This includes a fix to stop using google fonts external resource
and rather use local fonts.
Bug: Issue 11993
Change-Id: I731e54ca872a2430461bc4de7d3c2dfe6d56062e
* stable-2.15:
Bump Mina core to 2.0.16 and sshd to 1.4
Switch to java 8
Set version to 2.13.14-SNAPSHOT
Elasticsearch: Update rest client and test container to 6.7.1
Switch links in js.bzl to https
Update bower to 1.8.8
Change-Id: I8d97532289423ad626d015056ac245fd6c95782a
Required by the image-diff plugin.
There does not seem to be any easy way to add bower dependencies inside
plugins without adding them to core.
Building image-diff never seemed to work for a normal user. I'm not
entirely sure how google got it working.
Bug: Issue 9911
Change-Id: I08499c86e236a1c3861b78ba698dbd4a3bc811d8
(cherry picked from commit cb76de7e1728108632d7c377dfbd61885001620d)
New rule uses polymer-bundler instead of deprecated vulcanize.
Also use this rule to package UI plugins.
Also for combining PolyGerrit UI.
Feature: Issue 7144
Change-Id: I17380c670fe4a980dc9748b356e7df18aebdb4ca
* stable-2.14:
Apply buildifier to .bzl files.
Update Bower to 1.8.2
Bump commons-io version to 2.2
Change-Id: Ic90865db76a0e34f0f8fef33b83ec7b2fd75c875
Buildifier is now also used for formatting .bzl files.
This change was created by running buildifier 0.12 over our source tree.
Change-Id: I9f15112d4fe23e5cec0700cfe47f1ca649f61d2a
This reverts commit a7f0e62938b723556a529e5cba05e5ada0e6aa2b.
The //lib/js:highlightjs in
//polygerrit-ui:polygerrit_components.bower_components appeared to be
unused because the library is specially inserted into the PG app bundle
in polygerrit-ui/app/rules.bzl. However, it was used by development
servers such as the WAR using --polygerrit-dev or by the run-server.sh
proxy.
Bug: Issue 8777
Change-Id: Ie1467ed9bc9f7e011c870629ba1c9390fa0c9559
As indicated in the comment in the bower_component_bundle, this is not
required to be part of the bundle, and is copied directly into the
output zip. Unlike other bower components, this one is intended to be
served from a separate file and loaded on demand, to decrease initial
page load time.
Change-Id: I97a7fbbb7755a10250abf2610c33ed9bcdf73167
This also requires a small css change because in 2.0 paper-button
applies --paper-font-common-base mixin which ends up setting the font to
roboto and not roboto-medium as is currently implemented in gerrit.
Change-Id: Ie52232eb95bc2c2f21f3802bd983cbc45cf697d7
Adding this dependency to WORKSPACE allows a plugin (codemirror-editor)
to load it in a descendant change.
Bug: Issue 4437
Change-Id: I6cf5a55a21c6e749215ef91e895554444e49b657
Move the definitions of NPM_VERSIONS and NPM_SHA1S into a separate .bzl
file in the /lib folder so that upgrades to the NPM components (bower,
crisper, vulcanize) require the Library-Compliance label to be set.
Change-Id: I691bb4fbdeeba2f1b05753310a8673febbfb6786
This will be used for material input elements, beginning with a
refreshed gr-editable-label
Also updates version of polymer-resin, which is required for paper-input
to not throw an error.
Change-Id: Ib17c3672e404914eaca2b97d633cc38f398bce0b
A few of the bower dependencies were outdated compared to those used by
googlesource. There was a noticeable difference for the better in the
updated iron-overlay-behavior, in that the top menu scrolls with the
page when opened in the updated version, but not in the previous
version.
Change-Id: Ib7697f8a86132d667f180129d319b4f7d437ff3a
This will be used in a new dropdown element that will replace some
existing dropdown elements, including and beginning with the patch range
selector.
Change-Id: Ia5b3275b34578e27f122edb10566a41fbb2c3f4a
Previously, bower2bazel tried to fetch whatever was registered in
bower with the package name. If the package author was specified it was
ignored. There was an issue with installing a new package (paper-button)
in which bower tried to fetch the wrong dependency. (paper-ripple).
This change updates the package to use the original source, so that the
bower-archives file looks like:
bower_archive(
    name = "paper-ripple",
    package = "polymerelements/paper-ripple",
    version = "1.0.10",
    sha1 = "21199db50d02b842da54bd6f4f1d1b10b474e893",
)
Change-Id: I4d1f797a86bd80e8b9cf119e21ee7c2f5387b77e
This version contains (at least part of) a fix for bug 6500, in which
the commit message editor resized when it shouldn't. This is already
the version that the (next version of) gerrit-review will build with,
but I want to make sure upstream is in sync.
Bug: Issue 6500
Change-Id: I40e83da3cfca557309afb7faa8fec8632f18b6e7
This reverts commit 37636a62564b09df8d8e4e48828b72afdf817bb0.
Reason for revert: The googlesource.com environment is not ready for
this yet.
I didn't realize that we couldn't yet use the hybrid version of the
elements in google3. They exist in the polymer2 directory, but
apparently that depends on using polymer2. This change will need to be
reverted until iron-input v1 is updated to get the polymer2 "hybrid"
version.
Change-Id: Ibeeae2458337b0a225993e12b043b1e65c3c4c04
This version is compatible with Polymer 1 and Polymer 2, but required
for Polymer 2.
Elements that were formerly
    <input is="iron-input">
are now
    <iron-input>
      <input>
    </iron-input>
There are a few scenarios in which inputs were not using two way data
binding, which is the reason for using iron-input, and those have been
modified back to a native input.
With the updated iron-input to access the native input, there is an
'inputElement' getter function, which is used heavily in this update.
Also of note, in many tests, it is required to wrap Polymer.Base.async,
which is necessary because the mutation observer is async:
https://github.com/PolymerElements/iron-input/blob/master/test/iron-input.html
Also modifies polylint_test to explicitly ignore bower_components.
Change-Id: I75f7fa1bb0c00837f631f6e1043e15a3270b9bce
This is attempt 3 at rolling-forward c/106190
New Dependency
==============
This adds polymer-resin as a bower archive.
See `bower info polymer-resin#1.2.6-beta` for details.
Polymer-resin is part of the larger polymer project so is
license compatible.
Integration
===========
The main application element, app/elements/gr-app.html, now HTML
imports polymer-resin per
github.com/Polymer/polymer-resin/blob/master/getting-started.md#loading
It uses the following configuration:
1. All dynamic IDs are allowed.
2. Policy violation reports are sent to the dev console.
test/common-test-setup.html does the same so that tests are run in the
same environment.
Testing
=======
1. Running local tests
gerrit $ ./polygerrit-ui/app/run_tests.sh
With 1.2.6-beta tests run green on (Chrome, Firefox, Safari).
2. Testing for false positives
I ran two servers.
a. polygerrit-ui/run_server.sh
b. gerrit.war per https://git.eclipse.org/r/Documentation/dev-readme.html
I noticed that in both cases the dev console showed 'initResin' early, and
paging around showed no violation reports.
3. Testing for true negatives
I patched in the diff at the end of this description, and reran
both server environments.
I noted that browsing to localhost:8081/#javascript:alert(1)
and localhost:8080/#javascript:alert(1) both showed a
violation report about javascript:alert(1) being rejected.
Clicking Changes / XSS did not result in a popup.
Differences
===========
This loads the non-debug version but configured with a console reporter
so should minimize code size and speed overhead.
This loads via gr-app so the input is automatically vulcanized.
--- a/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
+++ b/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
@@ -56,6 +56,11 @@
url: '/q/status:abandoned',
name: 'Abandoned',
},
+ { // HACK DO NOT SUBMIT
+ url: (location.hash && location.hash.replace(/^#/, ''))
+ || '/echoes_hash',
+ name: 'XSS',
+ },
],
}];
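Review bot: `url` here flows straight from location.hash, an attacker-controlled source, into the header menu link with no validation, which is the strawman the description asks for; the "HACK DO NOT SUBMIT" marker is the only thing keeping it from landing, so a presubmit grep for that string is a cheaper guard than review. The Testing section exercises only `javascript:alert(1)`; trying other schemes (`data:`, `vbscript:`) and a plain `https:` URL in the fragment would show which values the reporter rejects and which it lets through, and an `https:` value that passes would still leave the menu entry pointing wherever the fragment says.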
--- a/polygerrit-ui/app/elements/shared/gr-dropdown/gr-dropdown.js
+++ b/polygerrit-ui/app/elements/shared/gr-dropdown/gr-dropdown.js
@@ -93,6 +93,7 @@
},
_computeRelativeURL(path) {
+if (path && /^\w+\:/.test(path)) { return path; } // HACK DO NOT SUBMIT
const host = window.location.host;
return this._computeURLHelper(host, path);
},
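Review bot: the added check at the top of `_computeRelativeURL` returns any path matching `/^\w+\:/` untouched, so a scheme-carrying value coming from location.hash skips the host-relative rewrite and reaches the href sink as an absolute URL; that is the hole the true-negative test needs, but the regex treats `mailto:x` and `javascript:alert(1)` alike, so the test proves only that the downstream scheme filter fires, not that the app's own URL handling is sound. Style: the line sits at column 0 while the rest of the method body is indented, and the `\:` escape is unnecessary.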
Change-Id: I38bfa124abd4fb35972833f29fc1664ec2404e34
This is a partial roll-forward of c/106190.
It adds a dependency on the latest version of polymer-resin.
Later CLs will actually use this dependency.
Change-Id: I3cf5f9c823d74da58a8b1326153a672959fa3f13
polymer-resin intercepts polymer property assignments
before they reach XSS-vulnerable sinks like `href="..."`
and text nodes in `<script>` elements.
This follows the instructions in WORKSPACE for adding a new bower
dependency with kaspern's tweak to use the dependency in a rule so
that it's found. //lib/js/bower_components.bzl has already been
rolled-back per those instructions.
The license is the polymer license as can be seen at
https://github.com/Polymer/polymer-resin/blob/master/LICENSE though
I'm not sure that //tools/js/bower2bazel.py recognizes it as such.
Docs for the added component are available at
https://github.com/Polymer/polymer-resin/blob/master/README.md
https://github.com/Polymer/polymer-resin/blob/master/getting-started.md
With this change, when I introduce an XSS vulnerability as below,
polymer-resin intercepts and stops it.
Patch that introduces a strawman vulnerability.
--- a/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
+++ b/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
@@ -55,6 +55,10 @@
url: '/q/status:abandoned',
name: 'Abandoned',
},
+ {
+ url: location.hash.replace(/^#/, '') || 'http://example.com/#fragment_echoed_here',
+ name: 'XSS Me',
+ },
],
}];
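Review bot: the added lines carry no "DO NOT SUBMIT" marker, and the fallback points at an external host (`http://example.com/#fragment_echoed_here`), so if this strawman were submitted by mistake the header would ship a link whose target the visitor's URL fragment chooses. The description reports only that `javascript:` is intercepted; nothing shown says that a value like `#https://attacker.example/` is rejected, so add the marker and a comment that the entry is test-only before rolling forward.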
---
Address kaspern's and paladox's comments.
---
Undo version bumps for bower dependencies.
---
Change Soy index template to parallel app/index.html.
---
update polymer-resin to version 1.1.1-beta
----
Load polymer-resin into polygerrit-ui/**/*_test.html
After this, I ran the tests with
-l chrome
-l firefox
I ran a handful of tests with -p and observed that the
console shows "initResin" is called before test cases start
executing.
These changes were done programmatically by running the script below
(approximately) thus:
```
gerrit/ $ cd polygerrit-ui/app
app/ $ find . -name \*test.html | xargs perl hack-tests.pl
```
```
use strict;
sub removeResin($) {
my $s = $_[0];
$s =~ s@<link rel="import" href="[^"]*/polymer-resin/[^"]*"[^>]*>\n?@@;
$s =~ s@<script src="[^"]*/polymer-resin/[^"]*"></script>\n?@@;
$s =~ s@<script>\s*security\.polymer_resin.*?</script>\n?@@s;
return $s;
}
for my $f (@ARGV) {
next if $f =~ m@/bower_components/|/node_modules/@;
system('git', 'checkout', $f);
print "$f\n";
my @lines = ();
open(IN, "<$f") or die "$f: $!";
my $maxLineOfMatch = 0;
while (<IN>) {
push(@lines, $_);
# Put a marker after core loading directives.
$maxLineOfMatch = scalar(@lines)
if m@/webcomponentsjs/|/polymer[.]html\b|/browser[.]js@;
}
close(IN) or die "$f: $!";
die "$f missing loading directives" unless $maxLineOfMatch;
# Given ./a/b/c/my_test.html, $pathToRoot is "../../.."
# assuming no non-leading . or .. components in the path from find.
my $pathToRoot = $f;
$pathToRoot =~ s@^\.\/@@;
$pathToRoot =~ s@^(.*?/)?app/@@;
$pathToRoot =~ s@\/[^\/]*$@@;
$pathToRoot =~ s@[^/]+@..@g;
my $nLines = scalar(@lines);
open(OUT, ">$f") or die "$f: $!";
# Output the lines up to the last polymer-resin dependency
# loaded explicitly by this test.
my $before = join '', @lines[0..($maxLineOfMatch - 1)];
$before = removeResin($before);
print OUT "$before";
# Dump out the lines that load polymer-resin and configure it for
# polygerrit.
if (1) {
print OUT qq'<link rel="import" href="$pathToRoot/bower_components/polymer-resin/standalone/polymer-resin-debug.html"/>
<script>
security.polymer_resin.install({allowedIdentifierPrefixes: [\'\']});
</script>
';
}
# Emit any remaining lines.
my $after = join '', @lines[$maxLineOfMatch..$#lines];
$after = removeResin($after);
$after =~ s/^\n*//;
print OUT "$after";
close(OUT) or die "$f: $!";
}
```
---
update polymer-resin to version 1.2.1-beta
---
update Soy index template to new style polymer-resin initialization
----
fix lint warnings
----
Load test/common-test-setup.html into *_test.html
Instead of inserting instructions to load and initialize polymer-resin into
every test file, add a common-test-setup.html that does that and also fold
iron-test-helpers loading into it.
----
imported files do not need to load webcomponentsjs
Change-Id: I71221c36ed8a0fe7f8720c1064a2fcc9555bb8df
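The commit messages above describe what polymer-resin does (intercept a value before it reaches a sink such as `href`) and a strawman that feeds `location.hash` into a menu link. The block below is an added example, not Gerrit or polymer-resin code: it models that gate as a scheme allowlist in front of the href sink, with the vulnerable and hardened forms of the strawman's `url` computation side by side. The allowlist, the `about:invalid#rejected` replacement value, the `violations` array and the function names are assumptions for the example; polymer-resin's real policy table and reporter are not reproduced here.

```javascript
// Added example, not Gerrit or polymer-resin code. Models the check a
// sanitizer makes before a value is assigned to an href attribute.
'use strict';

// Schemes a header link may legitimately use. Anything else
// (javascript:, data:, vbscript:, ...) is rejected. This allowlist is an
// assumption for the example, not polymer-resin's actual table.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Replacement for a rejected value: inert, but visibly wrong in the DOM.
// The exact string is an assumption of this example.
const INNOCUOUS_URL = 'about:invalid#rejected';

// Violation reports are collected here instead of printed to the dev
// console, so that a test can assert on them.
const violations = [];

// Normalise the way browsers do before scheme parsing: strip tab, CR and
// LF anywhere, then leading C0 controls and spaces, so that
// "\tjava\nscript:alert(1)" is seen as "javascript:alert(1)".
function normalizeUrl(value) {
  return String(value)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+/, '');
}

// Lower-cased scheme if the value is an absolute URL per RFC 3986
// (scheme = ALPHA *(ALPHA / DIGIT / "+" / "-" / ".")), else null.
// "/q/status:open" has no scheme: its colon comes after a "/".
function schemeOf(value) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(value);
  return m ? m[1].toLowerCase() : null;
}

// The gate in front of the href sink: relative URLs and allowed schemes
// pass unchanged; anything else is replaced and a report is recorded.
function sanitizeHref(value) {
  const url = normalizeUrl(value);
  const scheme = schemeOf(url);
  if (scheme === null || ALLOWED_SCHEMES.has(scheme)) {
    return url;
  }
  violations.push({sink: 'href', rejected: value, scheme});
  return INNOCUOUS_URL;
}

// The strawman from the patch: the menu URL is taken from location.hash
// and handed straight to the link.
function computeMenuUrlVulnerable(hash) {
  return (hash && hash.replace(/^#/, '')) || '/echoes_hash';
}

// Same source, but the value passes the gate on its way to href.
function computeMenuUrlHardened(hash) {
  return sanitizeHref(computeMenuUrlVulnerable(hash));
}

// Stand-alone run: reproduce the #javascript:alert(1) case from the
// description and show the report the gate produces.
console.log(computeMenuUrlVulnerable('#javascript:alert(1)'));
console.log(computeMenuUrlHardened('#javascript:alert(1)'));
console.log(JSON.stringify(violations));
```

The normalisation step is the part a naive `/^javascript:/` check misses: browsers discard tabs and newlines inside a URL and leading control characters before resolving the scheme, so a filter that does not do the same can be bypassed with `java\nscript:`.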
The 'seed' packages are the ones whose versions are set by us in
WORKSPACE. We should not set the versions for the rest of the packages
in the bower input JSON, so bower can suggest the right versions to
use.
Change-Id: I9b75f16655d049e2064726862980a339c91dd534
Instead, use a hard-coded map of licenses.
Hardcode a false dependency on diff-match-patch to avoid a diff for
the Apache2.0 license.
Tested:
bazel build Documentation:js_licenses.txt
buck build Documentation:js_licenses.txt
diff -u buck-out/gen/Documentation/js_licenses.txt/js_licenses.txt \
bazel-genfiles/Documentation/js_licenses.txt
diff shows only diffs for added [[header]] anchors.
Change-Id: I7886e1fadec900cf854a1b3b7c538b83d66af7a4
Reformat the Bazel build files with the buildifier tool [1].
The style is different for Bazel files. Most notably, indentation level
is 4 spaces instead of 2, and " is used instead of '.
[1] https://github.com/bazelbuild/buildifier
Change-Id: I95c0c6f11b6d76572797853b4ebb5cee5ebd3c98