Merge remote-tracking branch 'origin/release/2.8.0' into fix/#2985_Pr…

…event_XSS_for_REST_API_by_escape_String_content2
SCADA-LTS · Oct 3, 2024 · 7b006ea · 7b006ea
2 parents 23d8121 + 684a394
commit 7b006ea
Show file tree

Hide file tree

Showing 176 changed files with 5,110 additions and 1,469 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -38,7 +38,7 @@ jobs:
           check_name: Java JUnit Test Results
           files: ./build/test-results/**/*.xml
       - name: Publish JUnit Test Results
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: junit-java-test-results
           path: ./build/test-reports/
@@ -81,7 +81,7 @@ jobs:
           check_name: Java Script Mocha Unit Test Results
           files: ./scadalts-ui/test-results.xml
       - name: Publish Mocha Test Results
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: mocha-js-test-results
           path: ./scadalts-ui/test-results.xml
@@ -166,7 +166,7 @@ jobs:
           key: ${{ runner.os }}-war-${{ github.run_id }}
           path: ./build/libs/Scada-LTS.war
       - name: Deploy WAR artifact
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: Scada-LTS
           path: ./build/libs/Scada-LTS.war

diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
@@ -151,7 +151,7 @@ jobs:
           key: ${{ runner.os }}-war-${{ github.run_id }}
           path: ./build/libs/Scada-LTS.war
       - name: Deploy WAR artifact
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: Scada-LTS
           path: ./build/libs/Scada-LTS.war

diff --git a/WebContent/WEB-INF/jsp/include/highlight.jsp b/WebContent/WEB-INF/jsp/include/highlight.jsp
@@ -15,9 +15,6 @@ function updateCodeText(text, destination) {
 
 function updateCodeTextEscaped(text, destination) {
     let result_element = document.querySelector(destination);
-    if(text[text.length-1] == "\n") {
-      text += " ";
-    }
     result_element.innerHTML = text;
     hljs.highlightElement(result_element);
 }

diff --git a/WebContent/WEB-INF/jsp/scripting.jsp b/WebContent/WEB-INF/jsp/scripting.jsp
@@ -43,7 +43,7 @@
     	var xid = jQuery("#xid");
     	// saveScript() nie zdarzy zapisac !!!
     	jQuery.ajax({
-    		url: myLocation+"/script/execute/"+xid[0].value,
+    		url: myLocation+"script/execute/"+xid[0].value,
     		type:"POST",
     		success: function(){
               setUserMessage("<spring:message code="script.execute.success"/> ")

diff --git a/WebContent/WEB-INF/jsp/systemSettings.jsp b/WebContent/WEB-INF/jsp/systemSettings.jsp
@@ -33,7 +33,7 @@
   <script type="text/javascript">
     var systemEventAlarmLevels = new Array();
     var auditEventAlarmLevels = new Array();
-    
+
     function init() {
         SystemSettingsDwr.getSettings(function(settings) {
             $set("<c:out value="<%= SystemSettingsDAO.EMAIL_SMTP_HOST %>"/>", settings.<c:out value="<%= SystemSettingsDAO.EMAIL_SMTP_HOST %>"/>);
@@ -482,7 +482,7 @@
         jQuery.ajax({
             type: 'GET',
             dataType: 'text',
-            url:myLocation+"/api/resources/imagesRefresh",
+            url:myLocation+"api/resources/imagesRefresh",
             success: function(msg){
                 alert("Success: the resource images has been refreshed");
             },
@@ -507,11 +507,6 @@
       dialog.style.display = 'none';
     }
 
-    function saveCssSettings() {
-      hideCssDialog();
-      saveCustomCssConfig();
-    }
-
     function initCustomCssData() {
       fetchCustomCssConfig().then((val) => {
         let res = JSON.parse(val);
@@ -542,18 +537,31 @@
       return new Promise((resolve, reject) => {
         let req = new XMLHttpRequest();
         req.open('POST', customCssUrl, true);
-        req.setRequestHeader('Content-type', 'application/text');
+        req.setRequestHeader('Content-Type', 'application/json;charset=UTF-8');
+        setUserMessage("customCssMessage");
         req.onload = () => {
           if (req.status === 200) {
             resolve(req.responseText);
+            setUserMessage("customCssMessage", "<spring:message code="systemSettings.customCssSaved"/>");
+          } else if (req.status === 400) {
+            let errors = JSON.parse(req.responseText);
+            if(errors.length > 0) {
+              setUserMessage("customCssMessage", "<spring:message code="systemSettings.invalidCustomCss"/>");
+            }
+            reject(errors);
           } else {
             reject(req.status);
           }
         };
         req.onerror = () => {
           reject(req.status);
         }
-        req.send(document.getElementById('cssEditor').value);
+        let cssContent = document.getElementById('cssEditor').value;
+        let cssStyle = {
+            content: cssContent
+        };
+        let body = JSON.stringify(cssStyle);
+        req.send(body);
       });
     }
 
