBER: "SEARCH_RESULT_NUMBER",
   USER_MANUAL_FILE: "USER_MANUAL_FILE"
 };
 

frontend-js/src/main/js/ServerConnector.js

@@ -1396,6 +1396,13 @@ ServerConnector.getElementsByQuery = function (params) {
 
   return self.getProjectId(params.projectId).then(function (result) {
     queryParams.projectId = result;
+    return self.getConfigurationParam(ConfigurationType.SEARCH_RESULT_NUMBER);
+  }).then(function (defaultCount) {
+    if (params.count !== undefined) {
+      filterParams.count = params.count;
+    } else {
+      filterParams.count = defaultCount;
+    }
     return self.sendGetRequest(self.getSearchUrl(queryParams, filterParams));
   }).then(function (content) {
     var array = JSON.parse(content);

frontend-js/src/main/js/gui/leftPanel/OverlayPanel.js

@@ -161,11 +161,17 @@ OverlayPanel.prototype.createOverlayRow = function (overlay, checked) {
     checkbox.type = "checkbox";
     checkbox.checked = checked;
     checkbox.onclick = function () {
-      if (this.checked) {
-        return self.getMap().openDataOverlay(overlay.getId()).then(null, GuiConnector.alert);
+      var thisCheckbox = this;
+      var toggleOverlayPromise;
+      if (thisCheckbox.checked) {
+        toggleOverlayPromise = self.getMap().openDataOverlay(overlay.getId());
       } else {
-        return self.getMap().removeSelectedLayout(overlay.getId()).then(null, GuiConnector.alert);
+        toggleOverlayPromise = self.getMap().removeSelectedLayout(overlay.getId());
       }
+      $(thisCheckbox).prop("disabled", true);
+      return toggleOverlayPromise.then(null, GuiConnector.alert).finally(function () {
+        $(thisCheckbox).prop("disabled", false);
+      });
     };
     viewTd.appendChild(checkbox);
   } else {

frontend-js/src/main/js/gui/leftPanel/ProjectInfoPanel.js

@@ -151,6 +151,12 @@ ProjectInfoPanel.prototype._createInfoPanelGui = function () {
     type: "a",
     href: ServerConnector.getServerBaseUrl() + "/export.xhtml?id=" + projectId,
     content: '<i class="fa fa-mail-forward">&nbsp;EXPORT',
+    onclick: function () {
+      //TODO session expired hack (it should be done on the export.xhtml web page)
+      if (ServerConnector.getSessionData().getToken() === undefined) {
+        exportButton.href = ServerConnector.getServerBaseUrl() + "login.xhtml?from=" + encodeURI(exportButton.href);
+      }
+    }
   });
   liElement = Functions.createElement({
     type: "li",

frontend-js/src/main/js/map/Submap.js

@@ -61,27 +61,26 @@ Submap.prototype.open = function (htmlTag) {
         mapDiv.style.height = "100%";
         contentDiv.appendChild(mapDiv);
 
-        $(self.htmlTag).dialog({
-            title: self.getModel().getName(),
-            width: Math.floor(window.innerWidth * 2 / 3),
-            height: Math.floor(window.innerHeight * 2 / 3),
-            position: {
-                my: "center",
-                at: "center",
-                of: $(self.getTopMap().getElement()),
-            },
-        });
+    $(self.htmlTag).dialog({
+      title : self.getModel().getName(),
+      width : Math.floor(window.innerWidth * 2 / 3),
+      height : Math.floor(window.innerHeight * 2 / 3),
+      position : {
+        my : "center",
+        at : "center",
+        of : $(self.getTopMap().getElement()),
+      },
+      resize: function() {
+        google.maps.event.trigger(self.getGoogleMap(), 'resize');
+      }
+    });
 
         $(self.htmlTag).dialog("open");
 
         self.setGoogleMap(new google.maps.Map(mapDiv, mapOptions));
         self._createMapChangedCallbacks();
 
