This is a partial roll-forward of c/106190.
It adds a dependency on the latest version of polymer-resin.
Later CLs will actually use this dependency.
Change-Id: I3cf5f9c823d74da58a8b1326153a672959fa3f13
polymer-resin intercepts polymer property assignments
before they reach XSS-vulnerable sinks like `href="..."`
and text nodes in `<script>` elements.
This follows the instructions in WORKSPACE for adding a new bower
dependency with kaspern's tweak to use the dependency in a rule so
that it's found. //lib/js/bower_components.bzl has already been
rolled-back per those instructions.
The license is the polymer license as can be seen at
https://github.com/Polymer/polymer-resin/blob/master/LICENSE though
I'm not sure that //tools/js/bower2bazel.py recognizes it as such.
Docs for the added component are available at
https://github.com/Polymer/polymer-resin/blob/master/README.md
https://github.com/Polymer/polymer-resin/blob/master/getting-started.md
With this change, when I introduce an XSS vulnerability as below,
polymer-resin intercepts and stops it.
Patch that introduces a strawman vulnerability.
--- a/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
+++ b/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
@@ -55,6 +55,10 @@
url: '/q/status:abandoned',
name: 'Abandoned',
},
+ {
+ url: location.hash.replace(/^#/, '') || 'http://example.com/#fragment_echoed_here',
+ name: 'XSS Me',
+ },
],
}];
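Review bot: the added menu entry binds `location.hash`, which is attacker-controlled, straight into a `url` value that ends up in an `href`, and `.replace(/^#/, '')` only strips the leading `#`, so a fragment such as `#javascript:...` reaches the sink with its scheme intact. The message calls this a strawman to show polymer-resin intercepting it, so it must stay out of the committed change; if it is kept for local testing, the `name: 'XSS Me'` label should make that obvious in any screenshot or review.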
---
Address kaspern's and paladox's comments.
---
Undo version bumps for bower dependencies.
---
Change Soy index template to parallel app/index.html.
---
update polymer-resin to version 1.1.1-beta
---
Load polymer-resin into polygerrit-ui/**/*_test.html
After this, I ran the tests with
-l chrome
-l firefox
I ran a handful of tests with -p and observed that the
console shows "initResin" is called before test cases start
executing.
These changes were done programmatically by running the script below
(approximately) thus:
```
gerrit/ $ cd polygerrit-ui/app
app/ $ find . -name \*test.html | xargs perl hack-tests.pl
```
```
#!/usr/bin/perl
# hack-tests.pl: insert the polymer-resin loading directives into each
# *_test.html right after its last core loading directive, replacing
# any resin directives the file already carried.
use strict;
use warnings;

sub removeResin($) {
  my $s = $_[0];
  $s =~ s@<link rel="import" href="[^"]*/polymer-resin/[^"]*"[^>]*>\n?@@;
  $s =~ s@<script src="[^"]*/polymer-resin/[^"]*"></script>\n?@@;
  $s =~ s@<script>\s*security\.polymer_resin.*?</script>\n?@@s;
  return $s;
}

for my $f (@ARGV) {
  next if $f =~ m@/bower_components/|/node_modules/@;
  system('git', 'checkout', $f);
  print "$f\n";
  my @lines = ();
  open(IN, "<$f") or die "$f: $!";
  my $maxLineOfMatch = 0;
  while (<IN>) {
    push(@lines, $_);
    # Put a marker after core loading directives.
    $maxLineOfMatch = scalar(@lines)
      if m@/webcomponentsjs/|/polymer[.]html\b|/browser[.]js@;
  }
  close(IN) or die "$f: $!";
  die "$f missing loading directives" unless $maxLineOfMatch;
  # Given ./a/b/c/my_test.html, $pathToRoot is "../../.."
  # assuming no non-leading . or .. components in the path from find.
  my $pathToRoot = $f;
  $pathToRoot =~ s@^\.\/@@;
  $pathToRoot =~ s@^(.*?/)?app/@@;
  $pathToRoot =~ s@\/[^\/]*$@@;
  $pathToRoot =~ s@[^/]+@..@g;
  my $nLines = scalar(@lines);
  open(OUT, ">$f") or die "$f: $!";
  # Output the lines up to the last polymer-resin dependency
  # loaded explicitly by this test.
  my $before = join '', @lines[0..($maxLineOfMatch - 1)];
  $before = removeResin($before);
  print OUT "$before";
  # Dump out the lines that load polymer-resin and configure it for
  # polygerrit.
  if (1) {
    print OUT qq'<link rel="import" href="$pathToRoot/bower_components/polymer-resin/standalone/polymer-resin-debug.html"/>
<script>
security.polymer_resin.install({allowedIdentifierPrefixes: [\'\']});
</script>
';
  }
  # Emit any remaining lines.
  my $after = join '', @lines[$maxLineOfMatch..$#lines];
  $after = removeResin($after);
  $after =~ s/^\n*//;
  print OUT "$after";
  close(OUT) or die "$f: $!";
}
```
---
update polymer-resin to version 1.2.1-beta
---
update Soy index template to new style polymer-resin initialization
---
fix lint warnings
---
Load test/common-test-setup.html into *_test.html
Instead of inserting instructions to load and initialize polymer-resin into
every test file, add a common-test-setup.html that does that and also fold
iron-test-helpers loading into it.
---
imported files do not need to load webcomponentsjs
Change-Id: I71221c36ed8a0fe7f8720c1064a2fcc9555bb8df
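The interception this change describes, as an added illustration (not polymer-resin's own code and not part of the Gerrit tree): values assigned to URL-bearing properties are checked before they reach the sink, and a value that would carry a `javascript:` or `data:` scheme is replaced with a harmless placeholder. The URL test mirrors the shape of Closure's SafeUrl pattern, and `about:invalid#zClosurez` is Closure's innocuous URL; the Proxy-wrapped element, the sink names and the sample `location.hash` values are all constructed here for the demonstration. `strawmanUrl` reproduces the expression from the strawman hunk above.

```javascript
// Added example: a property-assignment interceptor for URL sinks.
// Runs under Node.js; no DOM or Polymer is required.

// Closure's innocuous URL, used here in place of a rejected value.
const INNOCUOUS_URL = 'about:invalid#zClosurez';

// Safe: http(s)/mailto/ftp scheme, or no scheme at all (a relative URL,
// i.e. no ':' before the first '/', '?' or '#'). Same shape as Closure's
// SafeUrl pattern; everything else (javascript:, data:, vbscript:, ...)
// is rejected.
const SAFE_URL = /^(?:(?:https?|mailto|ftp):|[^&:/?#]*(?:[/?#]|$))/i;

function sanitizeUrl(value) {
  // Browsers drop ASCII tab/newline anywhere in a URL and leading/trailing
  // C0 controls and spaces, so "java\tscript:" would still run. Normalize
  // the same way before testing the scheme.
  const s = String(value)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
  return SAFE_URL.test(s) ? s : INNOCUOUS_URL;
}

// Property names through which a string becomes a navigation or a load.
// Constructed list for the example; a real interceptor keys on sink type.
const URL_SINKS = new Set(['href', 'src', 'action', 'formaction']);

// Wrap an element-like object so that assignments to URL sinks are
// sanitized before they land. Stand-in for hooking Polymer property
// effects: a Proxy on a plain object is enough to show the behaviour.
function guarded(element, log) {
  return new Proxy(element, {
    set(target, prop, value) {
      if (typeof prop === 'string' && URL_SINKS.has(prop.toLowerCase())) {
        const clean = sanitizeUrl(value);
        if (clean !== value && log) {
          log.push(`${prop}: rejected ${JSON.stringify(value)}`);
        }
        target[prop] = clean;
      } else {
        target[prop] = value;
      }
      return true;
    },
  });
}

// The strawman expression from the hunk: location.hash with only the
// leading '#' removed, falling back to a fixed URL.
function strawmanUrl(hash) {
  return hash.replace(/^#/, '') || 'http://example.com/#fragment_echoed_here';
}

// What the href sink sees for a given hash, with and without the guard.
function demo(hash) {
  const log = [];
  const anchor = guarded({ tagName: 'A', href: '' }, log);
  anchor.href = strawmanUrl(hash);
  return { unguarded: strawmanUrl(hash), guarded: anchor.href, log };
}

// Constructed sample hashes: a benign empty hash and a hostile one.
for (const hash of ['', '#javascript:alert(document.domain)']) {
  console.log(JSON.stringify(hash), '->', JSON.stringify(demo(hash)));
}
```

The point to take from the two runs is that the strawman's `replace(/^#/, '')` never looks at the scheme, so the hostile hash reaches the sink unchanged when nothing sits in front of it, while the guarded assignment lands as the innocuous URL and leaves a log entry to look for in the console, much as the `initResin` message confirms the real interceptor is installed before tests run.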
Bump rules_closure version to this commit [1], which allows us to pass
--force_inject_library=es6_runtime to closure compiler, which fixes the
missing injection of the ES6 dependency at optimization level whitespace.
One side effect of this change: because of the recently made change in
rules_closure rules of how the external dependencies are consumed, we
cannot reuse some common dependencies that were already fetched during
gerrit build and must re-fetch them again, most notably:
* asm
* gson
* guava
* guice
* soy
The bad news here is that re-fetching takes place with rules_closure's
java_import_external rule, which does not use our own download_file.py
utility, and thus the artifacts are not cached in the ~/.gerritcodereview
directory, so that when the build is repeated on the same machine but on a
different clone of the gerrit repository all rules_closure dependencies
are going to be re-fetched again.
Another complication of re-fetching is that different versions of
the artifacts are now fetched: e.g. Gerrit is using guava 21, and the
closure rule is using guava 20. The reason why we don't have a
collision here is that gerrit mounts this dependency under the @guava
directory, whereas rules_closure is using the canonical artifact name, so
that we get:
* external/com_google_guava/guava-20.0.jar # fetched by rules_closure
* external/guava/jar/guava-21.0.jar # fetched by gerrit
Test Plan:
1. conduct ES6 modification, e.g. apply this CL: [2]
2. run bazel build gerrit
3. verify that the transpiled code actually works
[1] f68d4b5a55
[2] https://gerrit-review.googlesource.com/105104
Bug: Issue 6110
Change-Id: I3f3adf8ce5e613d45d1d0684b823e48e68a14080
Lucene version 5.5.4 includes several bug fixes [1].
We need to upgrade Elasticsearch at the same time because it has a hard
runtime dependency on the Lucene version. Version 2.4.5 of Elasticsearch
uses Lucene 5.5.4.
[1] https://lucene.apache.org/core/5_5_4/changes/Changes.html
Change-Id: I03bf09c1170db2a57b2e90722898920c2fbe4aaf
Utilize the Closure compiler in Bazel to transpile. As part of this, a
rather large file of 'externs' must be added in order to call external
code. This file is specific to Polymer and copied from the Closure
Github, and should be synced any time there are major changes to
Polymer.
Test Plan:
- run `bazel build polygerrit` and verify that whitespaces are removed
from resulting gr-app.js file
- run `bazel build Documentation:licenses.txt` and verify that the new
dependency is listed in resulting
bazel-genfiles/Documentation/licenses.txt
TODO in later changes:
- Get closure optimizations working
- Explore sourcemaps possibilities
- Maybe use closure linting?
Change-Id: Ic358743dda7286fea3ac1e95a7991a92c96d6341
* stable-2.14:
PluginLoader: Remove stale plugin files from /tmp on startup
Format Java files with google-java-format
Update blame-cache to 0.2-1
Set version to 2.13.8
Upgrade JGit to 4.5.2.201704071617-r
Change-Id: Ia27737010984ba58ff74c844aa252d9b7adffbad
v1.0.3 is 5+ years old and no longer receiving updates. Switch to a
supported version. We make only minimal use of this library and the
usage we do have is backwards compatible.
Change-Id: Ibbbd49a806b1df312f2166faa38fc519113b6b38
This aligns Gerrit with the version of Jetty used in JGit since [1].
[1] https://git.eclipse.org/r/#/c/94257/
Change-Id: I5c847d30476862d879df4508e8cc51489cd3389c
Version 1.6 upgrades the TLD list to version 2017020400 [1].
The version available at the IANA site [2] at the time of writing
this commit is 2017032102. Prior versions are not provided. Update
the test data to this later version, commenting out the only TLD
that is not supported in 2017020400 ("AFRICA").
[1] fe29c2dd86
[2] http://data.iana.org/TLD/tlds-alpha-by-domain.txt
Change-Id: I2fb3fbc6e4db205d0a1aafdbc6b73a91b2e844ed
In SSHD 1.4 the security providers infrastructure was overhauled in order
to add support for pluggable providers. It's possible that regressions
were introduced or some kind of class loading race conditions.
Since the upgrade Gerrit cannot be started when file systems with zip
PolyGerrit fonts and bower components are used. Given that Gerrit code
doesn't depend on supporting sftp://xxxx URLs, we can exclude the file
system provider. Once this upstream issue [1] is fixed, we can remove
the exclusion again.
[1] https://issues.apache.org/jira/browse/SSHD-736
Bug: Issue 5905
Change-Id: Ib273ae50924c26949b037d9f2419471209c6ad36
BouncyCastle is now bundled in the release war file, and is no longer
included in libraries.config.
Change-Id: Ie2b76630676f11998166148d80ee7548bc61c583
* stable-2.14:
Upgrade metrics-core to 3.2.2
ArchiveFormat: Don't use deprecated ArchiveCommand.Format#putEntry
Upgrade JGit to 4.6.1.201703071140-r.149-g61f830d3a
Simplify local JGit development
Consume JGit from development tree: Add missing dependency
Change-Id: I11641b024e9e141f6ef119d9a4300dbb316f13b4
Put all the logic in jgit.bzl, where a single edit suffices to get
the local flavor.
Given that all sha1 for jgit dependencies are in jgit.bzl, we can
remove the constants and use sha1 values directly.
Change-Id: Icabf651e02f226e5c025457d54588074a11ae283
To run the tests, hamcrest_library is needed for jgit project and
because of this issue: [1], bazel tries to resolve this external
dependency in gerrit project. Add hamcrest library to WORKSPACE file.
Test Plan:
* switch to using JGit from the development tree
* run the tests:
bazel test --define jgit-dev=1 //...
[1] https://github.com/bazelbuild/bazel/issues/2391
Change-Id: I0fd16c26a6048aa1c852cf097cfca4ab230d0496
Now that Bazel build for JGit is fully implemented, we can document
the process of routing the JGit dependency to the development tree
instead of consuming it from Central or ~/.m2 local repository:
1. Activate local jgit repository in WORKSPACE file:
   local_repository(
       name = "jgit",
       path = "/home/<user>/projects/jgit",
   )
2. Uncomment alias to jgit repository in lib/jgit/**/BUILD files.
It shouldn't be needed and is tracked under this issue upstream: [1]:
   alias(
       name = "jgit-alias",
       actual = select({
           "@//lib:jgit-dev": "@jgit//org.eclipse.jgit:jgit",
           "//conditions:default": "@jgit_lib//jar",
       }),
       visibility = ["//visibility:public"],
   )
Test plan:
Update local JGit tree, run tests and verify that local JGit tree
modifications are reflected in gerrit build:
$ bazel build --define jgit-dev=1 headless
To consume JGit from Central, do not pass jgit-dev=1:
$ bazel test ...
[1] https://github.com/bazelbuild/bazel/issues/2707
Change-Id: I1b0fee7df802f6cbd54acbb0bc73157e2b8bc7cf