Merge pull request #1255 from dradis/release-4.12.0

[main] Release 4.12.0
dradis · May 8, 2024 · 4970ec2 · 4970ec2
2 parents 5635353 + d98ee8b
commit 4970ec2
Show file tree

Hide file tree

Showing 86 changed files with 775 additions and 541 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,36 @@
+
+# Ignore git directory.
+/.git
+
+# Ignore bundle config.
+/.bundle
+
+# Ignore environment and deployment files.
+/.env*
+/.kamal/*
+/config/deploy.yml
+
+# Ignore all logfiles and tempfiles.
+/log/*
+/tmp/*
+!/log/.keep
+!/tmp/.keep
+
+# Ignore pidfiles.
+/tmp/pids/*
+!/tmp/pids/.keep
+
+# Ignore storage.
+/storage/*
+!/storage/.keep
+/tmp/storage/*
+!/tmp/storage/.keep
+
+# Ignore assets.
+/public/assets
+
+# Ignore applicaiton folders
+/attachments/
+/config/shared/*
+/db/*.sqlite3
+/templates/*
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -20,7 +20,7 @@ jobs:
       - name: Security audit dependencies
         run: bundle exec bundler-audit --update --ignore CVE-2023-31606 CVE-2023-50724 CVE-2023-50725 CVE-2023-50727
       - name: Security audit ruby
-        run: bundle exec ruby-audit update && bundle exec ruby-audit check --ignore CVE-2021-33621
+        run: bundle exec ruby-audit update && bundle exec ruby-audit check --ignore CVE-2021-33621 CVE-2024-27282
       - name: Security audit application code
         run: bundle exec brakeman -q -w2
   rubocop:
@@ -48,7 +48,7 @@ jobs:
       RAILS_ENV: test
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Create database.yml
         run: cp config/database.yml.template config/database.yml
       - name: Install Ruby and gems

diff --git a/.gitignore b/.gitignore
@@ -24,6 +24,11 @@
 # RSpec testing
 /spec/.examples.txt
 
+# Ignore environment and deployment files
+/.env*
+/.kamal/*
+/config/deploy.yml
+
 # App-specific
 /attachments/
 /backup/

diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,16 @@
+v4.12.0 (May 2024)
+  - Attachments: Add size, created_at, and download link to the API
+  - Mappings: Map fields from scanner integrations to Dradis fields
+  - Upgraded gems:
+    - nokogiri, rails
+  - Bugs fixes:
+    - Projects: Fix redirection when updating an issue or content block
+    - Sidebar: Prevent version number from overlapping listed records
+  - New integrations:
+    - Pentera
+  - Security Fixes:
+    - High: Authenticated author path traversal on attachment rename
+
 v4.11.0 (January 2024)
   - Assets: Add importmap-rails to handle js libraries
   - Liquid: Add LiquidAssignsService

diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,39 @@
+# We're sticking to non-slim version: https://hub.docker.com/_/ruby/
+FROM --platform=amd64 ruby:3.1.2
+
+WORKDIR /app
+
+# Copying dradis-ce app
+COPY . .
+
+# Copying sample files
+COPY config/database.yml.template config/database.yml
+COPY config/smtp.yml.template config/smtp.yml
+
+# Preparing application folders
+RUN mkdir -p attachments/
+RUN mkdir -p config/shared/
+RUN mkdir -p templates/
+
+# Is this only needed because M1 build?
+RUN bundle config build.ffi --enable-libffi-alloc
+
+# Installing dependencies
+RUN bundle install
+
+# Run and own only the runtime files as a non-root user for security
+RUN useradd rails --create-home --shell /bin/bash && \
+    chown -R rails:rails attachments config/shared db log tmp templates
+USER rails:rails
+
+# Preparing database
+RUN bin/rails db:prepare
+#RUN bin/rails db:seed
+
+# Entrypoint prepares the database.
+# ENTRYPOINT ["/app/bin/docker-entrypoint"]
+
+# Start the server by default, this can be overwritten at runtime
+EXPOSE 3000
+# CMD ["./bin/rails", "server"]
+CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0"]
diff --git a/Gemfile b/Gemfile
@@ -37,7 +37,6 @@ gem 'bootsnap', '>= 1.12.0', require: false
 # ---------------------------------------------------- Dradis Community Edition
 gem 'bootstrap', '~> 5.2.3'
 gem 'jquery-rails'
-gem 'jquery-ui-rails'
 gem 'jquery-fileupload-rails', '~> 0.3.4'
 gem 'jquery-hotkeys-rails'
 