-        $(self.htmlTag).bind("resize", function () {
-            google.maps.event.trigger(self.getGoogleMap(), 'resize');
-        });
-
-        google.maps.event.trigger(self.getGoogleMap(), 'resize');
+    google.maps.event.trigger(self.getGoogleMap(), 'resize');
 
         if (self.isCustomTouchInterface()) {
             self._touchInterface = new TouchMap(self);

frontend-js/src/main/js/map/overlay/AbstractDbOverlay.js

@@ -253,11 +253,12 @@ AbstractDbOverlay.prototype.getColor = function (colorId) {
 };
 
 AbstractDbOverlay.prototype.getIcon = function (colorId, id) {
+  var suffix = "_" + id;
   if (id >= 100) {
-    id = 1;
+    suffix = "";
   }
   var color = this.getColor(colorId);
-  return "marker/" + this._iconType + "/" + this._iconType + "_" + color + "_" + id + ".png";
+  return "marker/" + this._iconType + "/" + this._iconType + "_" + color + suffix + ".png";
 };
 
 AbstractDbOverlay.prototype.splitQuery = function (query, useFullName) {

frontend-js/src/main/js/map/window/AbstractInfoWindow.js

 "use strict";
 
 var Promise = require("bluebird");
+var xss = require("xss");
 
 var logger = require('../../logger');
 var Functions = require('../../Functions');
@@ -262,7 +263,8 @@ AbstractInfoWindow.prototype._createCommentInfoDiv = function (overlay, data) {
         result.appendChild(commentId);
         result.appendChild(document.createElement("br"));
         var commentContent = document.createElement("div");
-        commentContent.innerHTML = comment.getContent();
+        commentContent.innerHTML = xss(comment.getContent());
+
         result.appendChild(commentContent);
       }
     } else {

frontend-js/src/test/js/map/window/AliasInfoWindow-test.js

@@ -153,36 +153,65 @@ describe('AliasInfoWindow', function () {
     });
   });
 
-  it("createCommentOverlayInfoDiv", function () {
-    var map = helper.createCustomMap();
+  describe("createOverlayInfoDiv", function () {
+    it("for comment", function () {
+      var map = helper.createCustomMap();
 
-    var oc = helper.createCommentDbOverlay(map);
+      var oc = helper.createCommentDbOverlay(map);
 
-    var alias = helper.createAlias();
-    alias.setId(3001);
-    alias.setIsComplete(true);
-    alias.setModelId(map.getId());
-    map.getModel().addAlias(alias);
+      var alias = helper.createAlias();
+      alias.setId(3001);
+      alias.setIsComplete(true);
+      alias.setModelId(map.getId());
+      map.getModel().addAlias(alias);
 
-    var aliasWindow = new AliasInfoWindow({
-      alias: alias,
-      map: map
-    });
+      var aliasWindow = new AliasInfoWindow({
+        alias: alias,
+        map: map
+      });
 
-    return oc.getDetailDataByIdentifiedElement(new IdentifiedElement(alias), true).then(function (data) {
-      var comment = helper.createComment(alias);
-      comment.setContent("test comment Content");
+      return oc.getDetailDataByIdentifiedElement(new IdentifiedElement(alias), true).then(function (data) {
+        var comment = helper.createComment(alias);
+        comment.setContent("test comment Content");
 
-      data[0] = comment;
-      data['__FULL__'] = null;
+        data[0] = comment;
+        data['__FULL__'] = null;
 
-      var overlayDiv = aliasWindow.createOverlayInfoDiv(oc, data);
+        var overlayDiv = aliasWindow.createOverlayInfoDiv(oc, data);
+
+        assert.ok(functions.isDomElement(overlayDiv));
+        assert.ok(overlayDiv.innerHTML.indexOf(comment.getContent()) >= 0);
+        assert.ok(overlayDiv.innerHTML.indexOf(comment.getId()) >= 0);
+      });
 
