[UPMERGE] 2.0 -> bootstrap-admin-panel #16250

Merged
merged 36 commits into from
May 13, 2024
36 commits
6ca4a6a
[Maintenance] Update docker docs
Wojdylak May 8, 2024
3fa947e
[Maintenance] Remove unnecessary line
Wojdylak May 8, 2024
ac1d727
Add wider support for deprecation contract
Jibbarth May 8, 2024
d4812f9
Fix potential xss in admin panel
mpysiak May 6, 2024
29d18a3
Use function from UIBundle
mpysiak May 6, 2024
c11c424
Fix product-auto-complete
mpysiak May 7, 2024
0a7fe9e
Add js sanitizeInput function
mpysiak Apr 30, 2024
89880cd
Add sanitizer function to UIBundle
mpysiak May 6, 2024
19cea9a
Use function from UIBundle
mpysiak May 6, 2024
3d66fb0
[AddressBook] Add scenario for preventing a potential XSS attack
GSadee May 9, 2024
9255540
[Checkout] Add scenario for preventing a potential XSS attack
GSadee May 10, 2024
30de6ff
[Behat] Minor scenarios improvements after code review
GSadee May 10, 2024
a17de6d
Test adding new taxon
mpysiak May 10, 2024
d25edf3
Test adding new simple product
mpysiak May 10, 2024
63c3cf7
Test adding similar products
mpysiak May 10, 2024
679e793
Fixes after CR
mpysiak May 10, 2024
9427336
bug #69 Fix potential xss in AddressBook and Checkout (mpysiak, GSadee)
GSadee May 10, 2024
ba4b66d
bug #76 Fix potential xss in admin panel (mpysiak)
GSadee May 10, 2024
3b82e93
[Behat] Minor scenarios improvements
GSadee May 10, 2024
fb0ecb2
bugfix #16241 [Security] Fixes for potential XSS in the Checkout, Add…
TheMilek May 10, 2024
0773297
minor #16232 [Maintenance] Update docker docs (Wojdylak)
GSadee May 10, 2024
a504048
minor #16233 Add wider support for deprecation contract (Jibbarth)
GSadee May 10, 2024
3bc2117
Merge branch '1.12' into 1.13
GSadee May 10, 2024
6154b8c
Merge branch '1.13' into 1.14
GSadee May 10, 2024
01e7fa5
Merge branch '1.14' into 2.0
GSadee May 10, 2024
d29310a
Change application's version to v1.12.16
GSadee May 10, 2024
90d580f
Generate changelog for v1.12.16
GSadee May 10, 2024
56c8725
Change application's version to v1.12.17-dev
GSadee May 10, 2024
eb7b641
Merge branch '1.12' into 1.13
GSadee May 10, 2024
1fb4aa9
Merge branch '1.13' into 1.14
GSadee May 10, 2024
0dd7b7f
Merge branch '1.14' into 2.0
GSadee May 10, 2024
22bc3d9
Change application's version to v1.13.1
GSadee May 10, 2024
f14bca0
Generate changelog for v1.13.1
GSadee May 10, 2024
4244cfc
Change application's version to v1.13.2-dev
GSadee May 10, 2024
b260046
Merge branch '1.13' into 1.14
GSadee May 10, 2024
1ccdd63
Merge branch '1.14' into 2.0
GSadee May 10, 2024
17 changes: 7 additions & 10 deletions docs/book/installation/installation_with_docker.rst
Expand Up @@ -14,7 +14,7 @@ testing, and implementation. Docker significantly reduces the delay between writ

.. note::

Make sure you have `Docker <https://docs.docker.com/get-docker/>`_ installed on your local machine.
Make sure you have `Docker <https://docs.docker.com/get-docker/>`_ and `make <https://www.gnu.org/software/make/manual/make.html/>`_ installed on your local machine.

Project Setup
-------------
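Review bot: the new `make` link in the note ends in `make.html/`; the trailing slash after `.html` looks like a typo and should be dropped so the link resolves to the manual page rather than a directory that does not exist.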
Expand All @@ -29,15 +29,12 @@ with Sylius-Standard content.
Development
-----------

`Sylius Standard <https://github.com/Sylius/Sylius-Standard>`_ comes with the `multi-stage build <https://docs.docker.com/develop/develop-images/multistage-build/>`_.
You can execute it via the ``docker compose up -d`` command in your favorite terminal. Please note that the speed of building images
and initializing containers depends on your local machine and internet connection - it may take some time. Then enter ``localhost`` in your browser or execute ``open localhost`` in your terminal.
`Sylius Standard <https://github.com/Sylius/Sylius-Standard>`_ comes with the `docker compose <https://docs.docker.com/compose/>`_ configuration.
You can start the development environment via the ``make init`` command in your favorite terminal. Please note that the speed of building images
and initializing containers depends on your local machine and internet connection - it may take some time.
Then enter ``localhost`` in your browser or execute ``open http://localhost/`` in your terminal.

.. code-block:: bash

docker compose up -d
open localhost

.. tip::

:doc:`Learn how to deploy Sylius-Standard production ready Docker Compose configuration </cookbook/deployment/docker>`
make init
open http://localhost/
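Review bot: `make init` is introduced as the way to start the development environment, but the text never says what it does, so a reader cannot tell whether it builds images, starts containers, installs dependencies, loads fixtures, or all of these; add a sentence listing the steps the target performs or point to the Makefile. Removing the `.. tip::` that linked to the production Docker Compose cookbook also leaves this page with no pointer at all for production use; if that cookbook is gone for good, say so here instead of dropping the reference silently.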
33 changes: 0 additions & 33 deletions docs/cookbook/deployment/docker.rst

This file was deleted.

1 change: 0 additions & 1 deletion docs/cookbook/deployment/map.rst.inc
@@ -1,3 +1,2 @@
* :doc:`/cookbook/deployment/platform-sh`
* :doc:`/cookbook/deployment/cron-jobs`
* :doc:`/cookbook/deployment/docker`
1 change: 0 additions & 1 deletion docs/cookbook/index.rst
Expand Up @@ -143,7 +143,6 @@ Deployment

deployment/platform-sh
deployment/cron-jobs
deployment/docker

.. include:: /cookbook/deployment/map.rst.inc

3 changes: 0 additions & 3 deletions docs/getting-started-with-sylius/deployment.rst
Expand Up @@ -6,14 +6,11 @@ application deployment into the server. We believe, that it should be as easy an

Check out our deployment cookbooks:


.. tip::

- 👉 :doc:`How to deploy Sylius to Platform.sh? </cookbook/deployment/platform-sh>`
- 🐳 :doc:`How to deploy Sylius with Docker </cookbook/deployment/docker>`

Learn more about the deployment platforms
-----------------------------------------

* `Platform.sh <https://docs.platform.sh>`_
* `Docker <https://docker.com/>`_
File: (name not captured)
@@ -0,0 +1,21 @@
@managing_products
Feature: Preventing a potential XSS attack while adding a new product
In order to keep my information safe
As an Administrator
I want to be protected against the potential XSS attacks

Background:
Given the store operates on a single channel in "United States"
And the store has "<script>alert('xss')</script>" taxonomy
And the store has "No XSS" taxonomy
And I am logged in as an administrator

@ui @javascript @no-api
Scenario: Preventing a potential XSS attack while adding new product
When I want to create a new simple product
Then I should be able to name it "No XSS" in "English (United States)"

@ui @javascript @no-api
Scenario: Preventing a potential XSS attack while choosing main taxon for a new product
When I want to create a new simple product
Then I should be able to choose main taxon "No XSS"
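Review bot: neither scenario asserts anything about the `<script>alert('xss')</script>` taxon; both pass as long as the browser driver hits no unexpected alert, so a regression that merely drops that node from the taxon tree would still be green. Add a step that checks the main taxon tree lists the taxon with its name rendered as literal text, so the scenario fails on a missing node as well as on an executed script.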
File: (name not captured)
@@ -0,0 +1,16 @@
@managing_products
Feature: Preventing a potential XSS attack while selecting similar product
In order to keep my information safe
As an Administrator
I want to be protected against the potential XSS attacks

Background:
Given the store operates on a single channel in "United States"
And the store has a product association type "Accessories"
And the store has "<script>alert('xss')</script>" and "LG headphones" products
And I am logged in as an administrator

@ui @javascript @no-api
Scenario: Preventing a potential XSS attack while editing product
When I want to create a new simple product
Then I should be able to associate as "Accessories" the "LG headphones" product
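Review bot: the scenario title says `while editing product` but the steps create a new simple product, and the feature title says `selecting similar product` while the step associates an accessory; align both titles with what the steps do (for example `while associating a product`). The only check is again the absence of an unexpected alert; consider asserting that the association autocomplete shows `<script>alert('xss')</script>` as plain text.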
File: (name not captured)
@@ -0,0 +1,16 @@
@managing_taxons
Feature: Preventing a potential XSS attack while adding a new taxon
In order to keep my information safe
As an Administrator
I want to be protected against the potential XSS attacks

Background:
Given the store operates on a single channel in "United States"
And the store has "Category" taxonomy
And the store has "<script>alert('xss')</script>" taxonomy
And I am logged in as an administrator

@ui @javascript @no-api
Scenario: Preventing a potential XSS attack while adding new taxon
When I want to create a new taxon
Then I should be able to change its parent taxon to "Category"
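Review bot: the scenario selects `Category` as the parent but never touches the script-named taxon, so it does not cover the case where the chosen node is the one whose name and code now go through `sanitizeInput` in the taxon tree. Add a scenario that picks `<script>alert('xss')</script>` as the parent and then verifies the saved taxon's parent is correct; that would also catch the code being stored entity-encoded instead of as the original value.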
File: (name not captured)
@@ -0,0 +1,16 @@
@address_book
Feature: Preventing a potential XSS attack during updating the address
In order to keep my information safe
As a Customer
I want to be protected against the potential XSS attacks

Background:
Given the store operates on a single channel in "United States"
And I am a logged in customer
And I have an address "Lucifer Morningstar", "Seaside Fwy", "90802", "Los Angeles", "United States", "Arkansas" in my address book
And this address has province '<img """><script>alert("XSS")</script>">'

@ui @javascript @no-api
Scenario: Preventing a potential XSS attack during updating the address
When I want to edit the address of "Lucifer Morningstar"
Then I should be able to update it without unexpected alert
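Review bot: the background first creates the address with province `Arkansas` (a United States province) and then sets a free-text province name on top of it, so the record carries both a province code and a province name. Which one the edit form renders depends on the selected country having provinces; make sure the scenario actually reaches the free-text `value="..."` path in `sylius-province-field` that this PR fixes, for example by using a country without provinces or clearing the province code in the setup step. The final step also only waits for the form to stop loading; assert that the province input still holds the literal `<img """><script>alert("XSS")</script>">` string after re-rendering.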
File: (name not captured)
@@ -0,0 +1,21 @@
@checkout
Feature: Preventing a potential XSS attack during updating the address in the checkout
In order to keep my information safe
As a Visitor
I want to be protected against the potential XSS attacks

Background:
Given the store operates on a single channel in "United States"
And the store has a product "PHP T-Shirt" priced at "$19.99"
And the store ships everywhere for Free
And I have product "PHP T-Shirt" in the cart
And I am at the checkout addressing step

@ui @javascript @no-api
Scenario: Preventing a potential XSS attack during updating the address in the checkout
When I specify the email as "john.doe@example.com"
And I specify the billing address as "Ankh Morpork", "Frost Alley", "90210", "United States" for "Jon Doe"
And I specify the province name manually as '<img """><script>alert("XSS")</script>">' for billing address
And I complete the addressing step
And I decide to change my address
Then I should be able to update the address without unexpected alert
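Review bot: `I should be able to update the address without unexpected alert` never checks the province value after the addressing form is re-rendered, so a sanitizer that drops or double-encodes the value would pass this scenario. Add an assertion that the billing province field contains the literal `<img """><script>alert("XSS")</script>">` string once the form has reloaded.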
13 changes: 13 additions & 0 deletions src/Sylius/Behat/Context/Setup/AddressContext.php
Expand Up @@ -66,6 +66,19 @@ public function iHaveAnAddressInAddressBook(ShopUserInterface $user, AddressInte
$customer = $user->getCustomer();

$this->addAddressToCustomer($customer, $address);

$this->sharedStorage->set('address', $address);
}

/**
* @Given this address has province :province
*/
public function thisAddressHasProvince(string $provinceName): void
{
$address = $this->sharedStorage->get('address');
$address->setProvinceName($provinceName);

$this->customerManager->flush();
}

/**
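Review bot: `thisAddressHasProvince` only sets `provinceName` and leaves whatever `provinceCode` the address was created with in place, and it reads `address` from shared storage without checking the key exists. Clear the code in the same step (`$address->setProvinceCode(null);`) so the free-text province path is what the form renders, and add an `Assert::notNull` on the stored address so a missing preceding step fails with a clear message rather than a type error.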
3 changes: 3 additions & 0 deletions src/Sylius/Behat/Context/Ui/Admin/ManagingProductsContext.php
Expand Up @@ -92,6 +92,7 @@ public function iSpecifyItsCodeAs(?string $code = null): void
* @When I do not name it
* @When I name it :name in :language
* @When I rename it to :name in :language
* @When I should be able to name it :name in :language
*/
public function iRenameItToIn(?string $name = null, ?string $language = null): void
{
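Review bot: `I should be able to name it :name in :language` is registered with `@When` although the feature uses it as a `Then` step and it reads as an assertion; the other steps added in this PR use `@Then` for the same purpose (`@Then /^I should be able to choose main (taxon "[^"]+")$/`), so use `@Then` here for consistency. Note also that the method only fills the name field; nothing asserts the product was actually named.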
Expand Down Expand Up @@ -777,6 +778,7 @@ public function iShouldNotBeAbleToEditItsOptions(): void

/**
* @When /^I choose main (taxon "[^"]+")$/
* @Then /^I should be able to choose main (taxon "[^"]+")$/
*/
public function iChooseMainTaxon(TaxonInterface $taxon)
{
Expand Down Expand Up @@ -881,6 +883,7 @@ public function iSelectVariantForTheFirstImage(ProductVariantInterface $productV
/**
* @When I associate as :productAssociationType the :productName product
* @When I associate as :productAssociationType the :firstProductName and :secondProductName products
* @Then I should be able to associate as :productAssociationType the :productName product
*/
public function iAssociateProductsAsProductAssociation(
ProductAssociationTypeInterface $productAssociationType,
File: (name not captured)
Expand Up @@ -143,6 +143,7 @@ public function iDescribeItAs($description, $language)
/**
* @Given /^I set its (parent taxon to "[^"]+")$/
* @Given /^I change its (parent taxon to "[^"]+")$/
* @Then /^I should be able to change its (parent taxon to "[^"]+")$/
*/
public function iChangeItsParentTaxonTo(TaxonInterface $taxon)
{
11 changes: 10 additions & 1 deletion src/Sylius/Behat/Context/Ui/Shop/AddressBookContext.php
Expand Up @@ -41,8 +41,9 @@ public function __construct(

/**
* @Given I am editing the address of :fullName
* @When I want to edit the address of :fullName
*/
public function iEditAddressOf($fullName)
public function iEditAddressOf(string $fullName): void
{
$this->sharedStorage->set('full_name', $fullName);

Expand Down Expand Up @@ -350,6 +351,14 @@ public function addressShouldBeMarkedAsMyDefaultAddress(AddressInterface $addres
Assert::same($actualFullName, $expectedFullName);
}

/**
* @Then I should be able to update it without unexpected alert
*/
public function iShouldBeAbleToUpdateItWithoutUnexpectedAlert(): void
{
$this->addressBookUpdatePage->waitForFormToStopLoading();
}

/**
* @param string $fullName
*
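Review bot: the step name promises a check, but `iShouldBeAbleToUpdateItWithoutUnexpectedAlert` only calls `waitForFormToStopLoading()`; an unexpected alert surfaces as a driver exception rather than a failed assertion, and a silently mangled province value passes. Either rename the step to say what it does or add an assertion on the province field value after the wait.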
File: (name not captured)
Expand Up @@ -484,6 +484,14 @@ public function shouldHaveCountriesToChooseFrom(string ...$countries): void
Assert::same($availableBillingCountries, $countries);
}

/**
* @Then I should be able to update the address without unexpected alert
*/
public function iShouldBeAbleToUpdateTheAddressWithoutUnexpectedAlert(): void
{
$this->addressPage->waitForFormToStopLoading();
}

/**
* @return AddressInterface
*/
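Review bot: `iShouldBeAbleToUpdateTheAddressWithoutUnexpectedAlert` is not an assertion; `waitForFormToStopLoading()` alone succeeds whether or not the province value survived re-rendering. Check the billing province field value after the wait so the step verifies something beyond the absence of a driver exception.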
5 changes: 5 additions & 0 deletions src/Sylius/Behat/Page/Shop/Account/AddressBook/UpdatePage.php
Expand Up @@ -71,6 +71,11 @@ public function selectCountry(string $name): void
JQueryHelper::waitForFormToStopLoading($this->getDocument());
}

public function waitForFormToStopLoading(): void
{
JQueryHelper::waitForFormToStopLoading($this->getDocument());
}

public function saveChanges(): void
{
JQueryHelper::waitForFormToStopLoading($this->getDocument());
File: (name not captured)
Expand Up @@ -29,5 +29,7 @@ public function selectProvince(string $name): void;

public function selectCountry(string $name): void;

public function waitForFormToStopLoading(): void;

public function saveChanges(): void;
}
5 changes: 5 additions & 0 deletions src/Sylius/Behat/Page/Shop/Checkout/AddressPage.php
Expand Up @@ -281,6 +281,11 @@ public function getAvailableBillingCountries(): array
return $this->getOptionsFromSelect($this->getElement('billing_country'));
}

public function waitForFormToStopLoading(): void
{
JQueryHelper::waitForFormToStopLoading($this->getDocument());
}

protected function getDefinedElements(): array
{
return array_merge(parent::getDefinedElements(), [
2 changes: 2 additions & 0 deletions src/Sylius/Behat/Page/Shop/Checkout/AddressPageInterface.php
Expand Up @@ -81,4 +81,6 @@ public function getAvailableBillingCountries(): array;
public function isDifferentShippingAddressChecked(): bool;

public function isShippingAddressVisible(): bool;

public function waitForFormToStopLoading(): void;
}
File: (name not captured)
Expand Up @@ -10,6 +10,7 @@
import 'semantic-ui-css/components/api';
import 'semantic-ui-css/components/checkbox';
import $ from 'jquery';
import { sanitizeInput } from "sylius/ui/sylius-sanitizer";

const createRootContainer = function createRootContainer() {
return $('<div class="ui list"></div>');
Expand Down Expand Up @@ -81,7 +82,7 @@ $.fn.extend({
onSuccess(response) {
response.forEach((leafNode) => {
leafContainerElement.append((
createLeafFunc(leafNode.name, leafNode.code, leafNode.hasChildren, multiple, leafNode.level)
createLeafFunc(sanitizeInput(leafNode.name), sanitizeInput(leafNode.code), leafNode.hasChildren, multiple, leafNode.level)
));
});
content.append(leafContainerElement);
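Review bot: `leafNode.code` is HTML-encoded before it is handed to `createLeafFunc`, but a taxon code is data, not display text. If `createLeafFunc` splices the code into an HTML string the encoding is right; if it assigns it through `.val()`, `.attr()` or `.data()`, the entities become the literal value that is posted back, and any code containing `&`, `<` or a quote would no longer match the server-side code. Encode at the point where the string is spliced into HTML rather than at the data layer, or confirm taxon codes are restricted to characters the sanitizer leaves untouched. The same applies to the root-node call in the next hunk.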
Expand Down Expand Up @@ -169,7 +170,7 @@ $.fn.extend({
const rootContainer = createRootContainer();
response.forEach((rootNode) => {
rootContainer.append((
createLeaf(rootNode.name, rootNode.code, rootNode.hasChildren, multiple, rootNode.level)
createLeaf(sanitizeInput(rootNode.name), sanitizeInput(rootNode.code), rootNode.hasChildren, multiple, rootNode.level)
));
});
tree.append(rootContainer);
File: (name not captured)
Expand Up @@ -8,9 +8,10 @@
*/

import $ from 'jquery';
import { sanitizeInput } from 'sylius/ui/sylius-sanitizer';

const getProvinceInputValue = function getProvinceInputValue(valueSelector) {
return valueSelector == undefined ? '' : `value="${valueSelector}"`;
return valueSelector == undefined ? '' : `value="${sanitizeInput(valueSelector)}"`;
};

$.fn.extend({
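Review bot: the province name is interpolated into a double-quoted `value="..."` attribute through `sanitizeInput`, so this fix is only complete if the sanitizer encodes `"` and not just `<` and `>`; `sylius-sanitizer` is not part of this diff, so please confirm it does, since the test payload `<img """><script>alert("XSS")</script>">` is built precisely to break out of that attribute. The `== undefined` loose comparison also treats `null` as undefined, which is probably intended, but spelling it out as `=== undefined || === null` would make that explicit.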
File: (name not captured)
Expand Up @@ -9,6 +9,7 @@

import 'semantic-ui-css/components/dropdown';
import $ from 'jquery';
import { sanitizeInput } from "./sylius-sanitizer";

$.fn.extend({
autoComplete() {
Expand Down Expand Up @@ -37,8 +38,8 @@ $.fn.extend({
},
onResponse(response) {
let results = response.map(item => ({
name: item[choiceName],
value: item[choiceValue],
name: sanitizeInput(item[choiceName]),
value: sanitizeInput(item[choiceValue]),
}));

if (!element.hasClass('multiple')) {
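Review bot: `item[choiceValue]` is HTML-encoded here, but the dropdown writes the selected `value` into the hidden input that is submitted, so a value containing `&` or a quote is posted back entity-encoded and will not match on the server. Encode `name` (which is rendered as HTML) but pass `value` through unencoded, letting the dropdown component escape it where it renders it.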
Expand Down Expand Up @@ -72,7 +73,7 @@ $.fn.extend({
onSuccess(response) {
response.forEach((item) => {
menuElement.append((
$(`<div class="item" data-value="${item[choiceValue]}">${item[choiceName]}</div>`)
$(`<div class="item" data-value="${item[choiceValue]}">${sanitizeInput(item[choiceName])}</div>`)
));
});
