Merge branch 'develop' of github.com:dradis/dradis-ce into fix-overwr…

…iting-kit-upload
dradis · Jun 26, 2024 · a1a47e4 · a1a47e4
2 parents 7eef02f + bbb8543
commit a1a47e4
Show file tree

Hide file tree

Showing 101 changed files with 963 additions and 555 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,36 @@
+
+# Ignore git directory.
+/.git
+
+# Ignore bundle config.
+/.bundle
+
+# Ignore environment and deployment files.
+/.env*
+/.kamal/*
+/config/deploy.yml
+
+# Ignore all logfiles and tempfiles.
+/log/*
+/tmp/*
+!/log/.keep
+!/tmp/.keep
+
+# Ignore pidfiles.
+/tmp/pids/*
+!/tmp/pids/.keep
+
+# Ignore storage.
+/storage/*
+!/storage/.keep
+/tmp/storage/*
+!/tmp/storage/.keep
+
+# Ignore assets.
+/public/assets
+
+# Ignore applicaiton folders
+/attachments/
+/config/shared/*
+/db/*.sqlite3
+/templates/*
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -5,6 +5,7 @@ on:
     branches: ['*']
   push:
     branches: [develop, main]
+  workflow_dispatch:
 
 jobs:
   audits:
@@ -20,7 +21,7 @@ jobs:
       - name: Security audit dependencies
         run: bundle exec bundler-audit --update --ignore CVE-2023-31606 CVE-2023-50724 CVE-2023-50725 CVE-2023-50727
       - name: Security audit ruby
-        run: bundle exec ruby-audit update && bundle exec ruby-audit check --ignore CVE-2021-33621
+        run: bundle exec ruby-audit update && bundle exec ruby-audit check --ignore CVE-2021-33621 CVE-2024-27282
       - name: Security audit application code
         run: bundle exec brakeman -q -w2
   rubocop:
@@ -48,7 +49,7 @@ jobs:
       RAILS_ENV: test
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Create database.yml
         run: cp config/database.yml.template config/database.yml
       - name: Install Ruby and gems

diff --git a/.gitignore b/.gitignore
@@ -24,6 +24,11 @@
 # RSpec testing
 /spec/.examples.txt
 
+# Ignore environment and deployment files
+/.env*
+/.kamal/*
+/config/deploy.yml
+
 # App-specific
 /attachments/
 /backup/

diff --git a/CHANGELOG b/CHANGELOG
@@ -1,11 +1,10 @@
 [v#.#.#] ([month] [YYYY])
-  - [entity]:
-    - [future tense verb] [feature]
+  - Attachments: Copy attachments when moving an evidence/note
+  - Liquid: Make project-level collections available for Liquid syntax
   - Kit Import: Use file name sequencing when a template file with the same name exists
-  - Upgraded gems:
-    - [gem]
+  - Upgraded gems: nokogiri, rails, rexml
   - Bugs fixes:
-    - Tylium: Fix redirection when updating an issue or content block
+    - Navigation: Restore functionality of native browser back/forward buttons
     - Bug tracker items:
       - [item]
   - New integrations:
@@ -26,6 +25,19 @@
     - Medium: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
     - Low: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
 
+v4.12.0 (May 2024)
+  - Attachments: Add size, created_at, and download link to the API
+  - Mappings: Map fields from scanner integrations to Dradis fields
+  - Upgraded gems:
+    - nokogiri, rails
+  - Bugs fixes:
+    - Projects: Fix redirection when updating an issue or content block
+    - Sidebar: Prevent version number from overlapping listed records
+  - New integrations:
+    - Pentera
+  - Security Fixes:
+    - High: Authenticated author path traversal
+
 v4.11.0 (January 2024)
   - Assets: Add importmap-rails to handle js libraries
   - Liquid: Add LiquidAssignsService

diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,39 @@
+# We're sticking to non-slim version: https://hub.docker.com/_/ruby/
+FROM --platform=amd64 ruby:3.1.2
+
+WORKDIR /app
+
+# Copying dradis-ce app
+COPY . .
+
+# Copying sample files
+COPY config/database.yml.template config/database.yml
+COPY config/smtp.yml.template config/smtp.yml
+
+# Preparing application folders
+RUN mkdir -p attachments/
+RUN mkdir -p config/shared/
+RUN mkdir -p templates/
+
+# Is this only needed because M1 build?
+RUN bundle config build.ffi --enable-libffi-alloc
+
+# Installing dependencies
+RUN bundle install
+
+# Run and own only the runtime files as a non-root user for security
+RUN useradd rails --create-home --shell /bin/bash && \
+    chown -R rails:rails attachments config/shared db log tmp templates
+USER rails:rails
+
+# Preparing database
+RUN bin/rails db:prepare
+#RUN bin/rails db:seed
+
+# Entrypoint prepares the database.
+# ENTRYPOINT ["/app/bin/docker-entrypoint"]
+
+# Start the server by default, this can be overwritten at runtime
+EXPOSE 3000
+# CMD ["./bin/rails", "server"]
+CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0"]
diff --git a/Gemfile b/Gemfile
@@ -5,7 +5,7 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 ruby '3.1.2'
 
