As indicated in the comment in the bower_component_bundle, this is not
required to be part of the bundle, and is copied directly into the
output zip. Unlike other bower components, this one is intended to be
served from a separate file and loaded on demand, to decrease initial
page load time.
Change-Id: I97a7fbbb7755a10250abf2610c33ed9bcdf73167
This also requires a small CSS change because in 2.0 paper-button
applies the --paper-font-common-base mixin, which ends up setting the font to
roboto and not roboto-medium as is currently implemented in gerrit.
Change-Id: Ie52232eb95bc2c2f21f3802bd983cbc45cf697d7
Adding this dependency to WORKSPACE allows a plugin (codemirror-editor)
to load it in a descendant change.
Bug: Issue 4437
Change-Id: I6cf5a55a21c6e749215ef91e895554444e49b657
Move the definitions of NPM_VERSIONS and NPM_SHA1S into a separate .bzl
file in the /lib folder so that upgrades to the NPM components (bower,
crisper, vulcanize) require the Library-Compliance label to be set.
Change-Id: I691bb4fbdeeba2f1b05753310a8673febbfb6786
This will be used for material input elements, beginning with a
refreshed gr-editable-label
Also updates version of polymer-resin, which is required for paper-input
to not throw an error.
Change-Id: Ib17c3672e404914eaca2b97d633cc38f398bce0b
A few of the bower dependencies were outdated compared to those used by
googlesource. There was a noticeable difference for the better in the
updated iron-overlay-behavior, in that the top menu scrolls with the
page when opened in the updated version, but not in the previous
version.
Change-Id: Ib7697f8a86132d667f180129d319b4f7d437ff3a
This will be used in a new dropdown element that will replace some
existing dropdown elements, including and beginning with the patch range
selector.
Change-Id: Ia5b3275b34578e27f122edb10566a41fbb2c3f4a
Previously, bower2bazel tried to fetch whatever was registered in
bower with the package name. If the package author was specified it was
ignored. There was an issue with installing a new package (paper-button)
in which bower tried to fetch the wrong dependency (paper-ripple).
This change updates the package to use the original source, so that the
bower-archives file looks like:
```
bower_archive(
    name = "paper-ripple",
    package = "polymerelements/paper-ripple",
    version = "1.0.10",
    sha1 = "21199db50d02b842da54bd6f4f1d1b10b474e893")
```
Change-Id: I4d1f797a86bd80e8b9cf119e21ee7c2f5387b77e
This version contains (at least part of) a fix for bug 6500, in which
the commit message editor resized when it shouldn't. This is already
the version that the (next version of) gerrit-review will build with,
but want to make sure upstream is in sync.
Bug: Issue 6500
Change-Id: I40e83da3cfca557309afb7faa8fec8632f18b6e7
This reverts commit 37636a62564b09df8d8e4e48828b72afdf817bb0.
Reason for revert: The googlesource.com environment is not ready for
this yet.
I didn't realize that we couldn't yet use the hybrid version of the
elements in google3. They exist in the polymer2 directory, but
apparently that depends on using polymer2. This change will need to be
reverted until iron-input v1 is updated to get the polymer2 "hybrid"
version.
Change-Id: Ibeeae2458337b0a225993e12b043b1e65c3c4c04
This version is compatible with Polymer 1 and Polymer 2, but required
for Polymer 2.
Elements that were formerly

```html
<input is="iron-input">
```

are now

```html
<iron-input>
  <input>
</iron-input>
```
There are a few scenarios in which inputs were not using two way data
binding, which is the reason for using iron-input, and those have been
modified back to a native input.
With the updated iron-input to access the native input, there is an
'inputElement' getter function, which is used heavily in this update.
Also of note, in many tests, it is required to wrap Polymer.Base.async,
which is necessary because the mutation observer is async:
https://github.com/PolymerElements/iron-input/blob/master/test/iron-input.html
Also modifies polylint_test to explicitly ignore bower_components.
Change-Id: I75f7fa1bb0c00837f631f6e1043e15a3270b9bce
This is attempt 3 at rolling-forward c/106190
New Dependency
==============
This adds polymer-resin as a bower archive.
See `bower info polymer-resin#1.2.6-beta` for details.
Polymer-resin is part of the larger polymer project so is
license compatible.
Integration
===========
The main application element, app/elements/gr-app.html, now HTML
imports polymer-resin per
github.com/Polymer/polymer-resin/blob/master/getting-started.md#loading
It uses the following configuration:
1. All dynamic IDs are allowed.
2. Policy violation reports are sent to the dev console.
test/common-test-setup.html does the same so that tests are run in the
same environment.
Testing
=======
1. Running local tests

       gerrit $ ./polygerrit-ui/app/run_tests.sh

   With 1.2.6-beta tests run green on (Chrome, Firefox, Safari).

2. Testing for false positives

   I ran two servers.
   a. polygerrit-ui/run_server.sh
   b. gerrit.war per https://git.eclipse.org/r/Documentation/dev-readme.html
   I noticed that in both the dev console showed 'initResin' early and
   paging around showed no violation reports.

3. Testing for true negatives

   I patched in the diff at the end of this description, and reran
   both server environments.
   I noted that browsing to localhost:8081/#javascript:alert(1)
   and localhost:8080/#javascript:alert(1) both showed a
   violation report about javascript:alert(1) being rejected.
   Clicking Changes / XSS did not result in a popup.
Differences
===========
This loads the non-debug version but configured with a console reporter
so should minimize code size and speed overhead.
This loads via gr-app so the input is automatically vulcanized.
--- a/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
+++ b/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
@@ -56,6 +56,11 @@
url: '/q/status:abandoned',
name: 'Abandoned',
},
+ { // HACK DO NOT SUBMIT
+ url: (location.hash && location.hash.replace(/^#/, ''))
+ || '/echoes_hash',
+ name: 'XSS',
+ },
],
}];
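Review bot: The new menu entry at `+ url: (location.hash && location.hash.replace(/^#/, ''))` turns the page fragment into a link target with no scheme check, which is precisely the unvalidated href sink polymer-resin is meant to intercept; it is the test strawman from step 3 and carries `// HACK DO NOT SUBMIT`, so it must be dropped before the change lands, as the description says it was only patched in locally.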
--- a/polygerrit-ui/app/elements/shared/gr-dropdown/gr-dropdown.js
+++ b/polygerrit-ui/app/elements/shared/gr-dropdown/gr-dropdown.js
@@ -93,6 +93,7 @@
},
_computeRelativeURL(path) {
+if (path && /^\w+\:/.test(path)) { return path; } // HACK DO NOT SUBMIT
const host = window.location.host;
return this._computeURLHelper(host, path);
},
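Review bot: The early return `+if (path && /^\w+\:/.test(path)) { return path; }` bypasses `_computeURLHelper` for any scheme-prefixed value, so a `javascript:` target is no longer rewritten into a host-relative URL; that is what lets the strawman entry reach the href sink. It is marked DO NOT SUBMIT and is also mis-indented relative to the method body, so it should not survive into the real change.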
Change-Id: I38bfa124abd4fb35972833f29fc1664ec2404e34
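An added example (not code from Gerrit or from polymer-resin) modelling the href-sink check that steps 2 and 3 above exercise: the strawman link target built from `location.hash` is passed through a scheme allow-list before it may reach `href`, a `javascript:` fragment is replaced and reported, and the host-relative paths PolyGerrit itself uses pass untouched. The scheme list, the substitute value `about:invalid` and the report text are this example's own choices, not polymer-resin's exact ones.

```javascript
// Added example, not Gerrit or polymer-resin code: a minimal href-sink check
// in the spirit of polymer-resin's, with a console-style violation reporter.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const INNOCUOUS_URL = 'about:invalid'; // constructed substitute for rejected values

// Returns {value, rejected}. `report` receives the violation message; the
// default mirrors the "console reporter" configuration described above.
function sanitizeHref(value, report = console.warn) {
  // Browsers drop ASCII control characters and surrounding whitespace when
  // parsing a scheme, so "java\tscript:" must be checked as "javascript:".
  const str = String(value).replace(/[\u0000-\u001f]/g, '').trim();
  // No scheme at all means a host-relative path such as '/q/status:abandoned'.
  // The colon inside that path is not a scheme: the match is anchored at the
  // start of the string and '/' is not a scheme character.
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(str);
  if (!m) return {value: str, rejected: false};
  const scheme = m[1].toLowerCase() + ':';
  if (SAFE_SCHEMES.has(scheme)) return {value: str, rejected: false};
  report(`Rejected unsafe href "${str}" (scheme ${scheme}); substituting ${INNOCUOUS_URL}`);
  return {value: INNOCUOUS_URL, rejected: true};
}

// Model of the strawman menu entry from the patch in this commit: the link
// target is whatever the page was loaded with after '#'. `hash` is a
// constructed stand-in for `location.hash`; `reports` collects violations.
function strawmanLinkTarget(hash, reports) {
  const url = (hash && hash.replace(/^#/, '')) || '/echoes_hash';
  return sanitizeHref(url, (msg) => reports.push(msg));
}

// Stand-alone run reproducing step 3 above with constructed page fragments.
if (typeof require !== 'undefined' && require.main === module) {
  const reports = [];
  for (const hash of ['#javascript:alert(1)', '', '#/q/status:open']) {
    console.log(hash || '(no fragment)', '->', strawmanLinkTarget(hash, reports));
  }
  console.log(reports);
}
```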
This is a partial roll-forward of c/106190.
It adds a dependency on the latest version of polymer-resin.
Later CLs will actually use this dependency.
Change-Id: I3cf5f9c823d74da58a8b1326153a672959fa3f13
polymer-resin intercepts polymer property assignments
before they reach XSS-vulnerable sinks like `href="..."`
and text nodes in `<script>` elements.
This follows the instructions in WORKSPACE for adding a new bower
dependency with kaspern's tweak to use the dependency in a rule so
that it's found. //lib/js/bower_components.bzl has already been
rolled-back per those instructions.
The license is the polymer license as can be seen at
https://github.com/Polymer/polymer-resin/blob/master/LICENSE though
I'm not sure that //tools/js/bower2bazel.py recognizes it as such.
Docs for the added component are available at
https://github.com/Polymer/polymer-resin/blob/master/README.md
https://github.com/Polymer/polymer-resin/blob/master/getting-started.md
With this change, when I introduce an XSS vulnerability as below,
polymer-resin intercepts and stops it.
Patch that introduces a strawman vulnerability.
--- a/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
+++ b/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
@@ -55,6 +55,10 @@
url: '/q/status:abandoned',
name: 'Abandoned',
},
+ {
+ url: location.hash.replace(/^#/, '') || 'http://example.com/#fragment_echoed_here',
+ name: 'XSS Me',
+ },
],
}];
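Review bot: `+ url: location.hash.replace(/^#/, '') || 'http://example.com/#fragment_echoed_here'` feeds the page fragment straight into a link target without any scheme validation, the same unvalidated href flow the description labels a strawman vulnerability; unlike the other copy of this strawman on this page it has no `// HACK DO NOT SUBMIT` marker, so add one so the hunk cannot be submitted by accident.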
---
Address kaspern's and paladox's comments.
---
Undo version bumps for bower dependencies.
---
Change Soy index template to parallel app/index.html.
---
update polymer-resin to version 1.1.1-beta
----
Load polymer-resin into polygerrit-ui/**/*_test.html
After this, I ran the tests with
-l chrome
-l firefox
I ran a handful of tests with -p and observed that the
console shows "initResin" is called before test cases start
executing.
These changes were done programmatically by running the script below
(approximately) thus:
```sh
gerrit/ $ cd polygerrit-ui/app
app/ $ find . -name \*test.html | xargs perl hack-tests.pl
```
```perl
use strict;
use warnings;

# Strip any polymer-resin loading/initialization a test already carries,
# so that re-running the script over the same file is idempotent.
sub removeResin($) {
  my $s = $_[0];
  $s =~ s@<link rel="import" href="[^"]*/polymer-resin/[^"]*"[^>]*>\n?@@;
  $s =~ s@<script src="[^"]*/polymer-resin/[^"]*"></script>\n?@@;
  $s =~ s@<script>\s*security\.polymer_resin.*?</script>\n?@@s;
  return $s;
}

for my $f (@ARGV) {
  next if $f =~ m@/bower_components/|/node_modules/@;
  # Start from the committed version of the file.
  system('git', 'checkout', $f);
  print "$f\n";

  my @lines = ();
  open(IN, "<$f") or die "$f: $!";
  my $maxLineOfMatch = 0;
  while (<IN>) {
    push(@lines, $_);
    # Put a marker after core loading directives.
    $maxLineOfMatch = scalar(@lines)
      if m@/webcomponentsjs/|/polymer[.]html\b|/browser[.]js@;
  }
  close(IN) or die "$f: $!";
  die "$f missing loading directives" unless $maxLineOfMatch;

  # Given ./a/b/c/my_test.html, $pathToRoot is "../../.."
  # assuming no non-leading . or .. components in the path from find.
  my $pathToRoot = $f;
  $pathToRoot =~ s@^\.\/@@;
  $pathToRoot =~ s@^(.*?/)?app/@@;
  $pathToRoot =~ s@\/[^\/]*$@@;
  $pathToRoot =~ s@[^/]+@..@g;

  open(OUT, ">$f") or die "$f: $!";
  # Output the lines up to and including the last core loading directive
  # (webcomponentsjs / polymer.html / browser.js), with any polymer-resin
  # loading the test did itself stripped out.
  my $before = join '', @lines[0..($maxLineOfMatch - 1)];
  $before = removeResin($before);
  print OUT $before;
  # Dump out the lines that load polymer-resin and configure it for
  # polygerrit.
  print OUT qq'<link rel="import" href="$pathToRoot/bower_components/polymer-resin/standalone/polymer-resin-debug.html"/>
<script>
security.polymer_resin.install({allowedIdentifierPrefixes: [\'\']});
</script>
';
  # Emit any remaining lines, again minus stale polymer-resin directives.
  my $after = join '', @lines[$maxLineOfMatch..$#lines];
  $after = removeResin($after);
  $after =~ s/^\n*//;
  print OUT $after;
  close(OUT) or die "$f: $!";
}
```
---
update polymer-resin to version 1.2.1-beta
---
update Soy index template to new style polymer-resin initialization
----
fix lint warnings
----
Load test/common-test-setup.html into *_test.html
Instead of inserting instructions to load and initialize polymer-resin into
every test file, add a common-test-setup.html that does that and also fold
iron-test-helpers loading into it.
----
imported files do not need to load webcomponentsjs
Change-Id: I71221c36ed8a0fe7f8720c1064a2fcc9555bb8df
The 'seed' packages are the ones whose versions are set by us in
WORKSPACE. We should not set the versions for the rest of the packages
in the bower input JSON, so bower can suggest the right versions to
use.
Change-Id: I9b75f16655d049e2064726862980a339c91dd534
Instead, use a hard-coded map of licenses.
Hardcode a false dependency on diff-match-patch to avoid a diff for
the Apache2.0 license.
Tested:
```
bazel build Documentation:js_licenses.txt
buck build Documentation:js_licenses.txt
diff -u buck-out/gen/Documentation/js_licenses.txt/js_licenses.txt \
    bazel-genfiles/Documentation/js_licenses.txt
```
diff shows only diffs for added [[header]] anchors.
Change-Id: I7886e1fadec900cf854a1b3b7c538b83d66af7a4
Reformat the Bazel build files with the buildifier tool [1].
The style is different for Bazel files. Most notably, indentation level
is 4 spaces instead of 2, and " is used instead of '.
[1] https://github.com/bazelbuild/buildifier
Change-Id: I95c0c6f11b6d76572797853b4ebb5cee5ebd3c98
Introduces the gr-syntax-layer element. This element works as an
annotation layer that is configured with the diff and asynchronously
computes/applies syntax for the diff.
Introduces a custom build of Highlight.js which gr-syntax-layer makes
use of. Building the script is documented in
scripts/vendor/highlight/building.md.
The layer is connected to the annotation pipeline in gr-diff-builder as
the lowest layer and syntax processing is triggered only after a diff
has been completely rendered.
A number of styles are added to the gr-diff element for syntax markers.
Tests added for gr-syntax-layer.
Bug: Issue 3916
Change-Id: Ic33e40f4fe39dfce1a62de133cfaf32be5e3f25a
- include 'web-component-tester' bower dependency as test-dependency
- remove special handling for serving folder 'bower_components'
- add support for passing parameters from 'run-server.sh' to 'server.go'
Change-Id: Ia74b3013e07b6304a4df568b081254909749efc5
Additionally fix a bug in bower2buck.py where it would
bail when a license is not specified in a Bower package
info response.
Change-Id: Ibf754aab98bab6e34b7a9fb5d6c9801bb612f5d5
+ Also update iron-test-helpers to 1.1.5 to be able to use
modifiers in fake key events.
Bug: Issue 3925
Change-Id: I41ce2efe0b5df63a2a637e0942a97e9dafc432f9