Commit Graph

168 Commits

Author SHA1 Message Date
Alex Vandiver db934be064 CVE-2021-41115: Use re2 for user-supplied linkifier patterns.
Zulip attempts to validate that the regular expressions that admins
enter for linkifiers are well-formatted, and only contain a specific
subset of regex grammar.  The process of checking these
properties (via a regex!) can cause denial-of-service via
backtracking.

Furthermore, this validation itself does not prevent the creation of
linkifiers which themselves cause denial-of-service when they are
executed.  As the validator accepts literally anything inside of a
`(?P<word>...)` block, any quadratic backtracking expression can be
hidden therein.

Switch user-provided linkifier patterns to be matched in the Markdown
processor by the `re2` library, which is guaranteed constant-time.
This somewhat limits the possible features of the regular
expression (notably, look-head and -behind, and back-references);
however, these features had never been advertised as working in the
context of linkifiers.

A migration removes any existing linkifiers which would not function
under re2, after printing them for posterity during the upgrade; they
are unlikely to be common, and are impossible to fix automatically.

The denial-of-service in the linkifier validator was discovered by
@erik-krogh and @yoff, as GHSL-2021-118.
2021-10-04 21:26:24 +00:00
Dinesh 206168ed28 puppeteer: Remove waitFors on deletion spinners.
Also added a waitFor for the modal to disappear and removed
waitFor for the spinner to hide which would obviously be hidden
with modal and it also doesn't add much value.
2021-10-03 18:47:42 -07:00
Ganesh Pawar fa928d5cd1 streams: Split setting for stream creation policy.
Users wanted a feature where they could specify
which users can create public streams and which users can
create private streams.

This splits stream creation code into two parts,
public and private stream creation.

Fixes #17009.
2021-10-01 10:26:42 -07:00
Ganesh Pawar 66bd282d12 puppeteer_tests: Use loop when testing changing policies for streams.
Previously, this logic copied code to test each individual case.
2021-09-30 16:13:51 -07:00
Anders Kaseorg abee9258c6 js: Fix @typescript-eslint/restrict-template-expressions.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-09-22 18:06:06 -07:00
Anders Kaseorg f7a7cfea62 js: Fix @typescript-eslint/restrict-plus-operands.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-09-22 18:06:06 -07:00
Anders Kaseorg ba610440ab js: Fix @typescript-eslint/no-floating-promises.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-09-22 18:06:06 -07:00
Sahil Batra ed71b3211a puppeteer: Specify container for notification settings tests.
We will add realm-level defaults of notification settings in
further commits which will result in two elements with same
class. So, this commit specifies container element id along
with the class of setting element to make sure that we wait
for the correct element.
2021-09-16 15:46:41 -07:00
Dinesh 22f47d3c20 puppeteer: remove test_not_delete_draft_on_sending().
This test was `assert`ing the draft is not getting cleared
as soon as sending, which is desired behaviour to some extent
because we don't want to delete it until we receive a confirmation
from the server, but given the right amount of delay (or very
low network latency), the draft will be cleared. This inconsistency
was causing failures.

We could better test this with a node test. A node test was
already added in #18827.
2021-09-10 10:25:48 -07:00
Signior-X 459ce92109 compose: Make the route of message sending through drafts.
Before this commit, the message or any draft is deleted as soon
as the compose box is closed. So, it removes that by removing
delete_active_drafts and instead this commit will add the deletion
process of drafts in reify_message_id that is called when a
message is successfully sent and received.

Now, see there are two types of messages, one that are locally
echoed and the second ones are that aren't locally echoed but
sent directly to server. This commit only saves the message in
draft if it is locally echoed as they are the only messages
that show message failed in message list. The non locally echoed
ones aren't remove from the compose box until they are
successfully sent. Now as the draft-id is stored in the message
data for locally echoed messages, as they are echoed from the
server, they are deleted using that draft-id.

This also adds node tests for echo reify_message_id for testing
this feature that this commit is adding.

