polymer-resin intercepts polymer property assignments
before they reach XSS-vulnerable sinks like `href="..."`
and text nodes in `<script>` elements.
This follows the instructions in WORKSPACE for adding a new bower
dependency with kaspern's tweak to use the dependency in a rule so
that it's found. //lib/js/bower_components.bzl has already been
rolled-back per those instructions.
The license is the polymer license as can be seen at
https://github.com/Polymer/polymer-resin/blob/master/LICENSE though
I'm not sure that //tools/js/bower2bazel.py recognizes it as such.
Docs for the added component are available at
https://github.com/Polymer/polymer-resin/blob/master/README.mdhttps://github.com/Polymer/polymer-resin/blob/master/getting-started.md
With this change, when I introduce an XSS vulnerability as below,
polymer-resin intercepts and stops it.
Patch that introduces a strawman vulnerability.
--- a/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
+++ b/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
@@ -55,6 +55,10 @@
url: '/q/status:abandoned',
name: 'Abandoned',
},
+ {
+ url: location.hash.replace(/^#/, '') || 'http://example.com/#fragment_echoed_here',
+ name: 'XSS Me',
+ },
],
}];
---
Address kaspern's and paladox's comments.
---
Undo version bumps for bower dependencies.
---
Change Soy index template to parallel app/index.html.
---
update polymer-resin to version 1.1.1-beta
----
Load polymer-resin into polygerrit-ui/**/*_test.html
After this, I ran the tests with
-l chrome
-l firefox
I ran a handful of tests with -p and observed that the
console shows "initResin" is called before test cases start
executing.
These changes were done programmaticly by running the script below
(approximately) thus:
```
gerrit/ $ cd polygerrit-ui/app
app/ $ find . -name \*test.html | xargs perl hack-tests.pl
```
```
use strict;
sub removeResin($) {
my $s = $_[0];
$s =~ s@<link rel="import" href="[^"]*/polymer-resin/[^"]*"[^>]*>\n?@@;
$s =~ s@<script src="[^"]*/polymer-resin/[^"]*"></script>\n?@@;
$s =~ s@<script>\s*security\.polymer_resin.*?</script>\n?@@s;
return $s;
}
for my $f (@ARGV) {
next if $f =~ m@/bower_components/|/node_modules/@;
system('git', 'checkout', $f);
print "$f\n";
my @lines = ();
open(IN, "<$f") or die "$f: $!";
my $maxLineOfMatch = 0;
while (<IN>) {
push(@lines, $_);
# Put a marker after core loading directives.
$maxLineOfMatch = scalar(@lines)
if m@/webcomponentsjs/|/polymer[.]html\b|/browser[.]js@;
}
close(IN) or die "$f: $!";
die "$f missing loading directives" unless $maxLineOfMatch;
# Given ./a/b/c/my_test.html, $pathToRoot is "../../.."
# assuming no non-leading . or .. components in the path from find.
my $pathToRoot = $f;
$pathToRoot =~ s@^\.\/@@;
$pathToRoot =~ s@^(.*?/)?app/@@;
$pathToRoot =~ s@\/[^\/]*$@@;
$pathToRoot =~ s@[^/]+@..@g;
my $nLines = scalar(@lines);
open(OUT, ">$f") or die "$f: $!";
# Output the lines up to the last polymer-resin dependency
# loaded explicitly by this test.
my $before = join '', @lines[0..($maxLineOfMatch - 1)];
$before = removeResin($before);
print OUT "$before";
# Dump out the lines that load polymer-resin and configure it for
# polygerrit.
if (1) {
print OUT qq'<link rel="import" href="$pathToRoot/bower_components/polymer-resin/standalone/polymer-resin-debug.html"/>
<script>
security.polymer_resin.install({allowedIdentifierPrefixes: [\'\']});
</script>
';
}
# Emit any remaining lines.
my $after = join '', @lines[$maxLineOfMatch..$#lines];
$after = removeResin($after);
$after =~ s/^\n*//;
print OUT "$after";
close(OUT) or die "$f: $!";
}
```
---
update polymer-resin to version 1.2.1-beta
---
update Soy index template to new style polymer-resin initialization
----
fix lint warnings
----
Load test/common-test-setup.html into *_test.html
Instead of inserting instructions to load and initialize polymer-resin into
every test file, add a common-test-setup.html that does that and also fold
iron-test-helpers loading into it.
----
imported files do not need to load webcomponentsjs
Change-Id: I71221c36ed8a0fe7f8720c1064a2fcc9555bb8df
Inline scrollbars are invisible until scrolling starts, or, for
ChromeOS, scrollbar area is hovered.