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
-gem 'rails', '~> 7.0.8'
+gem 'rails', '~> 7.0.8.4'
 
 # Use SCSS for stylesheets
 gem 'sass-rails', '~> 6.0'
@@ -37,7 +37,6 @@ gem 'bootsnap', '>= 1.12.0', require: false
 # ---------------------------------------------------- Dradis Community Edition
 gem 'bootstrap', '~> 5.2.3'
 gem 'jquery-rails'
-gem 'jquery-ui-rails'
 gem 'jquery-fileupload-rails', '~> 0.3.4'
 gem 'jquery-hotkeys-rails'
 
@@ -87,7 +86,7 @@ gem 'bcrypt', '3.1.12'
 gem 'json', '2.3.0'
 
 # XML manipulation
-gem 'nokogiri', '>= 1.14.3'
+gem 'nokogiri', '>= 1.16.2'
 
 # MySQL backend
 # gem 'mysql2', '~> 0.5.1'
@@ -191,7 +190,7 @@ group :test do
   gem 'factory_bot_rails'
   gem 'capybara', '~> 3.39'
   gem 'guard-rspec', require: false
-  gem 'selenium-webdriver', '~> 4.11'
+  gem 'selenium-webdriver', '~> 4.17'
   gem 'shoulda-matchers', '~> 3.1'
   gem 'timecop'
 
@@ -214,12 +213,12 @@ end
 #
 
 # Base framework classes required by other plugins
-gem 'dradis-plugins', '~> 4.11.0'
+gem 'dradis-plugins', '~> 4.12.1'
 
 gem 'dradis-api', path: 'engines/dradis-api'
 
 # Import / export project data
-gem 'dradis-projects', '~> 4.11.0'
+gem 'dradis-projects', '~> 4.12.0'
 
 plugins_file = 'Gemfile.plugins'
 if File.exists?(plugins_file)
@@ -231,32 +230,33 @@ end
 
 # ----------------------------------------------------------------- Calculators
 
-gem 'dradis-calculator_cvss', '~> 4.11.0'
-gem 'dradis-calculator_dread', '~> 4.11.0'
+gem 'dradis-calculator_cvss', '~> 4.12.0'
+gem 'dradis-calculator_dread', '~> 4.12.0'
 
 # ---------------------------------------------------------------------- Export
-gem 'dradis-csv_export', '~> 4.11.0'
-gem 'dradis-html_export', '~> 4.11.0'
+gem 'dradis-csv_export', '~> 4.12.0'
+gem 'dradis-html_export', '~> 4.12.0'
 
 # ---------------------------------------------------------------------- Import
-gem 'dradis-csv', '~> 4.11.0'
+gem 'dradis-csv', '~> 4.12.0'
 
 # ---------------------------------------------------------------------- Upload
-gem 'dradis-acunetix', '~> 4.11.0'
-gem 'dradis-brakeman', '~> 4.11.0'
-gem 'dradis-burp', '~> 4.11.0'
-gem 'dradis-coreimpact', '~> 4.11.0'
-gem 'dradis-metasploit', '~> 4.11.0'
-gem 'dradis-nessus', '~> 4.11.0'
-gem 'dradis-netsparker', '~> 4.11.0'
-gem 'dradis-nexpose', '~> 4.11.0'
-gem 'dradis-nikto', '~> 4.11.0'
-gem 'dradis-nipper', '~> 4.11.0'
-gem 'dradis-nmap', '~> 4.11.0'
-gem 'dradis-ntospider', '~> 4.11.0'
-gem 'dradis-openvas', '~> 4.11.0'
-gem 'dradis-qualys', '~> 4.11.0'
-gem 'dradis-saint', '~> 4.11.0'
-gem 'dradis-veracode', '~> 4.11.0'
-gem 'dradis-wpscan', '~> 4.11.0'
-gem 'dradis-zap', '~> 4.11.0'
+gem 'dradis-acunetix', '~> 4.12.0'
+gem 'dradis-brakeman', '~> 4.12.0'
+gem 'dradis-burp', '~> 4.12.0'
+gem 'dradis-coreimpact', '~> 4.12.0'
+gem 'dradis-metasploit', '~> 4.12.0'
+gem 'dradis-nessus', '~> 4.12.0'
+gem 'dradis-netsparker', '~> 4.12.0'
+gem 'dradis-nexpose', '~> 4.12.0'
+gem 'dradis-nikto', '~> 4.12.0'
+gem 'dradis-nipper', '~> 4.12.0'
+gem 'dradis-nmap', '~> 4.12.0'
+gem 'dradis-ntospider', '~> 4.12.0'
+gem 'dradis-openvas', '~> 4.12.0'
+gem 'dradis-pentera', '~> 4.12.0'
+gem 'dradis-qualys', '~> 4.12.0'
+gem 'dradis-saint', '~> 4.12.0'
+gem 'dradis-veracode', '~> 4.12.0'
+gem 'dradis-wpscan', '~> 4.12.0'
+gem 'dradis-zap', '~> 4.12.0'