@@ -565,6 +573,19 @@
         $set("<c:out value="<%= SystemSettingsDAO.UI_PERFORMANCE %>"/>", uiPerformance);
     }
 
+    document.addEventListener('DOMContentLoaded', () => {
+      const cssEditor = document.getElementById('cssEditor');
+      const cssHighlighting = document.getElementById('cssHighlighting');
+      if (cssEditor && cssHighlighting) {
+        cssEditor.addEventListener('input', () => {
+          updateCodeText(cssEditor.value, '#cssHighlightingContent');
+        });
+        cssEditor.addEventListener('scroll', () => {
+          syncCodeScroll(cssEditor, '#cssHighlighting');
+        });
+      }
+    });
+
   </script>
 
   <div class="borderDivPadded marB marR" style="float:left">
@@ -1130,7 +1151,7 @@
               id="cssEditor"
               class="hgl-editor"
               spellcheck="false"
-              oninput="updateCodeTextEscaped(this.value, '#cssHighlightingContent');"
+              oninput="updateCodeText(this.value, '#cssHighlightingContent');"
               onscroll="syncCodeScroll(this, '#cssHighlightingContent');">
             </textarea>
             <pre id="cssHighlighting" class="hgl-highlighting" aria-hidden="true">
@@ -1142,13 +1163,18 @@
           <table>
             <tr>
               <td>
-                <button onclick="hideCssDialog()"><spring:message code="common.cancel"/></button>
+                <button onclick="hideCssDialog()"><spring:message code="common.close"/></button>
               </td>
               <td>
-                <button onclick="saveCssSettings()"><spring:message code="common.save"/></button>
+                <button onclick="saveCustomCssConfig()"><spring:message code="common.save"/></button>
               </td>
             </tr>
           </table>
+          <table>
+            <tr>
+              <td colspan="2" id="customCssMessage" class="formError"></td>
+            </tr>
+          </table>
           </div>
         </div>
       </div>

diff --git a/WebContent/WEB-INF/lib/classmate-1.3.4.jar b/WebContent/WEB-INF/lib/classmate-1.3.4.jar
diff --git a/WebContent/WEB-INF/lib/cssparser-0.9.30.jar b/WebContent/WEB-INF/lib/cssparser-0.9.30.jar
diff --git a/WebContent/WEB-INF/lib/hibernate-validator-6.0.23.Final.jar b/WebContent/WEB-INF/lib/hibernate-validator-6.0.23.Final.jar
diff --git a/WebContent/WEB-INF/lib/jboss-logging-3.3.2.Final.jar b/WebContent/WEB-INF/lib/jboss-logging-3.3.2.Final.jar
diff --git a/WebContent/WEB-INF/lib/sac-1.3.jar b/WebContent/WEB-INF/lib/sac-1.3.jar
diff --git a/WebContent/WEB-INF/lib/validation-api-2.0.1.Final.jar b/WebContent/WEB-INF/lib/validation-api-2.0.1.Final.jar
diff --git a/WebContent/WEB-INF/snippet/warningContent.jsp b/WebContent/WEB-INF/snippet/warningContent.jsp
@@ -37,7 +37,7 @@
         <td><tag:img png="exclamation" title="common.valueUnreliable"/></td>
         <td style="white-space:nowrap;" colspan="3">
           <spring:message code="common.valueUnreliable"/>
-          <tag:img png="arrow_refresh" title="common.refresh" onclick="WatchListDwr.forcePointRead(${point.id})" style="display:inline"/>
+          <tag:img png="arrow_refresh" title="common.refresh" onclick="MiscDwr.forcePointRead(${point.id})" style="display:inline"/>
         </td>
       </tr>
     </c:if>

