
OCC-223: Upgrade to Orchard Core 1.8 #412

Merged
merged 20 commits into from
Feb 29, 2024

Conversation

@Psichorex Psichorex commented Feb 22, 2024

OCC-223
Fixes #411

@Psichorex
Contributor Author

@sarahelsaig Could you please check out this ZAP report and determine how valid these errors are? They were not present before; now with .NET 8 and OC 1.8 maybe they came to life.

2024-02-26-ZAP-Report-localhost.json

@sarahelsaig
Contributor

It's nonsense. It tries to inject SQL text into shopping-cart-widget.min.css?v=k7gHY8wfoxBUfO_f_yLhCB7L5QFrXqr1XoCJ8UOqx4I (a static resource) by changing the v argument's value. That argument is not used by the server; it's only there for client-side cache busting when the CSS file changes. So the loading time was "manipulated" by tricking the browser into loading a non-cached version of the CSS file. Congrats to the hacker known as ZAP. 🙃

In general I think the "The query time is controllable using parameter value [some SQL injection]" type errors are safe to ignore, because we never handle raw SQL and usually it's like a few hundred milliseconds' difference, which can simply be random fluctuation, one request incidentally triggering .NET garbage collection and the other not, etc.
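
The triage rule described in the comment above (a time-based SQL injection alert on a static file whose only query parameter is a cache buster cannot reach SQL, and timing deltas of a few hundred milliseconds need confirmation before they count) can be applied mechanically to the attached JSON report. The script below is an added example and is not code from the OrchardCore.Commerce repository or from ZAP; it assumes ZAP's traditional JSON report layout (site[].alerts[].instances[] with uri, param and otherinfo fields), and SAMPLE_REPORT, the URLs in it and the "needs confirmation" wording are constructed for illustration.

```python
"""Triage of ZAP SQL-injection alerts against static resources.

Added example, not code from the OrchardCore.Commerce repository. The report
layout (site[].alerts[].instances[] with uri/param/otherinfo) is assumed to
follow ZAP's traditional JSON report; SAMPLE_REPORT below is constructed.
"""
import json
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlsplit

# Extensions the web server hands to the static-file middleware; for these the
# query string never reaches application code, let alone a SQL query.
STATIC_EXTENSIONS = {".css", ".js", ".map", ".png", ".jpg", ".gif", ".svg", ".woff", ".woff2"}
# Query parameters that only exist for client-side cache busting (assumed list).
CACHE_BUSTING_PARAMS = {"v", "ver", "version", "_"}
# Phrase ZAP puts in an instance's otherinfo for timing-based inference, as quoted in the thread.
TIME_BASED_MARKER = "query time is controllable"


def is_static_cache_bust(uri: str, param: str) -> bool:
    """True when the probed parameter and every other query parameter are cache busters on a static file."""
    parts = urlsplit(uri)
    if PurePosixPath(parts.path).suffix.lower() not in STATIC_EXTENSIONS:
        return False
    names = set(parse_qs(parts.query, keep_blank_values=True))
    return param in CACHE_BUSTING_PARAMS and names <= CACHE_BUSTING_PARAMS


def triage_sql_injection_alerts(report: dict) -> list:
    """Return one verdict dict per SQL-injection instance in a ZAP JSON report."""
    verdicts = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            if "SQL Injection" not in alert.get("alert", ""):
                continue
            for inst in alert.get("instances", []):
                uri, param = inst.get("uri", ""), inst.get("param", "")
                time_based = TIME_BASED_MARKER in inst.get("otherinfo", "").lower()
                if is_static_cache_bust(uri, param):
                    verdict, reason = "likely false positive", "static file; parameter is client-side cache busting only"
                elif time_based:
                    verdict, reason = "needs confirmation", "timing inference; repeat the request to rule out latency noise"
                else:
                    verdict, reason = "needs review", "dynamic endpoint with a non-timing finding"
                verdicts.append({"site": site.get("@name", ""), "uri": uri, "param": param,
                                 "risk": alert.get("riskcode", ""), "verdict": verdict, "reason": reason})
    return verdicts


def load_report(path: str) -> dict:
    """Read a ZAP JSON report from disk (e.g. 2024-02-26-ZAP-Report-localhost.json)."""
    with open(path, encoding="utf-8") as f:
        return json.load(f)


# Constructed sample in the assumed report shape; URLs are placeholders, not scan data.
SAMPLE_REPORT = {
    "@programName": "ZAP",
    "site": [{
        "@name": "https://localhost:9027",
        "alerts": [{
            "pluginid": "40018", "alert": "SQL Injection", "riskcode": "3",
            "instances": [
                {"uri": "https://localhost:9027/shopping-cart-widget.min.css?v=k7gHY8wfoxBUfO_f_yLhCB7L5QFrXqr1XoCJ8UOqx4I",
                 "method": "GET", "param": "v",
                 "otherinfo": "The query time is controllable using parameter value [some SQL injection]"},
                {"uri": "https://localhost:9027/example-search?q=shoes",  # placeholder dynamic endpoint
                 "method": "GET", "param": "q",
                 "otherinfo": "The query time is controllable using parameter value [some SQL injection]"},
            ],
        }],
    }],
}

if __name__ == "__main__":
    for v in triage_sql_injection_alerts(SAMPLE_REPORT):
        print(f"{v['verdict']:22} {v['param']:4} {v['uri']}  ({v['reason']})")
```

Run it against a real report with `triage_sql_injection_alerts(load_report("2024-02-26-ZAP-Report-localhost.json"))`. The static-file check deliberately requires every query parameter to be a cache buster: a static path with an extra, non-version parameter falls through to "needs review", because the assumption that nothing server-side reads the query string only holds when nothing else is in it.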

@Psichorex
Contributor Author

Psichorex commented Feb 26, 2024

Okay, now I resolved that. The following error still persists though, and I also think that this is another close-to-nonsense error:
2024-02-26 18:17:49.0025 - An exception has occurred while interacting with the page https://localhost:9027/ (My Shop - Orchard Setup). 2024-02-26 18:17:49.0045 - The test failed with the following exception: Shouldly.ShouldAssertException: Shouldly uses your source code to generate its great error messages, build your test project with full debug information to get better error messages The provided expression should be empty but had 1 item and was ["2024-02-26 19:17:27.7620|Default|00-d1384c43efd3c6f22046919e903789ca-d537c6bb36bf1168-00||Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware|ERROR|An unhandled exception has occurred while executing the request. System.IO.IOException: A fájlnév, a könyvtárnév vagy a kötetcímke szintaxisa nem megfelelő. : 'C:\Lombiq\OrchardCore.Commerce\test\OrchardCore.Commerce.Tests.UI\bin\Debug\net8.0\Temp\9db19990-aafe-4978-8627-a44ef46e07cd\App\App_Data\Sites\Default\Media\ProductImages\sample-product-image.png\'"] at Lombiq.Tests.UI.Extensions.WebApplicationInstanceExtensions.LogsShouldBeEmptyAsync(IWebApplicationInstance webApplicationInstance, Boolean canContainWarnings, ICollection 1 permittedErrorLines, CancellationToken cancellationToken) at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task, ConfigureAwaitOptions options) at Lombiq.Tests.UI.Extensions.VerificationUITestContextExtensions.AssertLogsAsync(UITestContext context) at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at Lombiq.Tests.UI.Extensions.VerificationUITestContextExtensions.AssertLogsAsync(UITestContext context) at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task, ConfigureAwaitOptions options) at Lombiq.Tests.UI.Services.UITestExecutionSession.ExecuteAsync(Int32 retryCount, String dumpRootPath) 2024-02-26 18:17:49.2918 INFO > Take page snapshot #01 - FailureDumpPageSnapshot 2024-02-26 18:17:51.3444 WARN - Failed to take CDP snapshot. PageSource snapshot will be taken. OpenQA.Selenium.WebDriverException: Unexpected error creating WebSocket DevTools session. ---> OpenQA.Selenium.WebDriverException: DevTools version is not in the supported range. Desired version=121, range=5. Supported versions: 116, 115, 114, 85 at OpenQA.Selenium.DevTools.DevToolsDomains.MatchDomainsVersion(Int32 desiredVersion, Int32 versionRange) at OpenQA.Selenium.DevTools.DevToolsDomains.InitializeDomains(Int32 protocolVersion, DevToolsSession session, Int32 versionRange) at OpenQA.Selenium.DevTools.DevToolsDomains.InitializeDomains(Int32 protocolVersion, DevToolsSession session) at OpenQA.Selenium.DevTools.DevToolsSession.StartSession(Int32 requestedProtocolVersion) at OpenQA.Selenium.Chromium.ChromiumDriver.<>c__DisplayClass34_1.<<GetDevToolsSession>b__0>d.MoveNext() --- End of stack trace from previous location --- at OpenQA.Selenium.Chromium.ChromiumDriver.GetDevToolsSession(Int32 devToolsProtocolVersion) --- End of inner exception stack trace --- at OpenQA.Selenium.Chromium.ChromiumDriver.GetDevToolsSession(Int32 devToolsProtocolVersion) at OpenQA.Selenium.Chromium.ChromiumDriver.GetDevToolsSession() at Atata.CdpPageSnapshotStrategy.TakeSnapshot(AtataContext context) at Atata.CdpOrPageSourcePageSnapshotStrategy.TakeSnapshot(AtataContext context) 2024-02-26 18:17:51.3485 INFO < Take page snapshot #01 - FailureDumpPageSnapshot (2.056s) >> "01 - FailureDumpPageSnapshot.html" 2024-02-26 18:17:51.3537 - Attempting to stop the Orchard Core instance. 2024-02-26 18:17:51.3584 - The Orchard Core instance was stopped.

So, judging by the URI that it whines about, this seems to be fine. I don't have that temp file that it cries about, but under the SQLite snapshots this path seems to be fine and the image is there.
This one actually gets caught on CI as well. https://github.com/OrchardCMS/OrchardCore.Commerce/actions/runs/8006384127?pr=412

Can you spot something that maybe I can't? On CI there is a double OrchardCore.Commerce/OrchardCore.Commerce/ in the path that seems fishy, but that is not the case locally, yet it is failing.

@Psichorex
Contributor Author

Psichorex commented Feb 27, 2024

Okay, so the previous error is coming from a missing Temp folder, which I have no idea why it is happening. Also it doesn't break anything.

So I don't actually know why we need Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware, but the thing is that it is actually running on CI, which is not supposed to be a Development ENV; that is also questionable for me.


namespace OrchardCore.Commerce.Abstractions.Exceptions;

[Serializable]
#pragma warning disable S3925 // "ISerializable" should be implemented correctly
// Exception(SerializationInfo info, StreamingContext context) is obsolete and should not be called.
Member

Always put these comments above the pragmas.

Contributor

Also can you use [SuppressMessage] instead? I suggest only using #pragma inside method bodies. It should be avoided on class/property declarations and method signatures, because it's horrible for readability.

Contributor

@sarahelsaig sarahelsaig left a comment

It generated a bunch of .prettierrc.js files at build. I guess that should be added to the .gitignore?


@sarahelsaig
Contributor

The following error still persists though, and I also think that this is another close-to-nonsense error

That's a known error that I was already working on in #410 before the OC 1.8 upgrade complicated things. It's ZAP probing for path traversal exploits, which correctly results in an error log, and UITT should permit this. I ended up disabling path traversal tests altogether, because as long as you only use ASP.NET/OC for resources it's not a real security concern, and it generates a ton of error logs and weird false positives. Like this case for example. wtf am I supposed to do with this?
[screenshot]

To straighten things out, I've merged this branch into issue/OCC-218 and made its PR target your branch. Sadly this makes OCC-218 a blocker for this issue, because you need its changes to fix SecurityScanningTests.
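
The failing assertion in the earlier comment comes from the log check treating every ERROR line as a test failure, while the IOException above is the expected result of a scanner requesting a malformed path. The script below is an added example, not code from Lombiq UI Testing Toolbox or OrchardCore.Commerce; it shows how to separate such scanner-induced path errors from real failures so the former can be permitted and the latter still fail the test. It assumes the NLog field layout visible in the quoted line (timestamp|tenant|trace id|user|logger|LEVEL|message); SAMPLE_LOG, its logger names and its paths are constructed.

```python
"""Separate scanner-induced path errors from real failures in Orchard Core logs.

Added example, not code from Lombiq UI Testing Toolbox or OrchardCore.Commerce.
Assumed NLog layout (from the line quoted in this thread):
timestamp|tenant|trace id|user|logger|LEVEL|message. SAMPLE_LOG is constructed.
"""
import re

# Path quoted at the end of the IOException message: "... : 'C:\...'".
PATH_IN_MESSAGE = re.compile(r": '(?P<path>[^']*)'")
# A ".." component, or characters Windows never allows in a path component.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
WINDOWS_INVALID = re.compile(r'[<>"|?*]')


def parse_log_line(line: str):
    """Split an NLog line into its fields; None if it does not have the expected layout."""
    parts = line.split("|", 6)
    if len(parts) != 7:
        return None
    keys = ("timestamp", "tenant", "trace", "user", "logger", "level", "message")
    return dict(zip(keys, parts))


def is_malformed_path(path: str) -> bool:
    """True for paths no legitimate client would request: traversal, invalid
    characters, or a separator after a file name ("image.png\\"), which is how a
    request for something 'inside' a file surfaces on disk."""
    if TRAVERSAL.search(path) or WINDOWS_INVALID.search(path):
        return True
    stripped = path.rstrip("\\/")
    last = re.split(r"[\\/]", stripped)[-1]
    return stripped != path and "." in last


def classify_error_lines(lines):
    """Return (permitted, failures): ERROR lines caused by a malformed request
    path versus everything else.

    Matching keys on the exception type name, not the message text: the message
    is localized (Hungarian in the quoted run), the type name never is."""
    permitted, failures = [], []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        m = PATH_IN_MESSAGE.search(rec["message"])
        if "System.IO.IOException" in rec["message"] and m and is_malformed_path(m.group("path")):
            permitted.append(rec)
        else:
            failures.append(rec)
    return permitted, failures


# Constructed sample lines in the shape of the quoted test output; paths and
# the non-middleware logger names are placeholders.
SAMPLE_LOG = [
    r"2024-02-26 19:17:27.7620|Default|00-trace-span-00||Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware|ERROR|An unhandled exception has occurred while executing the request. System.IO.IOException: A fájlnév, a könyvtárnév vagy a kötetcímke szintaxisa nem megfelelő. : 'C:\app\App_Data\Sites\Default\Media\ProductImages\sample-product-image.png\'",
    "2024-02-26 19:17:30.0001|Default|00-trace-span-00||OrchardCore.Commerce.Example.CartController|ERROR|An unhandled exception has occurred while executing the request. System.NullReferenceException: Object reference not set to an instance of an object.",
    r"2024-02-26 19:17:31.0001|Default|00-trace-span-00||OrchardCore.Media.Example|WARN|Media file not found: 'C:\app\missing.png'",
]

if __name__ == "__main__":
    permitted, failures = classify_error_lines(SAMPLE_LOG)
    print(f"{len(permitted)} scanner-induced, {len(failures)} real failure(s)")
    for rec in failures:
        print("FAIL:", rec["logger"], rec["message"][:80])
```

The design choice worth keeping when porting this into a test harness: permit on the combination of exception type and a path that is structurally invalid, never on the localized message text or on "any IOException", otherwise a genuine file-system failure on the CI runner would be silently ignored too.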

@Psichorex
Contributor Author

This makes much more sense now. Well, it's nonsense, but it makes sense to me at least :D I will halt the progress here in this case. Please ping me if there is any news on OCC-218. I started chewing my hair due to these security error logs.

@sarahelsaig
Contributor

You know times are bad when Roland starts spitting hairballs... 😿

@Psichorex
Contributor Author

You know times are bad when Roland starts spitting hairballs... 😿

After doing OC 1.6 - 1.7 - 1.8 upgrades I am hypersensitive to retardedly failing UI tests. At least now I know whenever I see a ?= on the internet I should deploy an SQL injection attack

@sarahelsaig
Contributor

@Psichorex it's good now. Did you need to do anything else or is this ready for review?

@Psichorex
Contributor Author

@Psichorex it's good now. Did you need to do anything else or is this ready for review?
It's up for review. Thanks for saving my hair.

@Psichorex
Contributor Author

It generated a bunch of .prettierrc.js files at build. I guess that should be added to the .gitignore?

Same for me. I love random JS commitables.

@sarahelsaig
Contributor

Wait, never mind. Please address this first.

@Psichorex
Contributor Author

Wait, never mind. Please address this first.

That's already pushed. CI is running.

Comment on lines 8 to 11
[SuppressMessage(
"Maintainability",
"S3925: ISerializable should be implemented correctly",
Justification = "Exception(SerializationInfo info, StreamingContext context) is obsolete and should not be called.")]
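Review bot: the Justification text argues that the constructor S3925 asks for is obsolete, which is a reason for the rule not to apply to this type rather than a reason to suppress it per occurrence; the rule is triggered by the [Serializable] attribute, so dropping that attribute from the exception class removes the need for both the SerializationInfo overload and this [SuppressMessage].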
Contributor

In this case why isn't this rule turned off altogether? Also, based on this issue it seems like if you remove [Serializable] then you don't have to implement the overload with SerializationInfo, so the attribute behaves like an opt-in. Also, aren't the [Serializable] attribute and the overload you removed related anyway?

Contributor Author

That is actually true. [Serializable] can be removed here.

Contributor Author

It could be turned off, but this is the first time I came across a problem rooted in this, so I wouldn't actually turn it off now that I could just remove it.

Contributor

I asked about turning it off because the text in the Justification made it sound like you are addressing an outdated analyzer rule by suppressing every occurrence individually. That's not ok even if there is only one case. Since removing [Serializable] did the trick we don't have to worry about it.

Comment on lines -14 to +11
string Format(Address address) =>
address is null
? "-"
: JoinNotNullAndNotWhiteSpace(
Environment.NewLine,
address.Department,
address.Company,
address.StreetAddress1,
address.StreetAddress2,
JoinNotNullAndNotWhiteSpace(separator: " ", address.City, address.Province, address.PostalCode),
address.Region).ToUpperInvariant();
string Format(Address address);
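Review bot: replacing the default body with the bare `string Format(Address address);` is a breaking change for any implementation of the interface outside this repository that relied on the default, since such a class no longer compiles; it deserves a line in the release notes. The moved implementation should keep applying `.ToUpperInvariant()` to the whole joined string, separators included, so formatted addresses stay identical to what the removed default produced.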
Contributor

Why did you remove the default implementation?

Contributor Author

Well, this was hard to track :(
So basically this warning is the cause:
[screenshot]

The warning wants us to use concrete types. The default implementation was not in the concrete type but in the interface. So I moved the default implementation to the inheritor class instead of the interface. I thought we don't do implementations in interfaces. Looks pretty weird. I guess it had a reason though. So it was moved to the DefaultAddressFormatter : IAddressFormatted class.

Contributor

I looked into the git history of the file and it looks like this was from before we took over. I don't think this was ever a good use of the default implementation feature, because this is the only method in the interface, so the only reason to create a new class implementing it is to "override" this implementation anyway.
So it was a good thing you did here.

@sarahelsaig sarahelsaig merged commit 81a155d into main Feb 29, 2024
8 checks passed