
WCAG Merge, localization, and custom fields fixes #87

Merged
merged 54 commits into from
May 30, 2018

Conversation

mostekcm
Contributor

@mostekcm mostekcm commented Feb 12, 2018

This is another fairly significant update. Phase 1 is to add validation support for the fields.

This does both client side and server side validation. The server side validation is really just to prevent users from circumventing the client side validation. It will also protect against role escalation by protecting against a user creating another user with a higher level role than they would have access to.

In order to make this considerably easier, I did a significant refactor on the dialogs. They are now using common code. This could potentially use another iteration as there is still a ton of template-able code in the dialogs.
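The server-side half of what the description above refers to, as an added example that is not code from auth0-delegated-admin or from this PR: a create-user validator that rejects a requested role ranked above the caller's own, and (following the "onlyTheseFields ... to avoid someone adding an extra field to tag along" commit below) drops any field the client is not allowed to set. The role names, their ordering, the allowed-field list and the `req.user.role` convention are assumptions made for this example.

```javascript
// Added example, not project code. Server-side guard against role escalation
// on user creation, plus an allow-list so extra request fields are discarded.

// ASSUMPTION: a linear role hierarchy; real deployments may differ.
const ROLE_RANK = { auditor: 1, user: 2, admin: 3 };

// ASSUMPTION: the only fields a caller may set when creating a user.
const ALLOWED_CREATE_FIELDS = ['email', 'username', 'password', 'role'];

// Keep only allow-listed keys so a client cannot smuggle in attributes
// (e.g. app_metadata) by editing the request body.
function pickAllowedFields(body, allowed = ALLOWED_CREATE_FIELDS) {
  const out = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

// Returns { ok, errors, data }. `data` is the sanitized payload when ok.
function validateCreateUser(callerRole, body) {
  if (!ROLE_RANK[callerRole]) {
    return { ok: false, errors: ['unknown caller role'], data: null };
  }
  const errors = [];
  const data = pickAllowedFields(body || {});

  // Field-level validation mirrors what the client does; it is repeated here
  // because the client checks can be bypassed.
  if (typeof data.email !== 'string' || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(data.email)) {
    errors.push('email is invalid');
  }
  if (data.password !== undefined && (typeof data.password !== 'string' || data.password.length < 8)) {
    errors.push('password must be at least 8 characters');
  }

  // Role check: the new user's role may never outrank the caller's.
  const requested = data.role === undefined ? 'user' : data.role;
  if (!ROLE_RANK[requested]) {
    errors.push(`unknown role: ${String(requested)}`);
  } else if (ROLE_RANK[requested] > ROLE_RANK[callerRole]) {
    errors.push(`role "${requested}" exceeds caller role "${callerRole}"`);
  }

  return {
    ok: errors.length === 0,
    errors,
    data: errors.length === 0 ? { ...data, role: requested } : null,
  };
}

// Express-style handler showing where the check sits. ASSUMPTION: an earlier
// auth middleware has set req.user.role from the caller's verified token.
function createUserHandler(req, res) {
  const result = validateCreateUser(req.user && req.user.role, req.body);
  if (!result.ok) {
    return res.status(400).json({ errors: result.errors });
  }
  // ... call the management API with result.data, never with req.body ...
  return res.status(201).json({ created: result.data.email });
}

module.exports = { ROLE_RANK, pickAllowedFields, validateCreateUser, createUserHandler };
```

The important design point is that the handler passes `result.data`, the sanitized copy, downstream rather than the raw `req.body`; the role comparison alone does not help if an unexpected field can still ride along to the management API.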

@Verlic

Verlic commented Feb 12, 2018

MD5: ff035bff2dcf972ee7dfd023455997ef

NSP - Security Report

This is an automated security audit of this project. Please do not modify its contents

Vulnerabilities found: 18
Affected Modules: hoek, hoek, hoek, hoek, superagent, superagent, superagent, mime, mime, mime, mime, mime, superagent, superagent, debug, fresh, safe-eval, superagent
Summary:

  • Prototype pollution attack
  • Prototype pollution attack
  • Prototype pollution attack
  • Prototype pollution attack
  • Large gzip Denial of Service
  • Large gzip Denial of Service
  • Large gzip Denial of Service
  • Regular Expression Denial of Service
  • Regular Expression Denial of Service
  • Regular Expression Denial of Service
  • Regular Expression Denial of Service
  • Regular Expression Denial of Service
  • Large gzip Denial of Service
  • Large gzip Denial of Service
  • Regular Expression Denial of Service
  • Regular Expression Denial of Service
  • Sandbox Breakout
  • Large gzip Denial of Service

Detailed report

Prototype pollution attack

Affected Module: hoek
Installed version: 2.16.3
Patched versions: > 4.2.0 < 5.0.0 || >= 5.0.3
Advisory: https://nodesecurity.io/advisories/566
Path: auth0-delegated-admin@3.0.0 > auth0-extension-express-tools@1.1.0 > webtask-tools@3.2.0 > boom@2.10.1 > hoek@2.16.3


Prototype pollution attack

Affected Module: hoek
Installed version: 2.16.3
Patched versions: > 4.2.0 < 5.0.0 || >= 5.0.3
Advisory: https://nodesecurity.io/advisories/566
Path: auth0-delegated-admin@3.0.0 > auth0-extension-tools@1.2.1 > jsonwebtoken@7.4.3 > joi@6.10.1 > hoek@2.16.3


Prototype pollution attack

Affected Module: hoek
Installed version: 2.16.3
Patched versions: > 4.2.0 < 5.0.0 || >= 5.0.3
Advisory: https://nodesecurity.io/advisories/566
Path: auth0-delegated-admin@3.0.0 > jsonwebtoken@7.4.3 > joi@6.10.1 > hoek@2.16.3


Prototype pollution attack

Affected Module: hoek
Installed version: 2.16.3
Patched versions: > 4.2.0 < 5.0.0 || >= 5.0.3
Advisory: https://nodesecurity.io/advisories/566
Path: auth0-delegated-admin@3.0.0 > webtask-tools@3.2.0 > boom@2.10.1 > hoek@2.16.3


Large gzip Denial of Service

Affected Module: superagent
Installed version: 1.8.5
Patched versions: >=3.7.0
Advisory: https://nodesecurity.io/advisories/479
Path: auth0-delegated-admin@3.0.0 > auth0-extension-express-tools@1.1.0 > webtask-tools@3.2.0 > superagent@1.8.5


Large gzip Denial of Service

Affected Module: superagent
Installed version: 1.8.5
Patched versions: >=3.7.0
Advisory: https://nodesecurity.io/advisories/479
Path: auth0-delegated-admin@3.0.0 > auth0-extension-tools@1.2.1 > webtask-tools@2.2.0 > superagent@1.8.5


Large gzip Denial of Service

Affected Module: superagent
Installed version: 1.8.5
Patched versions: >=3.7.0
Advisory: https://nodesecurity.io/advisories/479
Path: auth0-delegated-admin@3.0.0 > webtask-tools@3.2.0 > superagent@1.8.5


Regular Expression Denial of Service

Affected Module: mime
Installed version: 1.3.4
Patched versions: >= 1.4.1 < 2.0.0 || >= 2.0.3
Advisory: https://nodesecurity.io/advisories/535
Path: auth0-delegated-admin@3.0.0 > auth0-extension-express-tools@1.1.0 > webtask-tools@3.2.0 > superagent@1.8.5 > mime@1.3.4


Regular Expression Denial of Service

Affected Module: mime
Installed version: 1.3.4
Patched versions: >= 1.4.1 < 2.0.0 || >= 2.0.3
Advisory: https://nodesecurity.io/advisories/535
Path: auth0-delegated-admin@3.0.0 > auth0-extension-tools@1.2.1 > webtask-tools@2.2.0 > superagent@1.8.5 > mime@1.3.4


Regular Expression Denial of Service

Affected Module: mime
Installed version: 1.3.4
Patched versions: >= 1.4.1 < 2.0.0 || >= 2.0.3
Advisory: https://nodesecurity.io/advisories/535
Path: auth0-delegated-admin@3.0.0 > express@4.14.0 > send@0.14.1 > mime@1.3.4


Regular Expression Denial of Service

Affected Module: mime
Installed version: 1.3.4
Patched versions: >= 1.4.1 < 2.0.0 || >= 2.0.3
Advisory: https://nodesecurity.io/advisories/535
Path: auth0-delegated-admin@3.0.0 > superagent@1.2.0 > mime@1.3.4


Regular Expression Denial of Service

Affected Module: mime
Installed version: 1.3.4
Patched versions: >= 1.4.1 < 2.0.0 || >= 2.0.3
Advisory: https://nodesecurity.io/advisories/535
Path: auth0-delegated-admin@3.0.0 > webtask-tools@3.2.0 > superagent@1.8.5 > mime@1.3.4


Large gzip Denial of Service

Affected Module: superagent
Installed version: 2.3.0
Patched versions: >=3.7.0
Advisory: https://nodesecurity.io/advisories/479
Path: auth0-delegated-admin@3.0.0 > auth0-extension-express-tools@1.1.0 > auth0-extension-tools@1.3.1 > superagent@2.3.0


Large gzip Denial of Service

Affected Module: superagent
Installed version: 2.3.0
Patched versions: >=3.7.0
Advisory: https://nodesecurity.io/advisories/479
Path: auth0-delegated-admin@3.0.0 > auth0-extension-tools@1.2.1 > superagent@2.3.0


Regular Expression Denial of Service

Affected Module: debug
Installed version: 2.2.0
Patched versions: >= 2.6.9 < 3.0.0 || >= 3.1.0
Advisory: https://nodesecurity.io/advisories/534
Path: auth0-delegated-admin@3.0.0 > express@4.14.0 > debug@2.2.0


Regular Expression Denial of Service

Affected Module: fresh
Installed version: 0.3.0
Patched versions: >= 0.5.2
Advisory: https://nodesecurity.io/advisories/526
Path: auth0-delegated-admin@3.0.0 > express@4.14.0 > fresh@0.3.0


Sandbox Breakout

Affected Module: safe-eval
Installed version: 0.3.0
Patched versions: <0.0.0
Advisory: https://nodesecurity.io/advisories/337
Path: auth0-delegated-admin@3.0.0 > safe-eval@0.3.0


Large gzip Denial of Service

Affected Module: superagent
Installed version: 1.2.0
Patched versions: >=3.7.0
Advisory: https://nodesecurity.io/advisories/479
Path: auth0-delegated-admin@3.0.0 > superagent@1.2.0


Oleksandr Zarubin and others added 25 commits February 16, 2018 17:09
…t aren't defined as create fields, fix connection label bug
…sername back instead of description or log description if it is in the log
* localizable placeholders for custom fields

* localizable confirm dialog buttons

* errorTranslator function
* remove guardian fix; dashboard admin access_token fix

* remove multiple mfa
fix another en.json example
* localizable confirm dialog buttons

* errorTranslator function

* reload settings when settings hook is saved

* username field validation fix; email/username change fix
* localizable confirm dialog buttons

* localizable confirm dialog buttons

* errorTranslator function

* errorTranslator function

* localizable labels

* user info labels

* logs localization fixes; added missed logTypes; complete dictionary

* new setting props

* unit-tests

* restore nyc for unit-tests

* auditor (read-only) role
* localizable confirm dialog buttons

* localizable confirm dialog buttons

* localizable confirm dialog buttons

* errorTranslator function

* errorTranslator function

* errorTranslator function

* unit-tests

* restore nyc for unit-tests

* hidden label for searchBar

* dynamic page title

* image and icon titles

* Meaningful sequence: focus results after search; tests

* alternative custom css

* docs, examples and cleanup

* tests

* log description for user logs + tests

* locale
zxan1285 and others added 24 commits March 6, 2018 11:29
* localizable confirm dialog buttons

* errorTranslator function

* reload settings when settings hook is saved

* username field validation fix; email/username change fix

* localizable confirm dialog buttons

* localizable confirm dialog buttons

* errorTranslator function

* errorTranslator function

* localizable labels

* user info labels

* logs localization fixes; added missed logTypes; complete dictionary

* new setting props

* unit-tests

* restore nyc for unit-tests

* auditor (read-only) role

* hidden label for searchBar

* dynamic page title

* image and icon titles

* Meaningful sequence: focus results after search; tests
* mandatory locale

* edit.display for change forms

* get style settings instead of checking localstorage directly
extension-ui version + minor localization fixes
* locale url fixes, usersTable and display func fixes, dictionary request headers fix

* undefined css fix

The one thing I'm wondering is whether the redirectUri change will be a problem with the callbackUrls...  I'm not sure it should be necessary.  We should be able to find a way around that...
…ng lotType description, this should ONLY be used if you really don't want any non-localized values
* display for picture

* login redirect fix

* mfa tests fix

* listOrder fix
… have a field that gets set during password change
…or onlyTheseFields to only those fields to avoid someone adding an extra field to tag along
* requesting connections by stategy

* limit connections to 100

* use search_engine v3 by default; added SEARCH_ENGINE option

* searchEngine option added to the filter hook

* conn and clients multipart request

* fix "Running in Development" doc

* cleanup

* cleanup

* tools update

* filterBy prop for pagination
Default searchEngine option
@mostekcm mostekcm changed the title [DO NOT MERGE] WCAG Preview WCAG Merge, localization, and custom fields fixes May 30, 2018
@mostekcm mostekcm merged commit e2751f4 into auth0-extensions:master May 30, 2018
4 participants