This is a partial roll-forward of c/106190.
It adds a dependency on the latest version of polymer-resin.
Later CLs will actually use this dependency.
Change-Id: I3cf5f9c823d74da58a8b1326153a672959fa3f13
polymer-resin intercepts polymer property assignments
before they reach XSS-vulnerable sinks like `href="..."`
and text nodes in `<script>` elements.
This follows the instructions in WORKSPACE for adding a new bower
dependency with kaspern's tweak to use the dependency in a rule so
that it's found. //lib/js/bower_components.bzl has already been
rolled-back per those instructions.
The license is the polymer license as can be seen at
https://github.com/Polymer/polymer-resin/blob/master/LICENSE though
I'm not sure that //tools/js/bower2bazel.py recognizes it as such.
Docs for the added component are available at
https://github.com/Polymer/polymer-resin/blob/master/README.md
https://github.com/Polymer/polymer-resin/blob/master/getting-started.md
With this change, when I introduce an XSS vulnerability as below,
polymer-resin intercepts and stops it.
Patch that introduces a strawman vulnerability.
--- a/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
+++ b/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
@@ -55,6 +55,10 @@
url: '/q/status:abandoned',
name: 'Abandoned',
},
+ {
+ url: location.hash.replace(/^#/, '') || 'http://example.com/#fragment_echoed_here',
+ name: 'XSS Me',
+ },
],
}];
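Review bot: the added `url` is taken straight from `location.hash` with no check on its scheme or origin before it is bound to a menu item's `href`, which is the deliberate strawman the message describes for confirming that polymer-resin blocks the binding; it must not be merged as-is. If it is kept for manual testing, a unit test asserting that polymer-resin rejects the unsafe value (rather than relying on the `'http://example.com/#fragment_echoed_here'` fallback ever being used) would turn the protection into something regression-checked.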
---
Address kaspern's and paladox's comments.
---
Undo version bumps for bower dependencies.
---
Change Soy index template to parallel app/index.html.
---
update polymer-resin to version 1.1.1-beta
---
Load polymer-resin into polygerrit-ui/**/*_test.html
After this, I ran the tests with
-l chrome
-l firefox
I ran a handful of tests with -p and observed that the
console shows "initResin" is called before test cases start
executing.
These changes were done programmatically by running the script below
(approximately) thus:
```console
gerrit/ $ cd polygerrit-ui/app
app/ $ find . -name \*test.html | xargs perl hack-tests.pl
```
```perl
#!/usr/bin/perl
# hack-tests.pl: for each *_test.html given on the command line, insert the
# polymer-resin import and install() call right after the last core loading
# directive (webcomponentsjs, polymer.html or browser.js), dropping any
# polymer-resin directives the file already had.
use strict;
use warnings;

# Remove existing polymer-resin <link>/<script> directives from a chunk of HTML.
sub removeResin($) {
  my $s = $_[0];
  $s =~ s@<link rel="import" href="[^"]*/polymer-resin/[^"]*"[^>]*>\n?@@;
  $s =~ s@<script src="[^"]*/polymer-resin/[^"]*"></script>\n?@@;
  $s =~ s@<script>\s*security\.polymer_resin.*?</script>\n?@@s;
  return $s;
}

for my $f (@ARGV) {
  next if $f =~ m@/bower_components/|/node_modules/@;
  # Start from the committed version so re-running the script is idempotent.
  system('git', 'checkout', $f);
  print "$f\n";

  my @lines = ();
  open(my $in, '<', $f) or die "$f: $!";
  my $maxLineOfMatch = 0;
  while (<$in>) {
    push(@lines, $_);
    # Remember the line number of the last core loading directive.
    $maxLineOfMatch = scalar(@lines)
      if m@/webcomponentsjs/|/polymer[.]html\b|/browser[.]js@;
  }
  close($in) or die "$f: $!";
  die "$f missing loading directives" unless $maxLineOfMatch;

  # Given ./a/b/c/my_test.html, $pathToRoot is "../../.."
  # assuming no non-leading . or .. components in the path from find.
  my $pathToRoot = $f;
  $pathToRoot =~ s@^\.\/@@;          # drop a leading "./"
  $pathToRoot =~ s@^(.*?/)?app/@@;   # drop everything up to and including "app/"
  $pathToRoot =~ s@\/[^\/]*$@@;      # drop the file name
  $pathToRoot =~ s@[^/]+@..@g;       # replace each remaining directory with ".."

  open(my $out, '>', $f) or die "$f: $!";
  # Output the lines up to the last core loading directive, minus any
  # polymer-resin dependency loaded explicitly by this test.
  my $before = join '', @lines[0..($maxLineOfMatch - 1)];
  $before = removeResin($before);
  print $out $before;
  # Dump out the lines that load polymer-resin and configure it for polygerrit.
  print $out qq'<link rel="import" href="$pathToRoot/bower_components/polymer-resin/standalone/polymer-resin-debug.html"/>
<script>
security.polymer_resin.install({allowedIdentifierPrefixes: [\'\']});
</script>
';
  # Emit any remaining lines, again minus stale polymer-resin directives.
  my $after = join '', @lines[$maxLineOfMatch..$#lines];
  $after = removeResin($after);
  $after =~ s/^\n*//;
  print $out $after;
  close($out) or die "$f: $!";
}
```
---
update polymer-resin to version 1.2.1-beta
---
update Soy index template to new style polymer-resin initialization
---
fix lint warnings
---
Load test/common-test-setup.html into *_test.html
Instead of inserting instructions to load and initialize polymer-resin into
every test file, add a common-test-setup.html that does that and also fold
iron-test-helpers loading into it.
---
imported files do not need to load webcomponentsjs
Change-Id: I71221c36ed8a0fe7f8720c1064a2fcc9555bb8df
The 'seed' packages are the ones whose versions are set by us in
WORKSPACE. We should not set the versions for the rest of the packages
in the bower input JSON, so bower can suggest the right versions to
use.
Change-Id: I9b75f16655d049e2064726862980a339c91dd534
Instead, use a hard-coded map of licenses.
Hardcode a false dependency on diff-match-patch to avoid a diff for
the Apache2.0 license.
Tested:
bazel build Documentation:js_licenses.txt
buck build Documentation:js_licenses.txt
diff -u buck-out/gen/Documentation/js_licenses.txt/js_licenses.txt \
bazel-genfiles/Documentation/js_licenses.txt
diff shows only diffs for added [[header]] anchors.
Change-Id: I7886e1fadec900cf854a1b3b7c538b83d66af7a4
Reformat the Bazel build files with the buildifier tool [1].
The style is different for Bazel files. Most notably, indentation level
is 4 spaces instead of 2, and " is used instead of '.
[1] https://github.com/bazelbuild/buildifier
Change-Id: I95c0c6f11b6d76572797853b4ebb5cee5ebd3c98
Introduces the gr-syntax-layer element. This element works as an
annotation layer that is configured with the diff and asynchronously
computes/applies syntax for the diff.
Introduces a custom build of Highlight.js which gr-syntax-layer makes
use of. Building the script is documented in
scripts/vendor/highlight/building.md.
The layer is connected to the annotation pipeline in gr-diff-builder as
the lowest layer and syntax processing is triggered only after a diff
has been completely rendered.
A number of styles are added to the gr-diff element for syntax markers.
Tests added for gr-syntax-layer.
Bug: Issue 3916
Change-Id: Ic33e40f4fe39dfce1a62de133cfaf32be5e3f25a
- include 'web-component-tester' bower dependency as test-dependency
- remove special handling for serving folder 'bower_components'
- add support for passing parameters from 'run-server.sh' to 'server.go'
Change-Id: Ia74b3013e07b6304a4df568b081254909749efc5
Additionally fix a bug in bower2buck.py where it would
bail when a license is not specified in a Bower package
info response.
Change-Id: Ibf754aab98bab6e34b7a9fb5d6c9801bb612f5d5
+ Also update iron-test-helpers to 1.1.5 to be able to use
modifiers in fake key events.
Bug: Issue 3925
Change-Id: I41ce2efe0b5df63a2a637e0942a97e9dafc432f9
This implements basic functionality for draft CRUD operations.
There are a few things that are TBD:
+ Layout edge cases within the diff view.
+ Reply/Done actions in threads.
+ Not allowing the user to add drafts if logged out.
+ I’m sure a few more things...
Feature: Issue 3649
Change-Id: Ia7419eecee5d5b20e73e17241990d7a7ffede0e8
web-animations is weird because it can be referred to either as
'web-animations' or 'web-animations/web-animations-js'. Manually
entering it as the former confuses bower2buck when it's referred to
elsewhere as the latter.
Run bower2buck to normalize the current contents.
Band-aid the situation for now, and jot down some of my ideas for
fixing when I find the time.
Change-Id: I64ae3c376df7b83008462c663de4a3998749c365
So that the user can see which account they're using, switch
accounts, and logout.
Feature: Issue 3693
Change-Id: I08ff42653f78c4a2c496d1a329d3eb26318ca32d
This implements the minimum required keyboard shortcuts for
the MVP. All other changes are made to support these
shortcuts working properly.
The reasoning behind moving to iron-a11y-keys-behavior is
that the iron-a11y-keys element didn't support [ and ] as
keyboard shortcuts (oddly).
Feature: Issue 3647
Change-Id: I6473a962811c19f78ba4f6829e644d7b3cbeffc7
Instead of requiring a target, default to //polygerrit-ui/...; this
package and subpackages have several bower_components rules, and
using all of them is most likely to produce all the existing rules in
lib/js/BUCK.
Rewrite instructions in lib/js/BUCK so they are more copy-and-pasteable.
Add instructions to the generated new BUCK file on how to merge with an
existing BUCK file.
Normalize the existing package names so there's less delta on each
diff.
Change-Id: I5f46d4d06d6aaacf40c9a7771eec6e85710093e1
Since Buck has no native support for web tests, wrap the tests in a
Python shim that calls wct. As in other Polymer cases, we need to
prepare a set of inputs and create a directory containing exactly what
wct expects to be there. Buck exposes resources to python_tests using
the pkg_resources API, which is cumbersome to use, and easier just to
ship around zip files as we do elsewhere.
Unlike other npm binaries we've encountered, the web-component-tester
module has numerous native dependencies, up to and including Selenium.
Rather than get in the game of distributing platform-specific
binaries, punt and require `wct` to be on the user's $PATH for now.
Tests are currently excluded in .buckconfig but can be run directly
with either:
buck test //polygerrit-ui/app:polygerrit_tests
buck test --include web
Change-Id: Ia314213925ac27ff271374a96ed539fb2acf0187
This script merges dependencies of a bower_components rule into a
synthetic bower.json, then runs bower install to evaluate the version
rules and install packages locally. It walks through the downloaded
.bower.json files to produce new bower_component rules to put back in
lib/js/BUCK.
Change-Id: Iaea0b0a54ca4305ce40accf5924cd12fbf07b0d8
We were passing the wrong directory name, resulting in hashing a
nonexistent directory and all components having the same SHA-1.
Unfortunately os.walk succeeds silently in this case.
Move hash_dir and hash_file to util so they can be used by other
scripts. (Migration of existing hashfile implementations will come
later.)
Restructure the main function to look a little more like the logic in
download_file.py, where we download to the cached location first and
then copy it after.
Fix all the broken SHA-1s in lib/js/BUCK.
Change-Id: I58bc62f84b62169bf18695a6a6704c989036c4f6
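An added example (not Gerrit's own `hash_dir`/`hash_file` in util) of the failure mode the message above describes: `os.walk` on a directory that does not exist yields nothing and raises nothing, so a wrong directory name gives every component the same SHA-1, the digest of empty input. The component names and file contents below are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Digest of empty input: what every missing directory collapses to without the guard.
EMPTY_SHA1 = hashlib.sha1().hexdigest()


def hash_file(h, path):
    """Feed one file's bytes into the running hash object h."""
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)


def hash_dir(root, strict=True):
    """SHA-1 over every file under root, in a stable order, keyed by relative path.

    os.walk() on a nonexistent path yields nothing and raises nothing, so
    without the explicit isdir check a mistyped directory name produces the
    same digest for every component. strict=False reproduces that behaviour.
    """
    if strict and not os.path.isdir(root):
        raise FileNotFoundError('not a directory: %s' % root)
    h = hashlib.sha1()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # sorting in place fixes the traversal order of os.walk
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            h.update(os.path.relpath(full, root).encode('utf-8') + b'\0')
            hash_file(h, full)
    return h.hexdigest()


def demo():
    """Constructed scenario: two component dirs hashed by their right and a wrong name."""
    with tempfile.TemporaryDirectory() as tmp:
        for comp, content in (('iron-ajax', b'{"name": "iron-ajax"}'),
                              ('polymer', b'{"name": "polymer"}')):
            os.mkdir(os.path.join(tmp, comp))
            with open(os.path.join(tmp, comp, '.bower.json'), 'wb') as f:
                f.write(content)
        right = {c: hash_dir(os.path.join(tmp, c)) for c in ('iron-ajax', 'polymer')}
        # The bug described above: wrong directory name, no error, identical SHA-1s.
        wrong = {c: hash_dir(os.path.join(tmp, c) + '-typo', strict=False)
                 for c in ('iron-ajax', 'polymer')}
        return right, wrong
```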
Combine bower components by unzipping their bower_components
directories including transitive dependencies over each other.
Change-Id: Ib1792ba0b17999b7df60babf6ce6a59c292c3eca
Iron-ajax 1.0.9 added `json-prefix` attribute handling that we need for
vulcanized PolyGerrit to work.
Change-Id: I7ffb545f1d54faab1fdd54088311d48c45f2f129
Add support for downloading npm binaries including dependencies and
running them in buck genrules. In npm land, transitive dependencies
are generally included in the package distribution, and there are a
*lot* of them. Since we aren't redistributing these binaries and
they're only part of the build process, we don't have to worry too
much about licensing, only that they don't have anything totally
crazy.
We assume packages have a certain format and we can detect the binary
to run from the genrule output filename. Actually running the binary
is tricky as well, since we have to extract it first. But it might be
large, so we don't want to extract it on every invocation; and naive
extraction to a common location (in buck-out) is racy. So we need a
custom extractor scheme using atomic rename to make this work.
Download bower as an npm package and use it to download bower
packages. Bower packages can come from a variety of sources, usually
git repositories, so we can't simply use download_file. There is
additional logic in bower to read bower.json and strip out unneeded
files, so I didn't want to get into reimplementing that. The tricky
thing about bower is convincing it to avoid transitive dependencies so
we can let Buck handle parallelism and caching. To do this, we need to
read the package information from the upstream bower repository, and
explicitly ignore all listed dependencies when downloading.
We combine the flattened list of bower packages in a single
bower_components rule. It would be nice to have deps of each
bower_component so we didn't need to flatten these, but Buck genrules
don't have deps so this is a nonstarter. Considering we only expect to
have a single bower_components for the whole project, hopefully this
is not too onerous.
This change just gets us the bower_components directory. We still have
some work to do to use this from Gerrit. Plus even more work to
replace the gulpfile and actually package this stuff together into a
compiled JS app for the war distribution.
Change-Id: Id277d2d812ffcc3bce87ff00b5894bacdffc038e
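The extract-once-then-atomic-rename scheme described above, as an added example that is not Gerrit's npm extractor code: the zip layout standing in for a downloaded npm package and the `buck-out/npm` cache path are constructed for the demo.

```python
import os
import shutil
import tempfile
import threading
import zipfile


def ensure_extracted(archive, dest):
    """Extract a zip archive into dest exactly once; return True if this call did it.

    Extracting straight into dest is racy: a concurrent build step can see a
    half-populated directory and treat it as complete. So extract into a fresh
    sibling directory (same filesystem) and publish it with one rename, which
    either installs the whole tree or fails because another caller already won.
    """
    if os.path.isdir(dest):
        return False
    parent = os.path.dirname(os.path.abspath(dest))
    os.makedirs(parent, exist_ok=True)
    tmp = tempfile.mkdtemp(prefix='.extract-', dir=parent)
    try:
        with zipfile.ZipFile(archive) as zf:
            zf.extractall(tmp)  # extractall already strips absolute and '..' members
        os.rename(tmp, dest)    # atomic publish; fails if dest is now a populated dir
        return True
    except OSError:
        shutil.rmtree(tmp, ignore_errors=True)
        if os.path.isdir(dest):  # lost the race; the winner's tree is complete
            return False
        raise


def make_sample_zip(path):
    """Constructed stand-in for a downloaded npm package: a binary plus a vendored dependency."""
    with zipfile.ZipFile(path, 'w') as zf:
        zf.writestr('package/bin/tool.js', '#!/usr/bin/env node\n')
        zf.writestr('package/node_modules/dep/index.js', 'module.exports = 1;\n')


def demo(n_workers=8):
    """Run n_workers concurrent extractions into one cache dir; report who did the work."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = os.path.join(tmp, 'tool.zip')
        make_sample_zip(archive)
        dest = os.path.join(tmp, 'buck-out', 'npm', 'tool')
        results = []
        threads = [threading.Thread(target=lambda: results.append(ensure_extracted(archive, dest)))
                   for _ in range(n_workers)]
        for t in threads: t.start()
        for t in threads: t.join()
        leftovers = [d for d in os.listdir(os.path.dirname(dest)) if d.startswith('.extract-')]
        return sum(results), os.path.isfile(os.path.join(dest, 'package', 'bin', 'tool.js')), leftovers
```

Exactly one worker reports having extracted, the others see the published tree and back off, and no `.extract-*` temporary directories are left behind.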