Fixes #17697
2021-09-07 14:36:05 -07:00
Sahil Batra fef825d56f settings: Rename class of notification settings elements.
We rename class of notification settings except checkboxes
by prefixing them with 'setting_' for clarity.

We do not change class of checkboxes because settings_checkbox
is used by other templates also and if we only change class
of those using notification_settings_checkboxes then live
update code will break and will need to add separate condition
for differentiating between which partial template is used.
2021-08-20 07:51:23 -07:00
Sahil Batra d05730a199 settings: Rename classes for display settings elements.
We rename the class of display setting elements by prefixing
them with 'setting_' for clarity.
2021-08-20 07:51:11 -07:00
Sahil Batra 032d347b4f settings: Refactor frontend code for notification settings.
This is a prep commit for adding UI for realm-level default
of user settings. We refactor the code to use  classes
instead of ids such that we can use the common code for the
new settings.
2021-08-20 07:50:51 -07:00
Sahil Batra c5cc4fb114 settings: Refactor default-language modal code.
We add a prefix to id of default_language_modal.hbs
such that we can use the same code for user settings
and realm-level settings.
We also add a class "default_language_modal" to the
modal div to avoid duplicate css.
2021-08-20 07:50:51 -07:00
Sahil Batra 3adf5e6383 settings: Refactor frontend code for display settings.
This is a prep commit for adding UI for realm-level
default of user settings. We refactor the code to use
classes instead of ids such that we can use the common
code for the new settings.
2021-08-20 07:40:20 -07:00
Riken Shah 4d3b10d84d puppeteer: Fix the element becoming stale.
As the right sidebar re-renders many times, often the
element puppeteer selected becomes stale, to avoid this
issue we are using javascript to click on the element.

This commit also ensures that the set user status modal
is completely open before we start clicking.
2021-07-30 09:19:56 -07:00
Riken Shah 6eb88eb3ef puppeteer: Use a better approach to open user popover.
This commit improves the approach to click on the menu
icon on the right sidebar. It'd first hover on the list
instead of the menu to avoid the occasional "HTML node
not present" error. As menu icon our only visible when
we hover over the item.
2021-07-28 12:07:48 -07:00
Riken Shah 4eeb6be787 user_status: Add default emoji for common statuses.
Co-authored-by: Yash Rathore <33805964+YashRE42@users.noreply.github.com>
2021-07-28 10:02:51 -07:00
PIG208 60e3429da3 bots: Remove the need to debounce for dispatching bot events.
We rely on calling eventually_render_bots from the event handling
code path for bot events to both updating the list and switching
the tab.

Now we decouple the logic and make render_bots take care of
rendering the list of bots only and switch the tab upon calling
the success handler of creating the bot.

Fixes: zulip#17743
2021-07-23 11:26:42 -07:00
sahil839 e0ab9e52b5 settings: Use dialog_widget for edit-linkifier modal.
This commit changes the edit-linkifier modal to use
dialog_widget instead of edit_fields_modal.
The edit_fields_modal module will be removed in
further commits to avoid code duplication.
2021-07-14 13:02:26 -07:00
sahil839 c87c4f92ee confirm_dialog: Rename variables and classes used in templates.
This commit renames the variables, functions used in confirm_dialog.js
and classes and ids used in confirm_dialog.hbs.

This change is made so that we can easily migrate edit_fields_modal to
use this same code with some more changes.

We will change the file names and correspondingly import variables in
the next commit.
2021-07-14 12:21:24 -07:00
Vishnu KS 4ad592ed4f populate_db: Use do_create_realm for creating zulip realm.
Since do_create_realm also creates general and core team streams,
we rename general to verona right after the realm is created. Mostly
because we dont really want two additional streams and this might
probably make it easy to review things.

There are puppeteer test changes because, we have a new "core team"
stream in tests as well as there is a new default notification stream
"Verona". Because of this tests in message-basics for example have
to be changed since the newly added core team affects the order in
which we navigate through the streams using arrow keys.

The extra await for selector was added in subscriptions test to make
the tests wait. Without the await the tests were passing ocassionally
and failing in some other times.

