793 Commits

Author SHA1 Message Date
Mike Samuel
1a49df26b4 Bazel plumbing to add bazel_components/polymer-resin
This is a partial roll-forward of c/106190.

It adds a dependency on the latest version of polymer-resin.
Later CLs will actually use this dependency.

Change-Id: I3cf5f9c823d74da58a8b1326153a672959fa3f13
2017-06-07 10:57:56 -04:00
Wyatt Allen
c601abccc3 Revert "Polygerrit now loads polymer-resin"
This reverts commit 0895052c01ac5ac657a9763d2ad9967d9ae55c18.

Reason for revert: issue 6387

Change-Id: I14e00addeab53606952aa3ea2d45a74eac7a9d8a
2017-06-02 09:37:37 -07:00
Mike Samuel
0895052c01 Polygerrit now loads polymer-resin
polymer-resin intercepts polymer property assignments
before they reach XSS-vulnerable sinks like `href="..."`
and text nodes in `<script>` elements.

This follows the instructions in WORKSPACE for adding a new bower
dependency with kaspern's tweak to use the dependency in a rule so
that it's found.  //lib/js/bower_components.bzl has already been
rolled-back per those instructions.

The license is the polymer license as can be seen at
https://github.com/Polymer/polymer-resin/blob/master/LICENSE though
I'm not sure that //tools/js/bower2bazel.py recognizes it as such.

Docs for the added component are available at
https://github.com/Polymer/polymer-resin/blob/master/README.md
https://github.com/Polymer/polymer-resin/blob/master/getting-started.md

With this change, when I introduce an XSS vulnerability as below,
polymer-resin intercepts and stops it.

Patch that introduces a strawman vulnerability.

--- a/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
+++ b/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
@@ -55,6 +55,10 @@
         url: '/q/status:abandoned',
         name: 'Abandoned',
       },
+      {
+        url: location.hash.replace(/^#/, '') || 'http://example.com/#fragment_echoed_here',
+        name: 'XSS Me',
+      },
     ],
   }];
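Review bot: the added entry derives `url` from `location.hash`, so whatever follows `#` in the address bar (a `javascript:` URL included) reaches the link's href with no scheme check; the message calls it a strawman to exercise polymer-resin, so it must not land as-is, and if the hunk is kept for a demo it should carry an inline comment saying so next to `name: 'XSS Me'`.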

---

Address kaspern's and paladox's comments.

---

Undo version bumps for bower dependencies.

---

Change Soy index template to parallel app/index.html.

---

update polymer-resin to version 1.1.1-beta

---

Load polymer-resin into polygerrit-ui/**/*_test.html

After this, I ran the tests with
  -l chrome
  -l firefox

I ran a handful of tests with -p and observed that the
console shows "initResin" is called before test cases start
executing.

These changes were done programmatically by running the script below
(approximately) thus:
```
gerrit/ $ cd polygerrit-ui/app
app/ $ find . -name \*test.html | xargs perl hack-tests.pl
```

```
use strict;
use warnings;

# Strip any polymer-resin loading/initialization lines already present so
# the script is idempotent when re-run over a file.
sub removeResin {
  my ($s) = @_;
  $s =~ s@<link rel="import" href="[^"]*/polymer-resin/[^"]*"[^>]*>\n?@@;
  $s =~ s@<script src="[^"]*/polymer-resin/[^"]*"></script>\n?@@;
  $s =~ s@<script>\s*security\.polymer_resin.*?</script>\n?@@s;
  return $s;
}

for my $f (@ARGV) {
  next if $f =~ m@/bower_components/|/node_modules/@;

  # Start from the committed version of the file.
  system('git', 'checkout', $f);
  print "$f\n";

  my @lines = ();
  open(my $in, '<', $f) or die "$f: $!";
  my $maxLineOfMatch = 0;
  while (<$in>) {
    push(@lines, $_);
    # Remember the last line that loads a core dependency;
    # polymer-resin goes right after it.
    $maxLineOfMatch = scalar(@lines)
      if m@/webcomponentsjs/|/polymer[.]html\b|/browser[.]js@;
  }
  close($in) or die "$f: $!";

  die "$f missing loading directives" unless $maxLineOfMatch;

  # Given ./a/b/c/my_test.html, $pathToRoot is "../../.."
  # assuming no non-leading . or .. components in the path from find.
  my $pathToRoot = $f;
  $pathToRoot =~ s@^\.\/@@;
  $pathToRoot =~ s@^(.*?/)?app/@@;
  $pathToRoot =~ s@\/[^\/]*$@@;
  $pathToRoot =~ s@[^/]+@..@g;

  open(my $out, '>', $f) or die "$f: $!";

  # Output the lines up to the last core loading directive, minus any
  # polymer-resin lines this test already loaded explicitly.
  my $before = join '', @lines[0..($maxLineOfMatch - 1)];
  $before = removeResin($before);
  print $out $before;

  # Dump out the lines that load polymer-resin and configure it for
  # polygerrit.
  print $out qq{<link rel="import" href="$pathToRoot/bower_components/polymer-resin/standalone/polymer-resin-debug.html"/>
<script>
security.polymer_resin.install({allowedIdentifierPrefixes: ['']});
</script>
};

  # Emit any remaining lines.
  my $after = join '', @lines[$maxLineOfMatch..$#lines];
  $after = removeResin($after);
  $after =~ s/^\n*//;
  print $out $after;

  close($out) or die "$f: $!";
}
```

---

update polymer-resin to version 1.2.1-beta

---

update Soy index template to new style polymer-resin initialization

---

fix lint warnings

---

Load test/common-test-setup.html into *_test.html

Instead of inserting instructions to load and initialize polymer-resin into
every test file, add a common-test-setup.html that does that and also fold
iron-test-helpers loading into it.

---

imported files do not need to load webcomponentsjs

Change-Id: I71221c36ed8a0fe7f8720c1064a2fcc9555bb8df
2017-05-30 23:16:09 -04:00
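The commit above describes polymer-resin as a guard that sits between a property assignment and an XSS sink such as `href`, and the strawman patch shows exactly the kind of value (anything after `#` in the address bar) that such a guard has to catch. The block below is an added example, not polymer-resin's code and not part of Gerrit: it models that guard for the `href` sink as a stand-alone `safeHref()` function so the strawman can be run in Node. `BASE_URL`, the `INNOCUOUS_URL` sentinel, the `SAFE_SCHEMES` allow-list and the `hash` parameter that stands in for `location.hash` are all assumptions of this example. It goes slightly beyond the strawman by also feeding the guard the obfuscated scheme spellings a regex check typically misses.

```javascript
// Added example, not polymer-resin's implementation: a minimal href "sink
// guard" in the style the commit message describes, runnable offline in Node.

// Origin that relative links resolve against. Assumed for this example; in the
// browser it would be document.baseURI.
const BASE_URL = 'https://gerrit.example/';

// Schemes allowed to reach an href attribute. Assumed allow-list.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Harmless replacement written to the sink when a value is rejected. The exact
// sentinel is an assumption of this example.
const INNOCUOUS_URL = 'about:invalid#rejected';

// Return `value` unchanged if its scheme is allowed, else INNOCUOUS_URL.
// Using the WHATWG URL parser rather than a regex matters: the parser strips
// ASCII tab/newline and leading/trailing control characters and lowercases the
// scheme, so "java\tscript:", " javascript:" and "JAVASCRIPT:" all normalise to
// protocol "javascript:", which is how a browser following the link sees them.
function safeHref(value) {
  let parsed;
  try {
    parsed = new URL(String(value), BASE_URL);
  } catch (e) {
    return INNOCUOUS_URL; // unparseable input never reaches the sink
  }
  return SAFE_SCHEMES.has(parsed.protocol) ? String(value) : INNOCUOUS_URL;
}

// Models the strawman menu entry from the patch. `hash` replaces
// `location.hash` so the function can run outside a browser.
function strawmanLinks(hash) {
  return [
    { url: '/q/status:abandoned', name: 'Abandoned' },
    {
      url: hash.replace(/^#/, '') || 'http://example.com/#fragment_echoed_here',
      name: 'XSS Me',
    },
  ];
}

// Stand-in for the property-assignment path into the href sink. With
// `guard` false the raw value is written; with it true, every href is
// routed through safeHref first, as an interceptor would do.
function renderHrefs(links, guard) {
  return links.map((link) => (guard ? safeHref(link.url) : String(link.url)));
}

// Constructed sample input: an attacker-controlled fragment.
const POISONED_HASH = '#javascript:alert(document.domain)';
```

Note what the guard does and does not do: it blocks `javascript:` and `data:` (including tab-split and mixed-case spellings) from ever reaching `href`, but it deliberately passes any `http:`/`https:` value through unchanged, so open-redirect style links to foreign hosts remain the application's responsibility.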
Matthias Sohn
8006d21b24 Update JGit to 4.8.0.201705170830-rc1
Change-Id: I005421e8f06e59186a59a29649f878c3f845a218
2017-05-21 06:00:11 +00:00
David Pursehouse
4042d43567 Merge branch 'stable-2.14'
* stable-2.14:
  Bazel: Allow plugins to non-transitively depend on prolog rules

Change-Id: I6d9c7e4795249ab8c97fb064f0ebb2dd5aee8ef1
2017-05-17 19:48:49 +09:00
David Ostrovsky
b9400254a6 Bazel: Allow plugins to non-transitively depend on prolog rules
Some plugins, most notably owners-plugin, depend on the prolog:common rule.
Given that this rule transitively depends on the gerrit-server:server rule,
and this rule depends on virtually the whole gerrit build graph, the final
plugin artifact contains effectively the whole gerrit war file content.

To fix that we expose prolog:common in the plugin API. Moreover, adjust
prolog_cafe_library to not transitively depend on prolog runtime
library. We can do it, because gerrit-server already depends on it, so
that it's included in gerrit war anyway.

This change allows the owners-plugin to de-duplicate its size from 45 MB
to 1.5 MB only.

Change-Id: I8d7198a911c2da444c1822509988eda7d369af77
2017-05-17 08:51:13 +02:00
David Ostrovsky
a3844fca7f Bazel: Simplify prolog_cafe_library rule implementation
genrule2 exposes root and temp directories, but these are not used in
this rule, so we can just use the native genrule.

Change-Id: Id1e56ba47bf04a73559ff84a7c8f69745a6b3129
2017-05-17 06:23:51 +02:00
Kasper Nilsson
c78fb72fd9 Add transpilation to PolyGerrit
Utilize the Closure compiler in Bazel to transpile. As part of this, a
rather large file of 'externs' must be added in order to call external
code. This file is specific to Polymer and copied from the Closure
Github, and should be synced any time there are major changes to
Polymer.

Test Plan:

  - run `bazel build polygerrit` and verify that whitespaces are removed
    from resulting gr-app.js file
  - run `bazel build Documentation:licenses.txt` and verify that the new
    dependency is listed in resulting
    bazel-genfiles/Documentation/licenses.txt

TODO in later changes:
  - Get closure optimizations working
  - Explore sourcemaps possibilities
  - Maybe use closure linting?

Change-Id: Ic358743dda7286fea3ac1e95a7991a92c96d6341
(cherry picked from commit 1ea918bd367c091fb4128ab33d8ca7c61cfe770c)
2017-05-15 17:00:01 +09:00
David Pursehouse
9cbfae0ada Merge branch 'stable-2.14'
* stable-2.14:
  ReviewersUtil: Fix candidate list multiplier comment
  Replace FileInputStream and FileOutputStream with static Files methods

Change-Id: I5c4e04457b680db7709c522f17cfef1bef91a60f
2017-05-10 15:47:26 +09:00
Hector Oswaldo Caballero
db21e3add0 Replace FileInputStream and FileOutputStream with static Files methods
FileInputStream and FileOutputStream rely on the finalize() method to ensure
resources are closed. This implies they are added to the finalizer queue,
which causes additional work for the JVM GC process.

This is an open bug on the OpenJDK [1] and the recommended workaround is
to use the Files.newInputStream and Files.newOutputStream static methods
instead.

[1] https://bugs.openjdk.java.net/browse/JDK-8080225

Change-Id: I3cef6fcf198dde2be7cd15bded8d2fa247177654
2017-05-10 00:10:52 +00:00
Kasper Nilsson
1ea918bd36 Add transpilation to PolyGerrit
Utilize the Closure compiler in Bazel to transpile. As part of this, a
rather large file of 'externs' must be added in order to call external
code. This file is specific to Polymer and copied from the Closure
Github, and should be synced any time there are major changes to
Polymer.

Test Plan:

  - run `bazel build polygerrit` and verify that whitespaces are removed
    from resulting gr-app.js file
  - run `bazel build Documentation:licenses.txt` and verify that the new
    dependency is listed in resulting
    bazel-genfiles/Documentation/licenses.txt

TODO in later changes:
  - Get closure optimizations working
  - Explore sourcemaps possibilities
  - Maybe use closure linting?

Change-Id: Ic358743dda7286fea3ac1e95a7991a92c96d6341
2017-04-26 13:58:50 +02:00
David Pursehouse
9159985f93 Merge "Remove misleading variable from ES dependency file"
2017-04-25 08:05:59 +00:00
Dariusz Luksza
36f85512a5 Remove misleading variable from ES dependency file
VERSION variable is not used any more in the ElasticSearch dependency
file, therefore we can remove it.

Change-Id: I0e9ed69a69976606d5db5e832023e85b5a06f4f1
2017-04-25 07:49:47 +00:00
Paladox none
23f18ade43 Update web-component-tester to 5.0.1
See changelog at https://github.com/Polymer/web-component-tester/blob/master/CHANGELOG.md#501 please

Change-Id: If5772b898fa7f3e796cbe11933159c73067d5bd7
2017-04-25 07:15:19 +00:00
Dave Borowitz
c204fa11b3 Update JGit to 4.7.0.201704051617-r.37-gc80d8c590
Change-Id: Ic77a2c7bb9bc63dd7358460fe978417a61210770
2017-04-13 10:34:00 -04:00
David Pursehouse
f7d49955cf Merge branch 'stable-2.14'
* stable-2.14:
  Don't ship bouncycastle libraries in plugin API

Change-Id: I2cecc4784c1821a89313bf71b998943df0a449cc
2017-04-10 08:21:56 +09:00
David Ostrovsky
c5f8066629 Don't ship bouncycastle libraries in plugin API
We cannot shade bouncycastle in the plugin API. Still we need it to be
included in the gerrit.war, licenses file and Eclipse classpath.

Expose bouncycastle libraries in PLUGIN_TEST_DEPS constant, so that
the plugins don't need to change anything in tree build mode.

gerrit_api() bazlet in bazlets repository is extended too, so that the
plugins don't need to change anything in standalone build mode.

One side effect of this change is that bouncycastle libraries are
now listed with the neverlink suffix, e.g.:

* bouncycastle:bcprov-neverlink

Bug: Issue 5826
Change-Id: Idb8051e16b14e20c8dd528783ab297ee25707bb3
2017-04-07 07:38:04 +02:00
David Pursehouse
d8fd6e1592 Upgrade JGit to 4.7.0.201704051617-r
Change-Id: Ia8a5ebcf4bb55263391476f865c34869e2deee14
2017-04-07 01:31:26 +09:00
David Pursehouse
8d2b2bb95c Upgrade JGit to 4.7.0.201704051617-r.15-gc4e952109
Change-Id: I8b06fbc23593cff99f8b8cef9992a935cbbe90ee
2017-04-06 11:20:21 +09:00
David Pursehouse
fa8988fc8e Upgrade JGit to 4.6.1.201703071140-r.169-g61e336475
This is a snapshot of the latest head of JGit's master branch.

Jetty was changed to version 9.3.17.v20170317.  This version change
will be done for Gerrit in a follow-up commit.

Change-Id: I19ca866f90b16260f72fdd9cdc97683031b48488
2017-04-03 16:07:58 +09:00
David Pursehouse
6558e4d048 Format lib/mina/BUILD with buildifier
Change-Id: I2b18780cf7ebcd5f0bb962935c0e811f0fb19eea
2017-03-30 17:31:27 +09:00
Paladox none
f2d4fac3f3 Add support for elliptic curve/ed25519 SSH keys
Adds a dependency on net.i2p.crypto.eddsa, which is released under
the CC0 1.0 Universal license [1].

[1] https://github.com/str4d/ed25519-java/blob/master/LICENSE.txt

Feature: Issue 4507
Change-Id: Icab3a3e367b69c14132f0cc9478a84ebb9df834c
2017-03-28 15:26:29 +00:00
David Pursehouse
a01b395773 Upgrade JGit to 4.6.1.201703071140-r.149-g61f830d3a
This snapshot includes numerous changes since the previous one.

There is currently nothing that we specifically need in this snapshot,
but it brings us closer to what will be in the upcoming 4.7.0 release
and will allow us to potentially catch any issues before release.

Change-Id: I4c3642eab4c1f1128e2e19cf656dee13270662e2
2017-03-24 09:06:23 +09:00
Han-Wen Nienhuys
fe81f93215 Simplify local JGit development
Put all the logic in jgit.bzl, where a single edit suffices to get
the local flavor.

Given that all sha1 for jgit dependencies are in jgit.bzl, we can
remove the constants and use sha1 values directly.

Change-Id: Icabf651e02f226e5c025457d54588074a11ae283
2017-03-24 08:36:18 +09:00
Dave Borowitz
c81ad3135a Merge "Update codemirror to 5.25.0"
2017-03-23 01:18:05 +00:00
Paladox none
d1dab17ce4 Update codemirror to 5.25.0
See release notes at https://codemirror.net/doc/releases.html

Change-Id: Ia55811afecc9bc6c2fcf0a0edaa9a35b05152ae4
2017-03-22 21:44:40 +00:00
David Ostrovsky
e51b745efa Bazel: Allow to consume jgit from development tree
Now that Bazel build for JGit is fully implemented, we can document
the process of routing the JGit dependency to the development tree
instead of consuming it from Central or ~/.m2 local repository:

1. Activate local jgit repository in WORKSPACE file:

  local_repository(
      name = "jgit",
      path = "/home/<user>/projects/jgit",
  )

2. Uncomment alias to jgit repository in lib/jgit/**/BUILD files.
It shouldn't be needed and is tracked under this issue upstream: [1]:

  alias(
      name = "jgit-alias",
      actual = select({
          "@//lib:jgit-dev": "@jgit//org.eclipse.jgit:jgit",
          "//conditions:default": "@jgit_lib//jar",
      }),
      visibility = ["//visibility:public"],
  )

Test plan:

Update local JGit tree, run tests and verify that local JGit tree
modifications are reflected in the gerrit build:

  $ bazel build --define jgit-dev=1 headless

To consume JGit from Central, do not pass jgit-dev=1:

  $ bazel test ...

[1] https://github.com/bazelbuild/bazel/issues/2707
Change-Id: I1b0fee7df802f6cbd54acbb0bc73157e2b8bc7cf
2017-03-22 22:27:12 +01:00
Paladox none
761a19ebc3 Update soy to 2017-02-01
New release depends on safe-html-types that is released under Apache 2
license: [1].

[1] https://github.com/google/safe-html-types
Change-Id: If46fcf6dd2e7ad7e2c6eac0906e5df0fa401b6cc
2017-03-17 05:33:26 +01:00
David Pursehouse
50f200f3af Merge "Remove an obsolete code comment from the AsciiDoctor class"
2017-03-14 05:07:28 +00:00
David Pursehouse
f32625ac90 Move all JGit related definitions to lib/jgit/jgit.bzl
Move the definitions of the JGit repository and the artifact hashes into
the lib/jgit/jgit.bzl file so that when we change the JGit version we can
make all the necessary modifications in one place.

Change-Id: I4cb97481d62a57bfca960392d696aae3c95c6bb7
2017-03-09 18:10:46 +09:00
David Pursehouse
f4179849bd Remove redundant GUAVA_VERSION and JGIT_VERSION files
These were used by the Buck build, and are no longer needed after
we switched to Bazel.

Change-Id: Ie50b0c2dcff9a7bab707eb7d97e9b5567113c11a
2017-03-09 10:02:09 +09:00
David Pursehouse
9561f38f14 Format BUILD and WORKSPACE files with buildifier
Formatted with buildifier version 0.4.3 installed via homebrew
on OSX.

Change-Id: Iab54e118a5d119b5c031838c267b848b8ead30f2
2017-02-28 17:32:44 +09:00
Paladox none
33d4eafec0 Update CodeMirror to 5.24.2
Change-Id: I9e86bdb59b5f9295bc1ff50e04174856e5b00444
2017-02-22 23:24:18 +00:00
David Pursehouse
4049ba2a62 Upgrade guava to 21.0
Change-Id: I159c6d3a42e5166f93c6eb410018ce3297876e50
2017-02-21 10:44:59 +09:00
Han-Wen Nienhuys
6471e8a94a Ship BouncyCastle in the .war files.
Per
https://www.bis.doc.gov/index.php/forms-documents/encryption/328-flowchart-2/file
open source crypto software can be self-classified as 5D002, and
requires only notification of the U.S. Bureau of Industry and
Security.

This registration has been performed by Google, as of Feb 15, 2017.

This gets rid of the special casing for BouncyCastle, simplifying our
build and deployment process.

Change-Id: I680b0a001e5e2e497ed6e62c90c8b8be30efff48
2017-02-15 13:48:57 +01:00
David Ostrovsky
8eee3669f3 Merge "update web-component-tester to 5.0.0."
2017-02-13 18:46:21 +00:00
Dave Borowitz
39bc108a39 Make implicit reviewers feature actually work on GWT UI
This was presumably fixed in Ia5e6b9791 and in I8b735db4f. It turns
out that the labels map is not null in the GWT UI, as is the case in PG,
but also non-empty, even in the non-voting case: Code-Review: 0.

Fix the optimization check to account for zero votes.

Bug: Issue 4638
Change-Id: I6d9a2cc42ec51e6b1df13b96cf4bcdd082c87f60
2017-02-11 06:19:54 +00:00
Dave Borowitz
292fa154c1 Format all Java files with google-java-format
Having a standard tool for formatting saves reviewers' valuable time.
google-java-format is Google's standard formatter and is somewhat
inspired by gofmt[1]. This commit formats everything using
google-java-format version 1.2.

The downside of this one-off formatting is breaking blame. This can be
somewhat hacked around with a tool like git-hyper-blame[2], but it's
definitely not optimal until/unless this kind of feature makes its way
to git core.

Not in this change:
* Tool support, e.g. Eclipse. The command must be run manually [3].
* Documentation of best practice, e.g. new 100-column default.

[1] https://talks.golang.org/2015/gofmt-en.slide#3
[2] https://commondatastorage.googleapis.com/chrome-infra-docs/flat/depot_tools/docs/html/git-hyper-blame.html
[3] git ls-files | grep java$ | xargs google-java-format -i

Change-Id: Id5f3c6de95ce0b68b41f0a478b5c99a93675aaa3
Signed-off-by: David Pursehouse <dpursehouse@collab.net>
2017-02-07 10:04:39 +09:00
Han-Wen Nienhuys
afdd224496 update web-component-tester to 5.0.0.
Change-Id: I8e4b409574cd0b660f290213fdec26f8d2e7411c
2017-02-01 13:33:56 +01:00
Han-Wen Nienhuys
3dede1653a bower2bazel: don't specify versions for non-seed packages.
The 'seed' packages are the ones whose versions are set by us in
WORKSPACE. We should not set the versions for the rest of the packages
in the bower input JSON, so bower can suggest the right versions to
use.

Change-Id: I9b75f16655d049e2064726862980a339c91dd534
2017-02-01 13:33:55 +01:00
Paladox none
603fb17b44 Remove one last buck file from gerrit's core
Change-Id: I48ab5af8be5493b36f903e4e32277a611de97a17
2017-01-27 19:41:56 +00:00
David Ostrovsky
a3acef8de4 Bazel: Fix powermock-core declaration
In the definition of //lib/powermock:powermock the dependency to
@powermock_core//jar was missing.

Change-Id: I4055085592ad556e7b1da730344b7e48460be7af
2017-01-24 23:31:15 +01:00
David Ostrovsky
fdbfcad77d Remove Buck based build
Bug: Issue 5302
Change-Id: I6e860446ef30ff0ad1c7c49fc0e39d39d921820b
2017-01-23 12:44:58 +00:00
David Pursehouse
074cf23832 Upgrade JGit to 4.6.0.201612231935-r.30-gd3148f300
This snapshot includes several fixes since the release, including some
improvements in LFS support:

  d3148f300 Make ObjectDownloadListener public
  55c629a9f LfsProtocolServlet#LfsRequest: Add operation type helper methods
  56fe21778 Expose LFS operation strings as public constants
  590141163 LfsProtocolServlet: Improve error on getLargeFileRepository failure
  7245aa031 Add support for refusing LFS request due to invalid authorization
  0e187f148 Add LfsPointerFilter TreeFilter

Change-Id: Ib3cd9d8677b6c6017becc5c46e7fa4dfc5192807
2017-01-19 23:45:46 +00:00
Paladox
10649e4550 Update bouncy castle to 1.56
See release notes at https://www.bouncycastle.org/releasenotes.html

Change-Id: Id0c5b1e929118469b4a80252e44a201b7b8f62f5
2017-01-11 23:05:10 +00:00
Matthias Sohn
e1d12494d9 Update JGit to 4.6.0.201612231935-r
Change-Id: Ibd58603e6c1975c883dbf9f1d115e03a25467774
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Signed-off-by: David Pursehouse <dpursehouse@collab.net>
2016-12-29 21:21:37 +00:00
David Ostrovsky
1b44bb8430 Merge "Update codemirror to 5.22.0"
2016-12-27 20:06:02 +00:00
Paladox
1e55a382d6 Update codemirror to 5.22.0
Highlights include:
 - New themes duotone-light and duotone-dark
 - Various small fixes to language modes

Change-Id: I632cc2dd3815767293ea9638b0551f7a98f330b2
2016-12-22 23:40:25 -04:00
Dave Borowitz
bb6896caad Update gwtorm to v1.17
$ git log --oneline v1.16..v1.17
09ada04 Version 1.17
4ce1c32 JdbcAccess: Defer exceptions when in a transaction
b46ab3e Incorporate table into H2 column constraint name
0bfc2e3 Start 1.17

Change-Id: Iee0002cbc74678cac53c1931acf1bea92ef25c7e
2016-12-22 12:20:56 -05:00
David Ostrovsky
86da32cd24 Buck: Simplify jsoup integration
Remove unnecessary java_library rule wrapper around another
java_library defined through maven_jar rule.

Change-Id: I197df73f8944b9d17c7738c036035b2daccd8e61
2016-12-21 23:25:11 +01:00