When scrollbar appears, it overlaps last line of diff.
This change adds a padding to prevent scrollbar overlapping last line of
diff.
Bug: Issue 5964
Change-Id: I072f8e8a4d4d2750f122bc6177b8db492b258f5f
Noteworthy decisions:
- Preferences are hidden when diff prefs are not loaded or the user is not
logged in.
- Preferences are hidden on small screens
- The trigger button is in gr-change-view but the gr-diff-preferences
is part of gr-file-list. This is because gr-file-list because diff
preferences and local preferences are more closely tied with that
than the change view. In order to put it in the change view, local
prefs would also have to be two-way bound back.
Also fixes computePrefsButtonHidden in gr-diff-view as well. The
function did not work as intended before. If preferences didn't exist,
the function would not get called, and the container would not be
hidden.
Bug: Issue 5426
Change-Id: I361cdf132c6e15b5ae2f15e62af318cfa05161ce
When loading image diffs as API support for parent-indexed change files
rolls out, request the fast version first and fall back to the existing,
slower version if that fails.
Bug: Issue 5751
Change-Id: I1d3916e2fdfda66a7925825c6b3fbfbf178b4c36
Runtime errors occurred when image diffs showed added or removed images
(as opposed to modified images). With this change, test cases are added
to encode behavior against future regressions, and diff builder logic is
updated to avoid the error.
Bug: Issue 5995
Change-Id: If04220256074dac245b971e6229f0dae4a175689
Adds the header section to the diff. The header is only displayed when
relevant information is contained within, e.g. when a file is renamed
but otherwise left unchanged.
Feature: Issue 5752
Change-Id: I5f8cb56522decd8d3c57bb403cb43f87203d5c6a
Previously there were times when binary data from an image diff would
display. This change adds a check in the diff processor for image diffs
and does not display anything other than the file line in that case.
This change also addresses an issue where the label is calculated too
soon. The image size (if it exists) is supposed to be included as part
of the label, but often this was calculated before the image was done
rendering, so it didn't display.
Bug: Issue 5887
Change-Id: I9cd1ad0c3f2603492d7d84892147bd6852bbae29
Show "Error: not logged in" error toast with a "Log in" link when one of
the following actions taken while not being logged in:
- reply hotkey pressed (A)
- create comment hotkey pressed (C)
Bug: Issue 4818
Change-Id: I4ceaf12888b8cb2aae9da7ab2fdd47eb409dd984
Previously, there was an issue where if you create a draft comment in
side by side view and switch to unified view, the comment thinks it's in
the later patch set rather than the earlier one and a second copy gets
added to local storage with the later patchset as a component of the
key.
This was because the the thread group assumed all threads inside of it
had the same patch number. This change fixes that, so in the event that
a user switches from side by side to unified, the patch number will get
taken from the comment rather than the thread group.
Bug: Issue 5493
Change-Id: I7f00997bcb2e6f1001a5d58ac206acf5af3367d2
Changes with large numbers of files could overwhelm PolyGerrit when a
user selects [Expand all] for inline diffs. This was because the
asynchronous processing/rendering/annotating process would be kicked off
for all unexpanded diffs simultaneously, resulting in browser lock-up
and general slowness even after rendering had completed.
With this change, inline diffs are rendered in serial rather than
parallel. In this way the benefits of the async features of diff
rendering extend to the file list, even for changes with many large
diffs (such as the one in the linked issue).
With this change, the `__expanded` property is removed from file objects
in GR-FILE-LIST. Instead, that element maintains a list
(`_expandedFilePaths`) which records the same information. Because the
expanded files are recorded in a list, however, splices on the list can
be observed, batch diff expansion can be handled sequentially.
Tests are updated to respect the new expanded paths list.
Bug: Issue 5396
Change-Id: Ib83ff5157177e1c890db8a82fbc25df8fecbe065
Goes along with c/95273/. Adds commentSide attribute to comments to see
which side of the diff view they belong on. This is also used as part
of the locationRange for the gr-diff-comment-thread-group, so that two
thread groups can be on the same line or range for the unified group (
one for the right, one for the left).
Note: there is already a 'side' attribute on the gr-diff-comment, which
is confusing. This side actually references 'PARENT' or 'REVISION', to
identify whether the comment belongs to the parent or any revision. On
diffs where two revisions are compared to each other, this cannot be
used to determine left/right. However, because 'side' is part of
the CommentInfo entity[1], it is difficult to change the name and make
more sense out of that.