Fixes #6967
2021-07-06 17:37:43 -07:00
sahil839 8fe401c38c confirm_dialog: Rename confirm_dialog_yes_button class.
This commit renames confirm_dialog_yes_button class to
confirm_dialog_submit_button. This will help in keeping
a general class name when deduplicating the code for
confirm_dialog and edit_fields_modal.
2021-07-06 15:15:50 -07:00
m-e-l-u-h-a-n 9cb8e1b286 streams: Eliminate content-editable to change stream info.
The current system to change stream information like Stream name and
description isn't consistent with what we use everywhere else. It's
also slightly difficult to maintain.

Co-authored-by: Pragati Agrawal <pragati22066@gmail.com>
2021-07-05 14:35:15 -07:00
sahil839 bb816e1998 settings: Separate "Your account" section in two different sections.
We separate "Your account" section to two different sections -
"Profile" section for user name, custom profile fields, and avatar
and "Account & Security" section for email, password, role, api-key
and deactivating button.

Another important change here is that the modal for changing name
is removed and now the name has a simple input text box and it
behaves similar to inputs for custom-profile-fields.

Fixes #18848.
2021-06-30 16:56:03 -07:00
Tim Abbott a8ac48082f puppeteer: Fix reference to #edit-linkifier-status.
This fixes a CI failure, likely introduced when rebasing
b04647f219.
2021-06-24 17:35:25 -07:00
sahil839 b04647f219 settings: Use edit_fields_modal framework for linkifier-edit modal.
This commit modifies the linkifier-edit modal to use newly added
edit_fields_modal framework.

One important change is that we remove the "edit-linkifier-status"
element as the corresponding "edit-fields-modal-status" element
is added in edit_fields_modal.hbs and we also modify the css
accordingly. This "edit-fields-modal-status" is used only for
this modal and remains empty for others, so this change does not
cause problems with other modals.

There is another element which uses "edit-linkifier-status" as a
class, but the css we defined was for "edit-linkifier-status" as
id, so the css change is also safe.
2021-06-24 16:55:23 -07:00
Tim Abbott 16b2427810 Revert "puppeteer_tests: Extract out testing changing policies for streams."
This appears to be failing in CI.

This reverts commit 98ccaceafc.
2021-06-24 14:50:08 -07:00
Ganesh Pawar 98ccaceafc puppeteer_tests: Extract out testing changing policies for streams. 2021-06-24 14:08:49 -07:00
sahil839 98bb0f7b28 settings: Show spinner inside the confirm button for confirm_dialog.
We show a spinner inside the button instead of hiding the button
and then showing the spinner in the bottom area. We also disable
the button to avoid repetitive clicking by user.
2021-06-24 09:48:42 -07:00
Rohitt Vashishtha 98f8d94b25 linkifiers: Add joint validation for linkifier urls and patterns.
We now validate the linkifier urls and patterns together, and add
the following additional checks:

1. All groups in the pattern must be used in the URL format string.
2. All groups in the URL format string must be declared in the pattern.

Linkifier pattern is now validated inside the `clean` method.
`filter_pattern_validator` is moved from `clean_fields` to `clean`
method as a safe check. As a result of this, a Puppeteer test case
is updated.

NOTE: The changes here are IN ADDITION to the existing validations.

Fixes #16482.

Co-authored-by: akshatdalton <akshat.dak@students.iiit.ac.in>
2021-06-16 17:51:33 -07:00
Riken Shah 405073d590 puppeteer: Fix the selector for opening the message action menu.
In this 90041ff453,
we remove the `info` class from the message action
menu, that's why it was failing.

This commit replaces it with the correct selector.
2021-06-12 09:00:57 -04:00
Tim Abbott c18ef0b93f puppeteer: Stop using .info class to find element.
In 90041ff453, I failed to consider the
possibility we would be relying on this badly named element directly
in tests.
2021-06-11 18:08:36 -07:00
Ganesh Pawar 19fb6114d7 message_edit: Migrate to using `confirm_dialog`. 2021-06-10 12:23:48 -07:00
Riken Shah f95c539122 custom_check: Avoid use of assert to avoid confusion with assert.equal.
This commit bans the use of `assert` and replaces it
with `assert.ok` to avoid confusion with `assert.equal`.

