This reverts commit
* f5124487a4a5a1ac2146ffc9fad705fe1fa4237b (update to 5.27.2)
* 8edeb9e69c4aa14992f8b3224f8aa86349d05e6b (update to 5.26.0)
Reason for revert: This breaks the GWTUI in the google deployment in mysterious ways:
gerrit_ui-0.js:65354 Thu Jun 29 13:36:57 GMT+200 2017 Class$S735 SEVERE: (TypeError) :
Cannot read property 'attach' of undefined Class$S171: (TypeError) :
Cannot read property 'attach' of undefined at Unknown.keyMap(https://gerrit-review.googlesource.com/gerrit_ui/5DADEBC80EFC7449BFD80840CBA4A5CF.cache.js)
at Unknown.new CodeMirror$1(https://gerrit-review.googlesource.com/gerrit_ui/5DADEBC80EFC7449BFD80840CBA4A5CF.cache.js)
at Unknown.CodeMirror$1(https://gerrit-review.googlesource.com/gerrit_ui/5DADEBC80EFC7449BFD80840CBA4A5CF.cache.js)
at Unknown.newCM(gerrit_ui-7.js)
at Unknown.create_73(gerrit_ui-7.js)
at Unknown.newCm(gerrit_ui-2.js)
with the symptoms going away after a browser cache flush.
Our new library upgrade policy says that the upgrade window is already closed and this version does not provide any critical fixes.
Change-Id: I524608b6adf7f4276fc03ff9d8e91a779a9e9ae8
This is attempt 3 at rolling-forward c/106190
New Dependency
==============
This adds polymer-resin as a bower archive.
See `bower info polymer-resin\#1.2.6-beta` for details.
Polymer-resin is part of the larger polymer project so is
license compatible.
Integration
===========
The main application element, app/elements/gr-app.html, now HTML
imports polymer-resin per
github.com/Polymer/polymer-resin/blob/master/getting-started.md#loading
It uses the following configuration:
1. All dynamic IDs are allowed.
2. Policy violation reports are sent to the dev console.
test/common-test-setup.html does the same so that tests are run in the
same environment.
Testing
=======
1. Running local tests
gerrit $ ./polygerrit-ui/app/run_tests.sh
With 1.2.6-beta tests run green on (Chrome, Firefox, Safari).
2. Testing for false positives
I ran two servers.
a. polygerrit-ui/run_server.sh
b. gerrit.war per https://git.eclipse.org/r/Documentation/dev-readme.html
I noticed that in both, the dev console showed 'initResin' early and
paging around showed no violation reports.
3. Testing for true negatives
I patched in the diff at the end of this description, and reran
both server environments.
I noted that browsing to localhost:8081/#javascript:alert(1)
and localhost:8080/#javascript:alert(1) both showed a
violation report about javascript:alert(1) being rejected.
Clicking Changes / XSS did not result in a popup.
Differences
===========
This loads the non-debug version but configured with a console reporter
so should minimize code size and speed overhead.
This loads via gr-app so the input is automatically vulcanized.
--- a/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
+++ b/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
@@ -56,6 +56,11 @@
url: '/q/status:abandoned',
name: 'Abandoned',
},
+ { // HACK DO NOT SUBMIT
+ url: (location.hash && location.hash.replace(/^#/, ''))
+ || '/echoes_hash',
+ name: 'XSS',
+ },
],
}];
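Review bot: `url` here is computed once, when the module that builds the menu array is evaluated, not per render, so the entry only echoes whatever `location.hash` was at page load; the manual test works because the page is opened with `#javascript:alert(1)` already in the URL, but keep the HACK DO NOT SUBMIT marker so this untrusted-fragment-to-href flow can never land. (`location.hash` is always a string in browsers, so the `location.hash &&` guard only serves the empty-hash fallback to `/echoes_hash`.)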
--- a/polygerrit-ui/app/elements/shared/gr-dropdown/gr-dropdown.js
+++ b/polygerrit-ui/app/elements/shared/gr-dropdown/gr-dropdown.js
@@ -93,6 +93,7 @@
},
_computeRelativeURL(path) {
+if (path && /^\w+\:/.test(path)) { return path; } // HACK DO NOT SUBMIT
const host = window.location.host;
return this._computeURLHelper(host, path);
},
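Review bot: the early return added to `_computeRelativeURL` hands any scheme-prefixed `path`, `javascript:` included, straight to the href sink instead of through `_computeURLHelper`, which is the purpose of the experiment but leaves polymer-resin as the only control on that flow; it must stay marked DO NOT SUBMIT. Minor: the `\:` escape is unnecessary (`/^\w+:/`), and the added line is not indented to the method body.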
Change-Id: I38bfa124abd4fb35972833f29fc1664ec2404e34
This version includes new features, and several API changes, some
of which will require updates in Gerrit. Notably:
- Hashing.sha1 and Hashing.md5 are deprecated, although may still be
used.
- CheckedFuture is deprecated.
These will be fixed in follow-up commits.
See the release note [1] for more details.
[1] https://github.com/google/guava/wiki/Release22
Change-Id: I1627873503188596c9c921dde65340a29a5811e3
Swaps out Source Code Pro for Roboto Mono. In addition, modifies the
syntax highlighting theme for numbers and class selectors from the
darker #7F0055 to the lighter #9E0069 and removes the bold font weight
from the selector to better differentiate the selector, especially with
a red background color.
Bug: Issue 6021
Change-Id: I7588e9aa1ef0b2e4ccde8b7a5ed0c24e56760a11
Test fix was cherry-picked from fe494ed59ea1fb6258a13daf5c2bc250e56afde4
which was submitted on stable-2.14 when JGit was updated to
4.7.1.201706071930-r.
Change-Id: I16395936628d6f04668cc0adf9bd3eb6c7080394
This is a partial roll-forward of c/106190.
It adds a dependency on the latest version of polymer-resin.
Later CLs will actually use this dependency.
Change-Id: I3cf5f9c823d74da58a8b1326153a672959fa3f13
polymer-resin intercepts polymer property assignments
before they reach XSS-vulnerable sinks like `href="..."`
and text nodes in `<script>` elements.
This follows the instructions in WORKSPACE for adding a new bower
dependency with kaspern's tweak to use the dependency in a rule so
that it's found. //lib/js/bower_components.bzl has already been
rolled-back per those instructions.
The license is the polymer license as can be seen at
https://github.com/Polymer/polymer-resin/blob/master/LICENSE though
I'm not sure that //tools/js/bower2bazel.py recognizes it as such.
Docs for the added component are available at
https://github.com/Polymer/polymer-resin/blob/master/README.md
https://github.com/Polymer/polymer-resin/blob/master/getting-started.md
With this change, when I introduce an XSS vulnerability as below,
polymer-resin intercepts and stops it.
Patch that introduces a strawman vulnerability.
--- a/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
+++ b/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
@@ -55,6 +55,10 @@
url: '/q/status:abandoned',
name: 'Abandoned',
},
+ {
+ url: location.hash.replace(/^#/, '') || 'http://example.com/#fragment_echoed_here',
+ name: 'XSS Me',
+ },
],
}];
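Review bot: as in the earlier test patch, `location.hash.replace(/^#/, '')` is evaluated when the menu literal is built, and the fallback `http://example.com/#fragment_echoed_here` is an external URL polymer-resin will allow, so a successful run is told apart from a failed one only by the violation report in the `javascript:` case; unlike the earlier hunk this one carries no DO NOT SUBMIT marker, so add one before the change is uploaded again.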
---
Address kaspern's and paladox's comments.
---
Undo version bumps for bower dependencies.
---
Change Soy index template to parallel app/index.html.
---
update polymer-resin to version 1.1.1-beta
----
Load polymer-resin into polygerrit-ui/**/*_test.html
After this, I ran the tests with
-l chrome
-l firefox
I ran a handful of tests with -p and observed that the
console shows "initResin" is called before test cases start
executing.
These changes were done programmatically by running the script below
(approximately) thus:
```
gerrit/ $ cd polygerrit-ui/app
app/ $ find . -name \*test.html | xargs perl hack-tests.pl
```
```
#!/usr/bin/perl
# hack-tests.pl: rewrite each *_test.html given on the command line so that
# polymer-resin is loaded and installed right after the core loading
# directives (webcomponentsjs, polymer.html, browser.js), removing any
# previously hand-inserted polymer-resin lines first.
use strict;
use warnings;

# Strip previously inserted polymer-resin load/install lines from a chunk.
sub removeResin($) {
  my $s = $_[0];
  $s =~ s@<link rel="import" href="[^"]*/polymer-resin/[^"]*"[^>]*>\n?@@;
  $s =~ s@<script src="[^"]*/polymer-resin/[^"]*"></script>\n?@@;
  $s =~ s@<script>\s*security\.polymer_resin.*?</script>\n?@@s;
  return $s;
}

for my $f (@ARGV) {
  next if $f =~ m@/bower_components/|/node_modules/@;
  # Start from the committed version so re-running the script is idempotent.
  system('git', 'checkout', $f);
  print "$f\n";
  my @lines = ();
  open(my $in, '<', $f) or die "$f: $!";
  my $maxLineOfMatch = 0;
  while (<$in>) {
    push(@lines, $_);
    # Remember the last line that loads a core dependency.
    $maxLineOfMatch = scalar(@lines)
        if m@/webcomponentsjs/|/polymer[.]html\b|/browser[.]js@;
  }
  close($in) or die "$f: $!";
  die "$f missing loading directives" unless $maxLineOfMatch;
  # Given ./a/b/c/my_test.html, $pathToRoot is "../../.."
  # assuming no non-leading . or .. components in the path from find.
  my $pathToRoot = $f;
  $pathToRoot =~ s@^\./@@;
  $pathToRoot =~ s@^(.*?/)?app/@@;
  $pathToRoot =~ s@/[^/]*$@@;
  $pathToRoot =~ s@[^/]+@..@g;
  open(my $out, '>', $f) or die "$f: $!";
  # Output the lines up to the last core loading directive, minus any
  # polymer-resin lines this test loaded explicitly.
  my $before = join '', @lines[0..($maxLineOfMatch - 1)];
  $before = removeResin($before);
  print $out $before;
  # Load polymer-resin and configure it for polygerrit.
  print $out qq'<link rel="import" href="$pathToRoot/bower_components/polymer-resin/standalone/polymer-resin-debug.html"/>
<script>
security.polymer_resin.install({allowedIdentifierPrefixes: [\'\']});
</script>
';
  # Emit any remaining lines.
  my $after = join '', @lines[$maxLineOfMatch..$#lines];
  $after = removeResin($after);
  $after =~ s/^\n*//;
  print $out $after;
  close($out) or die "$f: $!";
}
```
---
update polymer-resin to version 1.2.1-beta
---
update Soy index template to new style polymer-resin initialization
----
fix lint warnings
----
Load test/common-test-setup.html into *_test.html
Instead of inserting instructions to load and initialize polymer-resin into
every test file, add a common-test-setup.html that does that and also fold
iron-test-helpers loading into it.
----
imported files do not need to load webcomponentsjs
Change-Id: I71221c36ed8a0fe7f8720c1064a2fcc9555bb8df
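The interception described in the message above (property values stopped before they reach sinks such as `href` or `<script>` text), together with the `#javascript:alert(1)` check from the earlier test plan, as an added example in JavaScript. This is not polymer-resin's or Gerrit's code: the sink set, the `INNOCUOUS_URL` replacement, and the `createResinLikeGate()` / `renderMenuHref()` names are assumptions made for the illustration; `strawmanMenuUrl()` reproduces only the expression from the test patch.

```javascript
// Added example (not polymer-resin's own code): a minimal model of the gate
// polymer-resin places between a Polymer property binding and the DOM.

// Schemes that may reach a URL sink (href/src) unchanged. Anything else
// carrying a scheme, javascript: above all, is replaced by an inert URL.
const SAFE_URL_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);
// Replacement for rejected URL values (assumption for this example; any
// inert URL would do).
const INNOCUOUS_URL = 'about:invalid#zClosurez';

// Return the value that is safe to assign to a URL sink. Relative paths and
// fragments ("/q/status:abandoned", "#foo") carry no scheme and pass through.
function sanitizeUrl(value) {
  const s = String(value);
  // Browsers ignore leading C0 controls/space and embedded tab/CR/LF when
  // parsing the scheme ("java\tscript:"), so strip them before looking for one.
  const probe = s.replace(/^[\u0000-\u0020]+/, '').replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(probe);
  if (!m) return s;
  return SAFE_URL_SCHEMES.has(m[1].toLowerCase()) ? s : INNOCUOUS_URL;
}

// Build a gate. With allowedIdentifierPrefixes [''] (the gr-app.html
// configuration) every dynamic id is allowed; reportHandler receives each
// violation, standing in for the console reporter.
function createResinLikeGate({allowedIdentifierPrefixes = [],
                              reportHandler = () => {}} = {}) {
  const violations = [];
  const report = (elementName, propName, value, replacement) => {
    const v = {elementName, propName, value, replacement};
    violations.push(v);
    reportHandler(v);
  };
  // guard() returns what may actually be assigned to element[propName].
  function guard(elementName, propName, value) {
    const tag = String(elementName).toLowerCase();
    switch (propName) {
      case 'href':
      case 'src': {
        const safe = sanitizeUrl(value);
        if (safe !== String(value)) report(tag, propName, value, safe);
        return safe;
      }
      case 'id': {
        const s = String(value);
        if (allowedIdentifierPrefixes.some(p => s.startsWith(p))) return s;
        report(tag, propName, value, '');
        return '';
      }
      case 'textContent':
        // Dynamic text is data in ordinary elements but code inside <script>.
        if (tag === 'script') { report(tag, propName, value, ''); return ''; }
        return String(value);
      default:
        return value;
    }
  }
  return {guard, violations};
}

// The strawman menu entry from the test patch: the URL fragment is echoed
// into a link target, which is exactly the flow the gate must catch.
function strawmanMenuUrl(hash) {
  return (hash && hash.replace(/^#/, '')) || '/echoes_hash';
}

// Simulate the header rendering that entry for a given location.hash.
function renderMenuHref(hash, gate) {
  return gate.guard('a', 'href', strawmanMenuUrl(hash));
}

const demoGate = createResinLikeGate({
  allowedIdentifierPrefixes: [''],
  reportHandler: v => console.warn('polymer-resin-like violation:', v),
});
console.log(renderMenuHref('#javascript:alert(1)', demoGate)); // rejected
console.log(renderMenuHref('#/q/status:open', demoGate));      // allowed
```

The gate sits after the value is computed and before it is assigned, so the `_computeRelativeURL` short-circuit from the test patch, which passes scheme-prefixed paths through untouched, changes nothing about what reaches the DOM; only the sink-side check decides.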
Some plugins, most notably owners-plugin, depend on prolog:common rule.
Given that this rule transitively depends on gerrit-server:server rule,
and this rule depends on virtually whole gerrit build graph, the final
plugin artifact contains effectively the whole gerrit war file content.
To fix that we expose prolog:common in plugin API. Moreover, adjust
prolog_cafe_library to not transitively depend on prolog runtime
library. We can do it, because gerrit-server already depends on it, so
that it's included in gerrit war anyway.
This change allows the owners-plugin to de-duplicate its size from 45 MB
to 1.5 MB only.
Change-Id: I8d7198a911c2da444c1822509988eda7d369af77
genrule2 exposes root and temp directories, but these are not used in
this rule, so that we can just use native genrule.
Change-Id: Id1e56ba47bf04a73559ff84a7c8f69745a6b3129
Utilize the Closure compiler in Bazel to transpile. As part of this, a
rather large file of 'externs' must be added in order to call external
code. This file is specific to Polymer and copied from the Closure
Github, and should be synced any time there are major changes to
Polymer.
Test Plan:
- run `bazel build polygerrit` and verify that whitespaces are removed
from resulting gr-app.js file
- run `bazel build Documentation:licenses.txt` and verify that the new
dependency is listed in resulting
bazel-genfiles/Documentation/licenses.txt
TODO in later changes:
- Get closure optimizations working
- Explore sourcemaps possibilities
- Maybe use closure linting?
Change-Id: Ic358743dda7286fea3ac1e95a7991a92c96d6341
(cherry picked from commit 1ea918bd367c091fb4128ab33d8ca7c61cfe770c)
FileInputStream and FileOutputStream rely on finalize() method to ensure
resources are closed. This implies they are added to the finalizer queue
which causes additional work for the JVM GC process.
This is an open bug on the OpenJDK [1] and the recommended workaround is
to use the Files.newInputStream and Files.newOutputStream static methods
instead.
[1] https://bugs.openjdk.java.net/browse/JDK-8080225
Change-Id: I3cef6fcf198dde2be7cd15bded8d2fa247177654
VERSION variable is not used any more in the ElasticSearch dependency
file, therefore we can remove it.
Change-Id: I0e9ed69a69976606d5db5e832023e85b5a06f4f1
We cannot shade bouncycastle in the plugin API. Still we need it to be
included in the gerrit.war, licenses file and Eclipse classpath.
Expose bouncycastle libraries in PLUGIN_TEST_DEPS constant, so that
the plugins don't need to change anything in tree build mode.
gerrit_api() bazlet in bazlets repository is extended too, so that the
plugins don't need to change anything in standalone build mode.
One side effect of this change, is that bouncycastle libraries are
now listed with neverlink suffix, e.g.:
* bouncycastle:bcprov-neverlink
Bug: Issue 5826
Change-Id: Idb8051e16b14e20c8dd528783ab297ee25707bb3
This is a snapshot of the latest head of JGit's master branch.
Jetty was changed to version 9.3.17.v20170317. This version change
will be done for Gerrit in a follow-up commit.
Change-Id: I19ca866f90b16260f72fdd9cdc97683031b48488
This snapshot includes numerous changes since the previous one.
There is currently nothing that we specifically need in this snapshot,
but it brings us closer to what will be in the upcoming 4.7.0 release
and will allow us to potentially catch any issues before release.
Change-Id: I4c3642eab4c1f1128e2e19cf656dee13270662e2
Put all the logic in jgit.bzl, where a single edit suffices to get
the local flavor.
Given that all sha1 for jgit dependencies are in jgit.bzl, we can
remove the constants and use sha1 values directly.
Change-Id: Icabf651e02f226e5c025457d54588074a11ae283
Now that Bazel build for JGit is fully implemented, we can document
the process of routing the JGit dependency to the development tree
instead of consuming it from Central or ~/.m2 local repository:
1. Activate local jgit repository in WORKSPACE file:
   local_repository(
       name = "jgit",
       path = "/home/<user>/projects/jgit",
   )
2. Uncomment alias to jgit repository in lib/jgit/**/BUILD files.
It shouldn't be needed; this is tracked upstream under [1]:
   alias(
       name = "jgit-alias",
       actual = select({
           "@//lib:jgit-dev": "@jgit//org.eclipse.jgit:jgit",
           "//conditions:default": "@jgit_lib//jar",
       }),
       visibility = ["//visibility:public"],
   )
Test plan:
Update local JGit tree, run tests and verify that local JGit tree
modifications are reflected in gerrit build:
$ bazel build --define jgit-dev=1 headless
To consume JGit from Central, do not pass jgit-dev=1:
$ bazel test ...
[1] https://github.com/bazelbuild/bazel/issues/2707
Change-Id: I1b0fee7df802f6cbd54acbb0bc73157e2b8bc7cf
New release depends on safe-html-types that is released under Apache 2
license: [1].
[1] https://github.com/google/safe-html-types
Change-Id: If46fcf6dd2e7ad7e2c6eac0906e5df0fa401b6cc
Move the definitions of the JGit repository and the artifact hashes into
the lib/jgit/jgit.bzl file so that when we change the JGit version we can
make all the necessary modifications in one place.
Change-Id: I4cb97481d62a57bfca960392d696aae3c95c6bb7
Per
https://www.bis.doc.gov/index.php/forms-documents/encryption/328-flowchart-2/file
open source crypto software can be self-classified as 5D002, and
requires only notification of the U.S. Bureau of Industry and
Security.
This registration has been performed by Google, as of Feb 15, 2017.
This gets rid of the special casing for BouncyCastle, simplifying our
build and deployment process.
Change-Id: I680b0a001e5e2e497ed6e62c90c8b8be30efff48