@@ -87,7 +86,7 @@ gem 'bcrypt', '3.1.12'
 gem 'json', '2.3.0'
 
 # XML manipulation
-gem 'nokogiri', '>= 1.14.3'
+gem 'nokogiri', '>= 1.16.2'
 
 # MySQL backend
 # gem 'mysql2', '~> 0.5.1'
@@ -191,7 +190,7 @@ group :test do
   gem 'factory_bot_rails'
   gem 'capybara', '~> 3.39'
   gem 'guard-rspec', require: false
-  gem 'selenium-webdriver', '~> 4.11'
+  gem 'selenium-webdriver', '~> 4.17'
   gem 'shoulda-matchers', '~> 3.1'
   gem 'timecop'
 
@@ -214,12 +213,12 @@ end
 #
 
 # Base framework classes required by other plugins
-gem 'dradis-plugins', '~> 4.11.0'
+gem 'dradis-plugins', '~> 4.12.0'
 
 gem 'dradis-api', path: 'engines/dradis-api'
 
 # Import / export project data
-gem 'dradis-projects', '~> 4.11.0'
+gem 'dradis-projects', '~> 4.12.0'
 
 plugins_file = 'Gemfile.plugins'
 if File.exists?(plugins_file)
@@ -231,32 +230,32 @@ end
 
 # ----------------------------------------------------------------- Calculators
 
-gem 'dradis-calculator_cvss', '~> 4.11.0'
-gem 'dradis-calculator_dread', '~> 4.11.0'
+gem 'dradis-calculator_cvss', '~> 4.12.0'
+gem 'dradis-calculator_dread', '~> 4.12.0'
 
 # ---------------------------------------------------------------------- Export
-gem 'dradis-csv_export', '~> 4.11.0'
-gem 'dradis-html_export', '~> 4.11.0'
+gem 'dradis-csv_export', '~> 4.12.0'
+gem 'dradis-html_export', '~> 4.12.0'
 
 # ---------------------------------------------------------------------- Import
-gem 'dradis-csv', '~> 4.11.0'
+gem 'dradis-csv', '~> 4.12.0'
 
 # ---------------------------------------------------------------------- Upload
-gem 'dradis-acunetix', '~> 4.11.0'
-gem 'dradis-brakeman', '~> 4.11.0'
-gem 'dradis-burp', '~> 4.11.0'
-gem 'dradis-coreimpact', '~> 4.11.0'
-gem 'dradis-metasploit', '~> 4.11.0'
-gem 'dradis-nessus', '~> 4.11.0'
-gem 'dradis-netsparker', '~> 4.11.0'
-gem 'dradis-nexpose', '~> 4.11.0'
-gem 'dradis-nikto', '~> 4.11.0'
-gem 'dradis-nipper', '~> 4.11.0'
-gem 'dradis-nmap', '~> 4.11.0'
-gem 'dradis-ntospider', '~> 4.11.0'
-gem 'dradis-openvas', '~> 4.11.0'
-gem 'dradis-qualys', '~> 4.11.0'
-gem 'dradis-saint', '~> 4.11.0'
-gem 'dradis-veracode', '~> 4.11.0'
-gem 'dradis-wpscan', '~> 4.11.0'
-gem 'dradis-zap', '~> 4.11.0'
+gem 'dradis-acunetix', '~> 4.12.0'
+gem 'dradis-brakeman', '~> 4.12.0'
+gem 'dradis-burp', '~> 4.12.0'
+gem 'dradis-coreimpact', '~> 4.12.0'
+gem 'dradis-metasploit', '~> 4.12.0'
+gem 'dradis-nessus', '~> 4.12.0'
+gem 'dradis-netsparker', '~> 4.12.0'
+gem 'dradis-nexpose', '~> 4.12.0'
+gem 'dradis-nikto', '~> 4.12.0'
+gem 'dradis-nipper', '~> 4.12.0'
+gem 'dradis-nmap', '~> 4.12.0'
+gem 'dradis-ntospider', '~> 4.12.0'
+gem 'dradis-openvas', '~> 4.12.0'
+gem 'dradis-qualys', '~> 4.12.0'
+gem 'dradis-saint', '~> 4.12.0'
+gem 'dradis-veracode', '~> 4.12.0'
+gem 'dradis-wpscan', '~> 4.12.0'
+gem 'dradis-zap', '~> 4.12.0'