-      assert.ok(functions.isDomElement(overlayDiv));
-      assert.ok(overlayDiv.innerHTML.indexOf(comment.getContent()) >= 0);
-      assert.ok(overlayDiv.innerHTML.indexOf(comment.getId()) >= 0);
     });
+    it("xss", function () {
+      var map = helper.createCustomMap();
+
+      var oc = helper.createCommentDbOverlay(map);
+
+      var alias = helper.createAlias(map);
+      alias.setId(3001);
+      alias.setIsComplete(true);
+
+      var aliasWindow = new AliasInfoWindow({
+        alias: alias,
+        map: map
+      });
+
+      return oc.getDetailDataByIdentifiedElement(new IdentifiedElement(alias), true).then(function (data) {
+        var comment = helper.createComment(alias);
+        // noinspection HtmlUnknownTarget
+        comment.setContent("<img id=\"xss-id\" src=\"invalid/path\" onerror='alert(\"XSS test\")' />");
 
+        data[0] = comment;
+        data['__FULL__'] = null;
+
+        var overlayDiv = aliasWindow.createOverlayInfoDiv(oc, data);
+        assert.ok(overlayDiv.innerHTML.indexOf("alert") === -1);
+      });
+
+    });
   });
 
   it("createGeneticsDiv", function () {

persist/src/db/11.0.8/fix_db_20180118.sql

+-- empty file to force directory to be commited to git repo

rest-api/src/main/java/lcsb/mapviewer/api/projects/comments/CommentRestImpl.java

@@ -25,6 +25,8 @@ import lcsb.mapviewer.persist.dao.map.ReactionDao;
 import lcsb.mapviewer.persist.dao.map.species.ElementDao;
 import lcsb.mapviewer.services.SecurityException;
 import lcsb.mapviewer.services.interfaces.ICommentService;
+import lcsb.mapviewer.services.interfaces.IModelService;
+import lcsb.mapviewer.services.interfaces.IUserService;
 import lcsb.mapviewer.services.overlay.IconManager;
 import lcsb.mapviewer.services.search.data.ElementIdentifier.ElementIdentifierType;
 import lcsb.mapviewer.services.view.AuthenticationToken;

rest-api/src/main/java/lcsb/mapviewer/api/users/UserController.java

@@ -73,13 +73,11 @@ public class UserController extends BaseController {
       cookie.setMaxAge(expiryTime);
       cookie.setPath(cookiePath);
 
-      response.addCookie(cookie);
-      response.getWriter().write("{\"info\":\"Login successful. TOKEN returned as a cookie\"}");
-      response.getWriter().flush();
-      response.getWriter().close();
-      return result;
-    }
-  }
+			response.addCookie(cookie);
+			result.put("info", "Login successful. TOKEN returned as a cookie");
+			return result;
+		}
+	}
 
   @RequestMapping(value = "/users/{login:.+}", method = { RequestMethod.GET }, produces = {
       MediaType.APPLICATION_JSON_VALUE })
@@ -132,12 +130,12 @@ public class UserController extends BaseController {
     Authentication auth = SecurityContextHolder.getContext().getAuthentication();
     logger.debug("LOGOUT");
     logger.debug(auth);
-    if (auth != null){    
+    if (auth != null){
         new SecurityContextLogoutHandler().logout(request, response, auth);
     }
     //our session manager logout
     userService.logout(token);
-    
+
     Map<String, String> result = new HashMap<>();
     result.put("status", "OK");
 
@@ -150,12 +148,10 @@ public class UserController extends BaseController {
     cookie.setMaxAge(0);
     cookie.setPath(cookiePath);
 
-    response.addCookie(cookie);
-    response.getWriter().write("{\"status\":\"OK\"}");
-    response.getWriter().flush();
-    response.getWriter().close();
-    return result;
-  }
+		response.addCookie(cookie);
+        result.put("status", "OK");
+		return result;
+	}
 
   @RequestMapping(value = "/users/{login:.+}", method = { RequestMethod.PATCH }, produces = { MediaType.APPLICATION_JSON_VALUE })
   public Map<String, Object> updateUser(//