diff --git a/WebContent/WEB-INF/snippet/warningIcon.jsp b/WebContent/WEB-INF/snippet/warningIcon.jsp
@@ -0,0 +1,9 @@
+<%@ include file="/WEB-INF/snippet/common.jsp" %>
+<c:choose>
+    <c:when test="${!empty invalid || !empty disabled || pointRT.attributes.UNRELIABLE || pointRT.attributes.DP_UPDATE_ERROR}">
+      <tag:img png="exclamation" title="common.valueUnreliable"/>
+    </c:when>
+    <c:otherwise>
+      <tag:img png="warn" title="common.warning"/>
+    </c:otherwise>
+</c:choose>
diff --git a/WebContent/WEB-INF/snippet/watchListMessages.jsp b/WebContent/WEB-INF/snippet/watchListMessages.jsp
@@ -25,7 +25,7 @@
 </c:if>
 <c:if test="${pointRT.attributes.UNRELIABLE || pointRT.attributes.DP_UPDATE_ERROR}">
   <tag:img png="exclamation" title="common.valueUnreliable"/> <spring:message code="common.valueUnreliable"/>
-  <tag:img png="arrow_refresh" title="common.refresh" onclick="WatchListDwr.forcePointRead(${point.id})"/><br/>
+  <tag:img png="arrow_refresh" title="common.refresh" onclick="MiscDwr.forcePointRead(${point.id})"/><br/>
 </c:if>
 <c:forEach items="${events}" var="event">
 	<c:if test="${event.alarmLevel>0}">

diff --git a/WebContent/WEB-INF/tags/alarmAck.tag b/WebContent/WEB-INF/tags/alarmAck.tag
@@ -43,6 +43,10 @@
           <c:when test="${event.eventType.eventSourceId == applicationScope['constants.EventType.EventSources.DATA_SOURCE']}">
             <a href="data_source_edit.shtm?dsid=${event.eventType.dataSourceId}"><tag:img png="icon_ds_edit" title="events.editDataSource"/></a>
           </c:when>
+          <c:when test="${event.eventType.eventSourceId == applicationScope['constants.EventType.EventSources.DATA_SOURCE_POINT']}">
+            <a href="data_source_edit.shtm?dsid=${event.eventType.dataSourceId}&pid=${event.eventType.dataPointId}"><tag:img png="icon_ds_edit" title="events.editDataSource"/></a>
+            <a href="data_point_details.shtm?dpid=${event.eventType.dataPointId}"><tag:img png="icon_comp" title="events.pointDetails"/></a>
+          </c:when>
           <c:when test="${event.eventType.eventSourceId == applicationScope['constants.EventType.EventSources.SYSTEM']}">
             <c:choose>
               <c:when test="${event.eventType.systemEventTypeId == applicationScope['constants.SystemEventType.TYPE_VERSION_CHECK']}">

diff --git a/WebContent/WEB-INF/tags/pointComponent.tag b/WebContent/WEB-INF/tags/pointComponent.tag
@@ -58,7 +58,7 @@
       <div style="position:absolute;left:-16px;top:0px;z-index:${vc.z+1};">
         <div id="c${vc.id}Warning" style="display:none;" onmouseover="showMenu('c${vc.id}Messages', 16, 0);"
                 onmouseout="hideLayer('c${vc.id}Messages');">
-          	  <tag:img png="warn" title="common.warning"/>
+          	  <div id="c${vc.id}WarningIcon"></div>
           <div id="c${vc.id}Messages" onmouseout="hideLayer(this);" class="controlContent"></div>
         </div>
         <div id="c${vc.id}Changing" style="display:none;"><tag:img png="icon_edit" title="common.settingValue"/></div>

diff --git a/WebContent/resources/view.js b/WebContent/resources/view.js
@@ -62,6 +62,10 @@ mango.view.setMessages = function(state) {
     var warningNode = $("c"+ state.id +"Warning");
     if (warningNode && state.messages != null) {
         $set("c"+ state.id +"Messages", state.messages);
+        var warningIconNode = $("c"+ state.id +"WarningIcon");
+        if(warningIconNode) {
+            $set("c"+ state.id +"WarningIcon", state.warningIcon);
+        }
         if (state.messages)
             show(warningNode);
         else

diff --git a/build.gradle b/build.gradle
@@ -105,7 +105,13 @@ task existsScadaLTSWarFile {
     }
 }
 