[1] https://gerrit-review.googlesource.com/Documentation/rest-api-changes.html#comment-info
Bug: Issue 5114
Change-Id: I5cc4c17d4bb134e31e5cc07ff9b08ed349488c97
- Add concept of diff comment thread groups, which are all of the
threads at a particular line number.
- The thread group is responsible for breaking up comments into threads
based on the range of the comment.
- Thread groups are ordered by the updated time of the first comment in
the group.
- Thread groups are given a key, based on comment range, which is used
to determine what thread group a new comment should go in (or if it
needs a new one).
Feature: Issue 5292
Change-Id: If544e8bb879262de3ce5397e86124837b66ada04
This change adds an API request to get robot comments for displaying
inline in the diff view. They are styled in a different color, contain
build and robotId information, and a "please fix" action rather than the
standard set of actions.
Feature: Issue 5089
Change-Id: I1f5954a2ed01920bb7c3dc897e3285687ff7d3ca
Previously, the line marker was only subtly visible by the highlighted
line number. This change adds a bottom border to the selected line if
the user is using keycodes (j, k, up, down) to more the cursor. When
the escape key is pressed, the distinguished line marker will dissapear.
Feature: Issue 4739
Change-Id: If8c751efc137ef87cfdad1c8bf7d905de1219107
+ These were slowing down tests in cases where it would actually hit a
live server, potentially adding the latency from the network to the
test.
+ Other fixes involve removing unused imports of util.js amongst other
small tweaks/fixes.
Bug: Issue 4016
Change-Id: I442deefebeffc6a701e4922faccfe1c74b3a35b6
If a file is too large for the server to deliver the diff, the API will
respond with HTTP 409. PolyGerrit interprets th this as a network error
and covers the entire page with an error message. Furthermore, the
handler for loading the diff is not written for this kind of failure and
tries to dereference the diff object -- null in that case.
With this change, the 409 message does not block use of the whole page
and the handler does not break when the diff is null.
Issue: Bug 4770
Change-Id: I68fe50c474fc03d4217e969649f62df38ca5b632
Refactors bindings in file lists to change the expanded state of a diff
using a property name that does not collide with the hidden attribute.
Change-Id: I7f7e38a910a8d4dd19be2d591033be6f6d3cb7a1
This commit enables the user to manually expand individual diffs
inline in the file list of the change view.
Bug: Issue 4382
Change-Id: I87d5af9971fed3aa5e1eb64523f4623a5ff2ac8d
When a user taps a line number in a diff, the cursor is moved to that
line and that side of the diff. However, if the user taps the text
content of a diff, the cursor was not moved. With this change, the
cursor is moved to the appropriate line and side of a diff when either
is tapped.
Bug: Issue 4215
Change-Id: I47d24f678f487eb3f8173ea5572865a589d845e4
This reverts commit 56689af0f92ce13f90ff9369544c5f9cc0412f09.
Reason for revert: This change broke adding draft comments in the diff
view.
Change-Id: Icfbd3eb4e24cce3e1690e7eaf12e14e5705c7e3e
Fixing UI data pipe line, re-rendering:
- side, draft text and editing status in UI comment objects
- update gr-diff UI model on comment save/update
Feature: Issue 3910
Change-Id: I96f714c7de9add6e316dcf64bb7d566690b9d3ae
If gr-diff recognizes that the file difference it's representing is
between images, it uses a different diff-builder that displays images
in a side-by-side-manner. In this case gr-diff will also make requests
for the image data itself, which it can pass down into the image-based
diff-builder.
Adds methods to gr-rest-api-interface to support rendering the data
relevant to image diffs. For images that are revisions of the current
change, provides "getChangeFileContents". For images that come from the
parent tree (i.e. if the basePatchNum is "PARENT") the interface
provides "getCommitInfo" to determine the SHA of the parent commit, and
"getCommitFileContents" which can get file contents for a given commit.
Bug: Issue 3822
Change-Id: I9be025b4e549fca97c87cdbeede6cb64dea5eac0
+ Cleans up interface for grouping comments within
gr-rest-api-interface.
+ Removes gr-diff’s dep on gr-ajax and rest-client-behavior.
Change-Id: Idea54a38fa5d0b136ff00b7ec7322bd24ad5d1bd
Tests which are using 'element#async' are wonky in Safari.
'flush' is also the documented way of testing dom manipulations.
Change-Id: I3ea99c7c80c952fa1c15bbd6289690e57bf8414b
+ Replace use of gr-ajax for retrieving the diff in gr-diff.
+ Add opt_params to fetchJSON so that query parameters can be
passed.
Change-Id: Iaa77c4082d6e83099e23f49205d859a5c938dd31
