Commit e74cd689 authored by Piotr Gawron

Merge branch 'devel_11.0.x'

parents 7bd30279 2d738b4b
......@@ -3,6 +3,22 @@ minerva (12.0.0) stable; urgency=medium
-- Piotr Gawron <piotr.gawron@uni.lu> Thu, 14 Dec 2017 16:00:00 +0200
minerva (11.0.8) stable; urgency=medium
* Bug fix: XSS vulnerability
* Bug fix: "java.lang.IllegalStateException: getWriter()" exceptions
in logs
* Bug fix: crash for uploading and caching chemical data
* Bug fix: disappearing tiles in submodels
* Bug fix: max number of results is properly taken from configuration
* Bug fix: overlay cannot be hidden before process of fetching data
during opening is finished
* Bug fix: redirection to login page when session expired and access to
export page is requested
* Bug fix: sometimes overlays couldn't be hidden in submaps
* Bug fix: comments on submaps are visualized properly
-- Piotr Gawron <piotr.gawron@uni.lu> Mon, 05 Feb 2018 18:00:00 +0200
minerva (11.0.7) stable; urgency=medium
* Bug fix: redirection added when anonymous tries to access secured map
* Bug fix: loading time of custom overlays is reduced
......@@ -291,13 +291,17 @@ public class Chemical implements Serializable, TargettingStructure {
}
@Override
public Collection<MiriamData> getSources() {
List<MiriamData> sources = new ArrayList<>();
sources.add(getCasID());
sources.add(getChemicalId());
return sources;
}
@Override
public Collection<MiriamData> getSources() {
List<MiriamData> sources = new ArrayList<>();
if (getCasID() != null) {
sources.add(getCasID());
}
if (getChemicalId() != null) {
sources.add(getChemicalId());
}
return sources;
}
@Override
public Collection<Target> getTargets() {
......@@ -49,6 +49,7 @@
"pileup": "^0.6.8",
"request": "^2.82.0",
"spectrum-colorpicker": "^1.8.0",
"text-encoding": "^0.6.4"
"text-encoding": "^0.6.4",
"xss": "^0.3.7"
}
}
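Review bot: The new sanitizer dependency is declared with a caret range, `"xss": "^0.3.7"`, so any later 0.3.x release is pulled in automatically even though this library is now the only thing between stored comment content and `innerHTML` in `AbstractInfoWindow`. For a security-critical package it is worth pinning the exact version (`"xss": "0.3.7"`) or at least confirming that the project's lockfile, if one is committed, records the version that was actually reviewed, and then bumping it deliberately. Either way the choice deserves a short note in the project's dependency documentation so the next upgrade is treated as a security change rather than routine maintenance.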
......@@ -12,6 +12,7 @@ var ConfigurationType = {
REQUEST_ACCOUNT_EMAIL: "REQUEST_ACCOUNT_EMAIL",
SIMPLE_COLOR_VAL: "SIMPLE_COLOR_VAL",
SEARCH_DISTANCE: "SEARCH_DISTANCE",
SEARCH_RESULT_NUMBER: "SEARCH_RESULT_NUMBER",
USER_MANUAL_FILE: "USER_MANUAL_FILE"
};
......@@ -1396,6 +1396,13 @@ ServerConnector.getElementsByQuery = function (params) {
return self.getProjectId(params.projectId).then(function (result) {
queryParams.projectId = result;
return self.getConfigurationParam(ConfigurationType.SEARCH_RESULT_NUMBER);
}).then(function (defaultCount) {
if (params.count !== undefined) {
filterParams.count = params.count;
} else {
filterParams.count = defaultCount;
}
return self.sendGetRequest(self.getSearchUrl(queryParams, filterParams));
}).then(function (content) {
var array = JSON.parse(content);
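Review bot: The configured `SEARCH_RESULT_NUMBER` only acts as a fallback here: when a caller supplies `params.count` it is copied into `filterParams.count` unchanged, with no numeric check and no upper bound. If the configuration value is meant to be a ceiling (this commit's changelog calls it the "max number of results"), the assignment should clamp rather than replace, e.g. `filterParams.count = Math.min(params.count, defaultCount);` after checking that `params.count` is a positive number, and the server should enforce the same limit since this runs in the browser. `getElementsByQuery` starts and ends outside this hunk, so `filterParams` and `queryParams` are assumed to be initialised earlier in the function.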
......@@ -161,11 +161,17 @@ OverlayPanel.prototype.createOverlayRow = function (overlay, checked) {
checkbox.type = "checkbox";
checkbox.checked = checked;
checkbox.onclick = function () {
if (this.checked) {
return self.getMap().openDataOverlay(overlay.getId()).then(null, GuiConnector.alert);
var thisCheckbox = this;
var toggleOverlayPromise;
if (thisCheckbox.checked) {
toggleOverlayPromise = self.getMap().openDataOverlay(overlay.getId());
} else {
return self.getMap().removeSelectedLayout(overlay.getId()).then(null, GuiConnector.alert);
toggleOverlayPromise = self.getMap().removeSelectedLayout(overlay.getId());
}
$(thisCheckbox).prop("disabled", true);
return toggleOverlayPromise.then(null, GuiConnector.alert).finally(function () {
$(thisCheckbox).prop("disabled", false);
});
};
viewTd.appendChild(checkbox);
} else {
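Review bot: When `openDataOverlay` or `removeSelectedLayout` rejects, the `finally` block re-enables the checkbox but leaves `thisCheckbox.checked` in its new state, so the panel shows an overlay as toggled that the map never actually toggled. The rejection handler should roll the box back before alerting: `toggleOverlayPromise.then(null, function (error) { thisCheckbox.checked = !thisCheckbox.checked; GuiConnector.alert(error); })`. The `.finally` call also assumes the map methods return bluebird promises (as `AbstractInfoWindow` in this commit does via `require("bluebird")`); if they ever return native promises of the vintage this code targets, the method would not exist. `createOverlayRow` continues outside the hunk.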
......@@ -151,6 +151,12 @@ ProjectInfoPanel.prototype._createInfoPanelGui = function () {
type: "a",
href: ServerConnector.getServerBaseUrl() + "/export.xhtml?id=" + projectId,
content: '<i class="fa fa-mail-forward">&nbsp;EXPORT',
onclick: function () {
//TODO session expired hack (it should be done on the export.xhtml web page)
if (ServerConnector.getSessionData().getToken() === undefined) {
exportButton.href = ServerConnector.getServerBaseUrl() + "login.xhtml?from=" + encodeURI(exportButton.href);
}
}
});
liElement = Functions.createElement({
type: "li",
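Review bot: The login redirect built in the new `onclick` uses `encodeURI(exportButton.href)`, which leaves `?`, `=` and `&` unencoded, so the `from` value (`…/export.xhtml?id=<projectId>`) is not a single query parameter once embedded in `login.xhtml?from=…` and its `id` part is parsed as a separate parameter of the login page. It is also joined without the `/` that the `href` a few lines above uses (`getServerBaseUrl() + "/export.xhtml…"` versus `getServerBaseUrl() + "login.xhtml…"`), so one of the two is wrong depending on whether the base URL ends with a slash; the consistent form is `exportButton.href = ServerConnector.getServerBaseUrl() + "/login.xhtml?from=" + encodeURIComponent(exportButton.href);`. Since `from` is presumably consumed by the server to redirect after login, the server side should validate it as a same-origin target rather than trusting the value. `exportButton` is bound outside this hunk (the element literal opens before the `type: "a"` line), so the handler relies on that assignment having happened before the first click.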
......@@ -61,27 +61,26 @@ Submap.prototype.open = function (htmlTag) {
mapDiv.style.height = "100%";
contentDiv.appendChild(mapDiv);
$(self.htmlTag).dialog({
title: self.getModel().getName(),
width: Math.floor(window.innerWidth * 2 / 3),
height: Math.floor(window.innerHeight * 2 / 3),
position: {
my: "center",
at: "center",
of: $(self.getTopMap().getElement()),
},
});
$(self.htmlTag).dialog({
title : self.getModel().getName(),
width : Math.floor(window.innerWidth * 2 / 3),
height : Math.floor(window.innerHeight * 2 / 3),
position : {
my : "center",
at : "center",
of : $(self.getTopMap().getElement()),
},
resize: function() {
google.maps.event.trigger(self.getGoogleMap(), 'resize');
}
});
$(self.htmlTag).dialog("open");
self.setGoogleMap(new google.maps.Map(mapDiv, mapOptions));
self._createMapChangedCallbacks();
$(self.htmlTag).bind("resize", function () {
google.maps.event.trigger(self.getGoogleMap(), 'resize');
});
google.maps.event.trigger(self.getGoogleMap(), 'resize');
google.maps.event.trigger(self.getGoogleMap(), 'resize');
if (self.isCustomTouchInterface()) {
self._touchInterface = new TouchMap(self);
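Review bot: The `dialog` options literal that carries the new `resize` handler mixes two spacings in the same object — `title : …`, `width : …`, `position : {` with a space before the colon, while `resize: function() {` and the surrounding file do not — so the block reads as pasted from a differently formatted source; normalising to `title: self.getModel().getName(),` style keeps the file's convention. The `google.maps.event.trigger(self.getGoogleMap(), 'resize');` statement is shown twice at the end of the hunk; if that is two real statements rather than a rendering artefact, the second is redundant now that the dialog's `resize` callback triggers the map resize itself. A one-line comment above the handler, `// keep the embedded Google Map sized to the dialog when the user resizes it`, would record why the callback exists. `Submap.prototype.open` continues past the end of the hunk.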
......@@ -253,11 +253,12 @@ AbstractDbOverlay.prototype.getColor = function (colorId) {
};
AbstractDbOverlay.prototype.getIcon = function (colorId, id) {
var suffix = "_" + id;
if (id >= 100) {
id = 1;
suffix = "";
}
var color = this.getColor(colorId);
return "marker/" + this._iconType + "/" + this._iconType + "_" + color + "_" + id + ".png";
return "marker/" + this._iconType + "/" + this._iconType + "_" + color + suffix + ".png";
};
AbstractDbOverlay.prototype.splitQuery = function (query, useFullName) {
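Review bot: The `id = 1;` assignment inside `if (id >= 100)` is now dead code: the returned path is built from `suffix`, and `id` is not read again after the branch, so the line only survives from the previous version of `getIcon`. Dropping it and documenting the fallback makes the intent visible, e.g. `// no numbered marker image beyond 99; fall back to the plain marker` above the `if` (the 100 threshold is presumably tied to the set of shipped marker images — confirm). An undefined `id` also yields `"_undefined"` in the file name; if callers may omit it, `id === undefined` should take the same fallback as `id >= 100`.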
"use strict";
var Promise = require("bluebird");
var xss = require("xss");
var logger = require('../../logger');
var Functions = require('../../Functions');
......@@ -262,7 +263,8 @@ AbstractInfoWindow.prototype._createCommentInfoDiv = function (overlay, data) {
result.appendChild(commentId);
result.appendChild(document.createElement("br"));
var commentContent = document.createElement("div");
commentContent.innerHTML = comment.getContent();
commentContent.innerHTML = xss(comment.getContent());
result.appendChild(commentContent);
}
} else {
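Review bot: `xss(comment.getContent())` with default options still passes the library's default tag and attribute whitelist (links, images, formatting), so this is a sanitising step, not a switch to plain text; if comments are meant to be plain text, `commentContent.textContent = comment.getContent();` is the stronger and simpler fix. If HTML in comments is a feature, pass an explicit minimal whitelist — e.g. `xss(comment.getContent(), { whiteList: { b: [], i: [], a: ["href"] }, stripIgnoreTag: true })` — and say so in a comment above the line, because the default list is a library decision that can change between versions. Any other code path that places `getContent()` into `innerHTML` is not covered by this change; sanitising once where the comment is parsed into the model would protect every renderer (hedged — other render sites are not visible here). `_createCommentInfoDiv` starts before and ends after this hunk.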
......@@ -153,36 +153,65 @@ describe('AliasInfoWindow', function () {
});
});
it("createCommentOverlayInfoDiv", function () {
var map = helper.createCustomMap();
describe("createOverlayInfoDiv", function () {
it("for comment", function () {
var map = helper.createCustomMap();
var oc = helper.createCommentDbOverlay(map);
var oc = helper.createCommentDbOverlay(map);
var alias = helper.createAlias();
alias.setId(3001);
alias.setIsComplete(true);
alias.setModelId(map.getId());
map.getModel().addAlias(alias);
var alias = helper.createAlias();
alias.setId(3001);
alias.setIsComplete(true);
alias.setModelId(map.getId());
map.getModel().addAlias(alias);
var aliasWindow = new AliasInfoWindow({
alias: alias,
map: map
});
var aliasWindow = new AliasInfoWindow({
alias: alias,
map: map
});
return oc.getDetailDataByIdentifiedElement(new IdentifiedElement(alias), true).then(function (data) {
var comment = helper.createComment(alias);
comment.setContent("test comment Content");
return oc.getDetailDataByIdentifiedElement(new IdentifiedElement(alias), true).then(function (data) {
var comment = helper.createComment(alias);
comment.setContent("test comment Content");
data[0] = comment;
data['__FULL__'] = null;
data[0] = comment;
data['__FULL__'] = null;
var overlayDiv = aliasWindow.createOverlayInfoDiv(oc, data);
var overlayDiv = aliasWindow.createOverlayInfoDiv(oc, data);
assert.ok(functions.isDomElement(overlayDiv));
assert.ok(overlayDiv.innerHTML.indexOf(comment.getContent()) >= 0);
assert.ok(overlayDiv.innerHTML.indexOf(comment.getId()) >= 0);
});
assert.ok(functions.isDomElement(overlayDiv));
assert.ok(overlayDiv.innerHTML.indexOf(comment.getContent()) >= 0);
assert.ok(overlayDiv.innerHTML.indexOf(comment.getId()) >= 0);
});
it("xss", function () {
var map = helper.createCustomMap();
var oc = helper.createCommentDbOverlay(map);
var alias = helper.createAlias(map);
alias.setId(3001);
alias.setIsComplete(true);
var aliasWindow = new AliasInfoWindow({
alias: alias,
map: map
});
return oc.getDetailDataByIdentifiedElement(new IdentifiedElement(alias), true).then(function (data) {
var comment = helper.createComment(alias);
// noinspection HtmlUnknownTarget
comment.setContent("<img id=\"xss-id\" src=\"invalid/path\" onerror='alert(\"XSS test\")' />");
data[0] = comment;
data['__FULL__'] = null;
var overlayDiv = aliasWindow.createOverlayInfoDiv(oc, data);
assert.ok(overlayDiv.innerHTML.indexOf("alert") === -1);
});
});
});
it("createGeneticsDiv", function () {
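Review bot: The new `xss` case asserts only that the string `alert` is absent from `innerHTML`, which would also pass if the whole comment were dropped or if the handler survived under a different spelling; assert what must not survive and what should, e.g. `assert.ok(overlayDiv.innerHTML.indexOf("onerror") === -1);` together with `assert.ok(overlayDiv.innerHTML.indexOf("<img") >= 0);` (the `img` element itself is on the sanitizer's default whitelist, so it is expected to remain if HTML comments are intended). A second payload without an attribute handler, such as `<script>alert(1)</script>` checked with `indexOf("<script") === -1`, would exercise the sanitizer's tag-escaping path as well. The `xss` test also builds its alias with `helper.createAlias(map)` and no `setModelId`, unlike the `for comment` case above; if the two forms are equivalent, aligning them avoids a hidden difference in setup.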
-- empty file to force directory to be commited to git repo
......@@ -25,6 +25,8 @@ import lcsb.mapviewer.persist.dao.map.ReactionDao;
import lcsb.mapviewer.persist.dao.map.species.ElementDao;
import lcsb.mapviewer.services.SecurityException;
import lcsb.mapviewer.services.interfaces.ICommentService;
import lcsb.mapviewer.services.interfaces.IModelService;
import lcsb.mapviewer.services.interfaces.IUserService;
import lcsb.mapviewer.services.overlay.IconManager;
import lcsb.mapviewer.services.search.data.ElementIdentifier.ElementIdentifierType;
import lcsb.mapviewer.services.view.AuthenticationToken;
......@@ -73,13 +73,11 @@ public class UserController extends BaseController {
cookie.setMaxAge(expiryTime);
cookie.setPath(cookiePath);
response.addCookie(cookie);
response.getWriter().write("{\"info\":\"Login successful. TOKEN returned as a cookie\"}");
response.getWriter().flush();
response.getWriter().close();
return result;
}
}
response.addCookie(cookie);
result.put("info", "Login successful. TOKEN returned as a cookie");
return result;
}
}
@RequestMapping(value = "/users/{login:.+}", method = { RequestMethod.GET }, produces = {
MediaType.APPLICATION_JSON_VALUE })
......@@ -132,12 +130,12 @@ public class UserController extends BaseController {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
logger.debug("LOGOUT");
logger.debug(auth);
if (auth != null){
if (auth != null){
new SecurityContextLogoutHandler().logout(request, response, auth);
}
//our session manager logout
userService.logout(token);
Map<String, String> result = new HashMap<>();
result.put("status", "OK");
......@@ -150,12 +148,10 @@ public class UserController extends BaseController {
cookie.setMaxAge(0);
cookie.setPath(cookiePath);
response.addCookie(cookie);
response.getWriter().write("{\"status\":\"OK\"}");
response.getWriter().flush();
response.getWriter().close();
return result;
}
response.addCookie(cookie);
result.put("status", "OK");
return result;
}
@RequestMapping(value = "/users/{login:.+}", method = { RequestMethod.PATCH }, produces = { MediaType.APPLICATION_JSON_VALUE })
public Map<String, Object> updateUser(//
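Review bot: The token cookie added to the response in the login hunk is configured with only `setMaxAge` and `setPath`; neither `setHttpOnly` nor `setSecure` appears in the visible lines (the `new Cookie(...)` call is above the hunk, so the flags could be set there — verify). If the browser client does not need to read the token from script, `cookie.setHttpOnly(true);` keeps it out of reach of exactly the XSS class this release fixes, and `cookie.setSecure(request.isSecure());` stops it being sent over plain HTTP where the servlet request is available. Returning `result` instead of writing to `response.getWriter()` is the right way to let Spring serialise the body; the earlier direct write followed by a return value is presumably what produced the `getWriter()` exceptions listed in the changelog. Both methods start before their hunks, so `cookie`, `result` and `token` are assumed to be declared earlier.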