-task deployTomcat(type: Copy, dependsOn: existsScadaLTSWarFile) {
+task deployTomcat(type: Copy, dependsOn: [war, existsScadaLTSWarFile]) {
+    from "build/libs/"
+    into System.getenv("CATALINA_HOME")+ "/webapps"
+    include('Scada-LTS.war')
+}
+
+task deployTomcatDev(type: Copy, dependsOn: [warDev, existsScadaLTSWarFile]) {
     from "build/libs/"
     into System.getenv("CATALINA_HOME")+ "/webapps"
     include('Scada-LTS.war')
@@ -154,15 +160,15 @@ task buildRunDebug(type: GradleBuild) {
 }
 
 task buildRunDebugDev(type: GradleBuild) {
-    tasks = ['clearTomcat', 'clearProject', 'installWebDependency', 'test', 'warDev', 'deployTomcat', 'runDebug']
+    tasks = ['clearTomcat', 'clearProject', 'installWebDependency', 'test', 'warDev', 'deployTomcatDev', 'runDebug']
 }
 
 task buildRunDebugProd(type: GradleBuild) {
     tasks = ['clearTomcat', 'clearProject', 'installWebDependency', 'test', 'war', 'deployTomcat', 'runDebug']
 }
 
 task buildRunDebugDevTestUi(type: GradleBuild) {
-    tasks = ['clearTomcat', 'clearProject', 'installWebDependency', 'test', 'testUi', 'warDev', 'deployTomcat', 'runDebug']
+    tasks = ['clearTomcat', 'clearProject', 'installWebDependency', 'test', 'testUi', 'warDev', 'deployTomcatDev', 'runDebug']
 }
 
 task buildRunDebugProdTestUi(type: GradleBuild) {
@@ -229,16 +235,22 @@ test {
         includeTestsMatching "com.serotonin.mango.vo.report.ImageChartUtilsTestsSuite"
         includeTestsMatching "org.scada_lts.serorepl.utils.StringUtilsTestsSuite"
         includeTestsMatching "org.scada_lts.monitor.ConcurrentMonitoredValuesTest"
+        includeTestsMatching "com.serotonin.mango.rt.dataSource.DataPointUnreliableUtilsTest"
+        includeTestsMatching "com.serotonin.mango.rt.dataSource.InitializeDataSourceRtTestsSuite"
         includeTestsMatching "com.serotonin.mango.util.AddLimitIfWithoutSqlDataSourceUtilsTest"
         includeTestsMatching "com.serotonin.mango.util.StartStopDataPointsUtilsTestsSuite"
         includeTestsMatching "org.scada_lts.utils.BlockingQueuesUtilsTest"
         includeTestsMatching "org.scada_lts.web.security.XssProtectHtmlEscapeUtilsTest"
-        includeTestsMatching "org.scada_lts.web.security.XssUtilsTest"
+        includeTestsMatching "org.scada_lts.web.security.XssUtilsTestsSuite"
+        includeTestsMatching "org.scada_lts.web.mvc.api.validation.css.CssValidatorTestsSuite"
+        includeTestsMatching "org.scada_lts.web.beans.validation.xss.XssValidatorTestsSuite"
     }
 
+    failFast = true
+
     testLogging {
 
-        //exceptionFormat = "full"
+        exceptionFormat = "full"
         showStandardStreams = true
 
         afterTest { desc, result ->

diff --git a/src/br/org/scadabr/api/dao/MangoDaoImpl.java b/src/br/org/scadabr/api/dao/MangoDaoImpl.java
@@ -1237,7 +1237,7 @@ public int configureDataPoint(int dataSourceId,
 		mangoPoint.setPointLocator(mangoLocator);
 		DwrResponseI18n validate = new DwrResponseI18n();
 		validate(mangoPoint, validate);
-		mangoLocator.validate(validate);
+		mangoLocator.validate(validate, point.getId());
 		if (validate.getHasMessages()) {
 			throw new ScadaBRAPIException(new APIError(
 					ErrorCode.INVALID_PARAMETER,