Dan Brown [Sat, 23 Oct 2021 21:03:03 +0000 (22:03 +0100)]
Tweaked sidepart list item padding, Review of #3000
- Scoped padding change to just entity-list-items within the sidebar
since reduction of right-hand padding to zero was causing other
entity-list-items, such as those in the homepage listing, to then
have no padding.
- Updated styles to use CSS logical properties to retain support for RTL
languages such as Arabic, where the whole interface flips around.
Related: https://css-tricks.com/css-logical-properties-and-values/
Dan Brown [Sat, 23 Oct 2021 16:26:01 +0000 (17:26 +0100)]
Reviewed SAML SLS changes for ADFS, #2902
- Migrated env usages to config.
- Removed potentially unneeded config options or auto-set signed options
based upon provision of certificate.
- Aligned SP certificate env option naming with similar IDP option.
Tested via ADFS on Windows Server 2019. To test on other providers.
Dan Brown [Wed, 20 Oct 2021 12:30:45 +0000 (13:30 +0100)]
Updated SAML ACS post to retain user session
Session was being lost due to the callback POST request cookies
not being provided due to samesite=lax. This instead adds an additional
hop in the flow to route the request via a GET request so the session is
retained. SAML POST data is stored encrypted in cache via a unique ID
then pulled out straight afterwards, and restored into POST for the SAML
toolkit to validate.
Dan Brown [Thu, 14 Oct 2021 14:33:08 +0000 (15:33 +0100)]
Added custom whoops-based debug view
Provides a simple BookStack-focused view that does not rely on JavaScript.
Contains links to BookStack specific resources in addition to commonly
desired debug details.
Dan Brown [Fri, 8 Oct 2021 20:47:59 +0000 (21:47 +0100)]
Added testing to cover work done in last commit
Relevant to comments in 7224fbcc89f00f2b71644e36bb1b1d96addd1d5a.
Added test cases. Ensured they failed pre-commit.
Also tested a range of the altered endpoints manually on both local and
s3-like filesystems.
Dan Brown [Fri, 8 Oct 2021 16:47:14 +0000 (17:47 +0100)]
Added protections against path traversal in file system operations
- Files within the storage/ path could be accessed via path traversal
references in content, accessed upon HTML export.
- This is addressed via two layers:
  - Scoped local flysystem filesystems down to the specific image &
    file folders since flysystem has built-in checking against the
    escaping of the root folder.
  - Added path normalization before enforcement of uploads/{images,file}
    prefix to prevent traversal at a path level.
Thanks to @Haxatron via huntr.dev for discovery and reporting.
Ref: https://huntr.dev/bounties/ac268a17-72b5-446f-a09a-9945ef58607a/
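The second layer described above, normalising a path before checking it against an allowed prefix, as an added illustration rather than BookStack's own code; the function names, the allowed prefixes and the sample references are all constructed for this example.

```php
<?php
// Added example, not BookStack's own code. Demonstrates "normalise first,
// then enforce the uploads/{images,files} prefix" so that "../" segments
// cannot escape the intended folder. Function names are illustrative.

/**
 * Collapse ".", ".." and empty segments purely as a string operation, so the
 * prefix check below sees the path the filesystem would actually resolve.
 * Traversal above the root is silently dropped rather than preserved.
 */
function normalizePath(string $path): string
{
    $path = str_replace('\\', '/', $path);
    $segments = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($segments);
            continue;
        }
        $segments[] = $segment;
    }
    return implode('/', $segments);
}

/**
 * Return the normalised path when it sits under one of the allowed prefixes,
 * or null when it does not. The trailing slash on the prefix stops a sibling
 * folder such as "uploads/images-private" from passing the check.
 */
function resolveStoragePath(string $requested, array $allowedPrefixes): ?string
{
    $clean = normalizePath($requested);
    foreach ($allowedPrefixes as $prefix) {
        $prefix = rtrim($prefix, '/') . '/';
        if (strpos($clean, $prefix) === 0) {
            return $clean;
        }
    }
    return null;
}

// Constructed sample references of the kind an HTML export might contain.
$allowed = ['uploads/images', 'uploads/files'];
$samples = [
    'uploads/images/gallery/photo.png',   // valid, returned unchanged
    '/uploads/files/./report.pdf',        // valid, normalised form returned
    'uploads/images/../../.env',          // traversal, rejected
    'uploads/images-private/secret.png',  // sibling folder, rejected
];
foreach ($samples as $sample) {
    printf("%-40s => %s\n", $sample, resolveStoragePath($sample, $allowed) ?? 'REJECTED');
}
```

Normalisation here is string-only and deliberately does not consult the filesystem; the commit's first layer (flysystem root scoping) remains the backstop for anything this check does not cover.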
Dan Brown [Fri, 8 Oct 2021 14:22:09 +0000 (15:22 +0100)]
Forced response cache revalidation on logged-in responses
- Prevents authenticated responses being visible when back button
pressed in browser.
- Previously, 'no-cache, private' was added by default by Symfony which
would have prevented proxy cache issues but this adds no-store and a
max-age option to also invalidate all caching.
Thanks to @haxatron via huntr.dev
Ref: https://huntr.dev/bounties/6cda9df9-4987-4e1c-b48f-855b6901ef53/
Dan Brown [Wed, 6 Oct 2021 22:05:26 +0000 (23:05 +0100)]
Continued review of #2169
- Removed unneeded custom refresh or logout actions for OIDC.
- Restructured how the services and guards are setup for external auth
systems. SAML2 and OIDC now directly share a lot more logic.
- Renamed any OpenId references to OIDC or OpenIdConnect
- Removed non-required CSRF exemption for OIDC
Not tested; came to a roadblock due to lack of PHP8 support in upstream
dependencies. Certificate was deemed to be non-valid on every test
attempt due to changes in PHP8.
Dan Brown [Wed, 6 Oct 2021 16:12:01 +0000 (17:12 +0100)]
Started refactor for merge of OIDC
- Made oidc config more generic to not be overly reliant on the library
based upon learnings from saml2 auth.
- Removed any settings that are redundant or not deemed required for
initial implementation.
- Reduced some methods down where not needed.
- Renamed OpenID to OIDC
- Updated .env.example.complete to align with all options and their
defaults
Dan Brown [Mon, 4 Oct 2021 19:26:55 +0000 (20:26 +0100)]
Reviewed and refactored additional editor draft save warnings
- Added testing to cover warning cases.
- Refactored logic to be simpler and move much of the business out of
the controller.
- Added new message that's more suitable to the case this was handling.
- For detecting an outdated draft, checked the draft created_at time
instead of updated_at to better fit the scenario being checked.
- Updated some method types to align with those potentially being used
in the logic of the code.
- Added a cache of shown messages on the front-end to prevent them
re-showing on every save during the session, even if dismissed.
Dan Brown [Wed, 29 Sep 2021 17:41:11 +0000 (18:41 +0100)]
Reviewed addition to db table prefix
Review of #2935
- Removed from .env files and added warnings for use if found in config
file.
- Updated permission service to use whereColumn queries to auto-handle
use of prefixes.
Dan Brown [Sun, 26 Sep 2021 16:18:12 +0000 (17:18 +0100)]
Reviewed adding IP recording to activity & audit log
Review of #2936
- Added testing to cover
- Added APP_PROXIES to .env.example.complete with details.
- Renamed migration to better align the name and to set the migration
date to fit with production deploy order.
- Removed index from IP column in migration since an index does not yet
provide any value.
- Updated table header text label.
- Prevented IP recording when in demo mode.
Dan Brown [Mon, 13 Sep 2021 21:54:21 +0000 (22:54 +0100)]
Removed browserkit from a couple of classes
Did a little reorganisation while there of misplaced tests.
Moved MarkdownTest to a new PageEditorTest to avoid confusion with
other markdown elements and to align with other page tests.
Dan Brown [Sun, 5 Sep 2021 22:52:39 +0000 (23:52 +0100)]
Fixed issue with HTML tags in custom head scripts
Fixes a strange issue of HTML tags within script tags being malformed
when part of the HTML custom head content due to the PHP parsing we do.
DOMDocument seemed to cause this upon load.
Adding LIBXML_SCHEMA_CREATE to the ->loadHTML call seems to fix this but
not really sure why. Doesn't seem to cause further issues though.
Tested with multiple scripts and styles and comments and meta tags.
- Also added new testing class to cover.
- As part of testing, added new folder within tests to house setting
specific tests.