Fixes #18687.
2021-06-10 09:15:57 -07:00
Anders Kaseorg 5e80068134 puppeteer_tests: Replace incorrect assert calls with assert.equal.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-06-10 09:15:36 -07:00
aryanshridhar 418c40b2ea settings_users: Refactor user_deactivation modal to confirm_dialog module.
The "email" span in the old modal was not used for styling, just to
support updating the field visually.
2021-06-08 17:57:27 -07:00
Anders Kaseorg abce4b6555 puppeteer_tests: Use assert.equal.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-06-08 10:16:53 -07:00
Anders Kaseorg c446435f54 puppeteer_tests: Use assert.match.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-06-08 10:16:53 -07:00
Riken Shah 7ae5e7287b puppeteer_test: Add `wait_for_modal_to_close` method to `CommonUtils`.
This commit adds the `wait_for_modal_to_close` method
and replaces all the instances where we are using jQuery
to check if the modal is closed.
2021-06-03 09:23:54 -07:00
Riken Shah 9dcc94841a puppeteer_tests: Change `test_get_api_key` order to fix the flake.
I tried different methods/strategies to find the reason for
this flake. But sadly I couldn't find the actual reason
for its failure.
(Read https://chat.zulip.org/#narrow/stream/43-automated-testing/topic/upgrading.20puppeteer.20to.209.2E1.2E1)

Somehow changing of test order i.e moving
`test_get_api_key` after `test_change_password` seems
to fix the flake.
2021-06-02 15:47:34 -07:00
Riken Shah fe30cfe680 puppeteer: Add `realm-linkifier.ts` test after fixing all the flakes.
9126ed33c9 commit removed this test as it
was very flaky.
2021-06-02 15:47:34 -07:00
Riken Shah 6cab6b31fb puppeteer_tests: Wait until the settings modal is completely open. 2021-06-02 15:47:34 -07:00
Riken Shah 8e780a67c3 puppeteer_tests: Add missing `waitFor` call to avoid rare flake.
This commit fixes a rare flake where it accidentally clicks
on "Subscribe to more streams"  instead of "Verona"
(stream). This happens because `#stream_filters` list
was not completely updated, i.e. It still had "Venice" and
"Verona" on the list, when it searched for "ver".
When it decided to click on the "Verona", "Venice"
disappeared, which causes "Verona" to move up and
causing "Subscribe to more streams" to click.
2021-06-02 15:47:34 -07:00
Sumanth V Rao 634a8ad345 puppeteer: Fallback to default waitForSelect timeout.
On slower systems it may take more than 4 seconds for the
stataus message to dissapear from the DOM, so it's better
to wait for the default duration of 30 seconds before
proceeding.

Thanks to @Riken-Shah for suggesting the fix.
2021-05-24 23:11:41 -07:00
Tim Abbott 9126ed33c9 puppeteer: Remove failing linkifier tests.
I'm not sure that settings UI is particularly worth having puppeteer
tests for, so it's possible we shouldn't bring these back at all.  But
in any case, it's worth disabling them as they've been failing for
some time.
2021-05-18 19:16:47 -07:00
Riken Shah e4bbfe5eb7 puppeteer_test: Add wait call for linkifier table to get updated.
This commit solves a rare flake, where the `realm
_linkifier.ts` test was failing because there was no
appropriate wait call for the table
(`#admin_linkifiers_table`) to get updated after editing
the pattern.
2021-05-18 18:46:17 -07:00
Riken Shah 2015d55a17 puppeteer_test: Use edit linkifier modal's id to check if it's closed. 2021-05-18 18:46:17 -07:00
akshatdalton 7632541afb edit_linkifier: Remove unnecessary error message display.
We want the error message that we get on editing the
linkifier to be displayed only on the edit linkifier modal.
2021-05-12 20:32:35 -07:00
akshatdalton 70f23fc422 puppeteer: Add test case to test realm playground deletion. 2021-05-12 20:32:35 -07:00