Commit graph

2212 commits

Author SHA1 Message Date
Sascha Lenk
3becdd976d
vulnerability Path-relative stylesheet import (PRSSI) fix
Threat
Relative URLs can be dangerous since the browser may not determine the correct directory. If the HTML uses path-relative CSS links, it may be susceptible to path-relative stylesheet import (PRSSI) vulnerabilities. This could allow an attacker to take advantage of CSS imports with relative URLs by overwriting their target file.

Impact
An attacker may trick browsers into importing JavaScript or HTML code as a stylesheet. This has been shown to enable a number of different attacks, including
cross-site scripting (XSS) and exfiltration of CSRF tokens.

Solution
It is recommended to use absolute URLs for CSS imports. Alternatively, you can add the HTML "base" tag to the document, which defines the base URL or target location for all the relative URLs.
The vulnerability can also be mitigated by using the following best practices to harden the web pages:
• Set a DOCTYPE which does not allow Quirks mode as explained at https://hsivonen.fi/doctype/
• Set response header X-Frame-Options: deny
• Set response header X-Content-Type-Options: nosniff.

-----------
To me, the easiest way to fix this was adding the base URL. :)
2023-02-25 23:56:59 +01:00
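A small check for the conditions the commit above describes, written as an added example (it is not Part-DB code and not from the commit): it scans a response body for path-relative `<link rel="stylesheet">` hrefs, checks whether a `<base href>` pins them to a fixed location, and checks the doctype and the two response headers the commit lists. The sample pages, the `parts.example` host and the headers are constructed; the doctype check is a deliberate simplification that accepts only the HTML5 doctype and reports everything else for manual review.

```python
"""Check an HTML response for path-relative stylesheet imports (PRSSI) and the
hardening described in the commit above. Added example, not Part-DB code;
the sample pages and headers below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def is_path_relative(url: str) -> bool:
    """True when a URL resolves against the request *path* (e.g. 'css/app.css').
    Absolute (https://...), scheme-relative (//host/...) and root-relative
    (/assets/...) URLs do not move when an attacker appends path segments."""
    parts = urlsplit(url.strip())
    if parts.scheme or parts.netloc:
        return False
    return not parts.path.startswith("/")


class _StylesheetScanner(HTMLParser):
    """Collects the doctype, <base href> and path-relative stylesheet hrefs."""

    def __init__(self):
        super().__init__()
        self.doctype = None
        self.base_href = None
        self.relative_stylesheets = []

    def handle_decl(self, decl):
        # decl looks like 'DOCTYPE html' or 'DOCTYPE HTML PUBLIC "..." "..."'
        words = decl.split()
        if words and words[0].lower() == "doctype":
            self.doctype = " ".join(words[1:])

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base_href = a["href"]
        elif tag == "link":
            rels = (a.get("rel") or "").lower().split()
            href = a.get("href")
            if "stylesheet" in rels and href and is_path_relative(href):
                self.relative_stylesheets.append(href)


def check_prssi(html: str, headers: dict) -> list:
    """Return a list of findings; an empty list means nothing to report.
    `headers` maps response header names to values (case-insensitive lookup)."""
    scanner = _StylesheetScanner()
    scanner.feed(html)
    scanner.close()
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    findings = []

    if scanner.relative_stylesheets:
        if scanner.base_href is None:
            findings.append("path-relative stylesheet(s) without <base>: "
                            + ", ".join(scanner.relative_stylesheets))
        elif is_path_relative(scanner.base_href):
            # A relative <base> is itself resolved against the request path,
            # so it does not pin the stylesheets to a fixed location.
            findings.append("<base href> is path-relative: " + scanner.base_href)

    # Simplification (assumption): only the HTML5 doctype is accepted as
    # guaranteeing standards mode; any other or missing doctype is reported
    # for manual review against https://hsivonen.fi/doctype/.
    if (scanner.doctype or "").lower() != "html":
        findings.append("doctype does not guarantee standards mode: %r" % scanner.doctype)
    if h.get("x-content-type-options") != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if h.get("x-frame-options") != "deny":
        findings.append("X-Frame-Options is not 'deny'")
    return findings


# Constructed sample responses: before and after the fix described above.
VULNERABLE_HTML = """<html><head>
<link rel="stylesheet" href="css/app.css">
<link rel="stylesheet" href="/assets/site.css">
</head><body></body></html>"""

FIXED_HTML = """<!DOCTYPE html>
<html><head>
<base href="https://parts.example/">
<link rel="stylesheet" href="css/app.css">
</head><body></body></html>"""

HARDENED_HEADERS = {"X-Frame-Options": "deny",
                    "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    for name, page, hdrs in (("vulnerable", VULNERABLE_HTML, {}),
                             ("fixed", FIXED_HTML, HARDENED_HEADERS)):
        print(name, check_prssi(page, hdrs) or "OK")
```

The scanner only looks at `<link rel="stylesheet">`; `@import` rules inside `<style>` blocks and stylesheets referenced from scripts are not covered, so a clean result is a necessary check, not a proof. Run it against the raw response body (before any client-side rewriting) together with the actual response headers.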
Jan Böhmer
5b7f44f4ea
Merge pull request #225 from sascha988/patch-2
vulnerability XSS fix
2023-02-25 23:47:48 +01:00
Sascha Lenk
dc906bfb0f
vulnerability XSS fix
The "trans with" command is not automatically escaping the string, so this is an XSS (Cross-Site Scripting) vulnerability.
Tested string: https://URL-TO-PART-DB-SERVER/de/parts/search?keyword=%22'%3E%3Cqss%20a%3D X147208852Y1_1Z%3E

QUALYS Enterprise WAS Scan Report classifies this as a level 5 security risk
2023-02-25 22:42:03 +01:00
Jan Böhmer
b70c9d4f00
Merge pull request #223 from sascha988/patch-1
Translated parts_list.search.searching_for
2023-02-25 21:06:44 +01:00
Sascha
03e0584279
Translated parts_list.search.searching_for
Translated English text string parts_list.search.searching_for into German.
2023-02-25 21:05:00 +01:00
Jan Böhmer
9dd172df98
Bumped version to 1.0.1 release 2023-02-20 12:26:23 +01:00
Jan Böhmer
d3659858eb Updated dependencies 2023-02-20 00:57:00 +01:00
Jan Böhmer
b637f5c3dd Exempt label dialog PDF preview from darkmode blending
It should show real colors, instead of the darkmode
2023-02-20 00:26:56 +01:00
Jan Böhmer
05ab3c3b7b Fixed image display style for odd-shaped (very small) images. 2023-02-20 00:24:12 +01:00
Jan Böhmer
f9d5a9a3b5 Fixed problem with failing foreign key constraints on preview pic (2/2) 2023-02-20 00:09:23 +01:00
Jan Böhmer
82aec6f1ee Fixed problem with failing foreign key constraints on preview pic (1/2) 2023-02-20 00:06:00 +01:00
Jan Böhmer
c39a9a4da7 Added checkbox in parts table header to quickly select/unselect all parts 2023-02-19 23:04:51 +01:00
Jan Böhmer
9d1cd0477a Fixed problems with non-unique prototype names when using nested collection type, which prevented creating nested entries with multiple new sub entries.
We now use a unique prototype name for every collection field. This fixes issue #219
2023-02-19 22:39:26 +01:00
Jan Böhmer
1e998fccbb Put delete option on multiaction select in its own optgroup so it does not look like it belongs to the project optgroup 2023-02-19 21:58:55 +01:00
Jan Böhmer
2fcd48d4f2 Fixed error when cloning a label profile
An attachment type with the same ID was retrieved from the DB, which was not cloneable for the form...
2023-02-19 21:56:10 +01:00
Jan Böhmer
4e79bb120a Bumped version to 1.0.1-dev 2023-02-19 21:46:27 +01:00
Jan Böhmer
2d85734703 Use having clause for part amountSum filter constraint
This fixes issue #218
2023-02-19 21:45:38 +01:00
Jan Böhmer
ccb0ac63e1 Updated list of missing features in upgrade docs. 2023-02-16 01:22:40 +01:00
Jan Böhmer
e47b5090c7 Removed the double composer install command from assets artifact build action 2023-02-13 00:55:35 +01:00
Jan Böhmer
4f51b70540 Renamed assets artifact build action 2023-02-13 00:52:30 +01:00
Jan Böhmer
19af268efe Bumped version to 1.0.0 2023-02-13 00:51:38 +01:00
Jan Böhmer
a32d5625f2 Merge remote-tracking branch 'origin/l10n_master' 2023-02-13 00:50:12 +01:00
Jan Böhmer
da97a10033 Added action to build artifacts 2023-02-13 00:49:58 +01:00
Jan Böhmer
43137043cf New translations messages.en.xlf (English) 2023-02-13 00:39:07 +01:00
Jan Böhmer
67aa6dd7e4 Do not run actions on localization branches
This often fails and causes a lot of email traffic...
2023-02-13 00:34:13 +01:00
Jan Böhmer
c4757fcba7 Added link to demo and docker image to README header 2023-02-12 23:55:23 +01:00
Jan Böhmer
54292dacbd Added screenshots to README.md 2023-02-12 23:52:38 +01:00
Jan Böhmer
5ba37d88f4 Cropped one of the screenshots 2023-02-12 23:51:53 +01:00
Jan Böhmer
5905b51025 Added some screenshots for README.md 2023-02-12 23:48:05 +01:00
Jan Böhmer
db1ee28244 Updated yarn dependencies. 2023-02-12 23:40:36 +01:00
Jan Böhmer
ee2ea6cd01 Merge remote-tracking branch 'origin/l10n_master' 2023-02-12 23:37:13 +01:00
Jan Böhmer
b8171f99ba Improved README and docs 2023-02-12 23:37:09 +01:00
Jan Böhmer
9b6fa2768f New translations messages.en.xlf (English) 2023-02-12 23:24:03 +01:00
Jan Böhmer
fe69e1a863 New translations messages.en.xlf (German) 2023-02-12 23:24:00 +01:00
Jan Böhmer
421f2682d6 Improved documentation 2023-02-12 23:23:38 +01:00
Jan Böhmer
d219851143 Only tag releases as docker latest 2023-02-12 21:47:24 +01:00
Jan Böhmer
cabd632f4a Merge remote-tracking branch 'origin/l10n_master' 2023-02-12 21:39:14 +01:00
Jan Böhmer
086147daa8 New translations messages.en.xlf (English) 2023-02-12 21:37:16 +01:00
Jan Böhmer
49a82f721d New translations messages.en.xlf (German) 2023-02-12 21:37:11 +01:00
Jan Böhmer
f80b114f1b New translations messages.en.xlf (German) 2023-02-12 21:04:04 +01:00
Jan Böhmer
ce3cecabaf Save project attachment files under "project/" instead of "device/" 2023-02-12 20:54:53 +01:00
Jan Böhmer
455acccc7e Use tagsinput for attachmenttype filetype filter to improve UX 2023-02-12 20:48:52 +01:00
Jan Böhmer
a165392a55 New translations messages.en.xlf (English) 2023-02-12 18:05:02 +01:00
Jan Böhmer
bfc3abd259 Fixed a JavaScript issue 2023-02-12 17:56:59 +01:00
Jan Böhmer
400cc44838 Properly destroy tomSelect on disconnect() 2023-02-12 17:53:10 +01:00
Jan Böhmer
f22d65cd24 Fixed behavior of datatables fixedHeader on subsequent ajax calls. 2023-02-12 17:46:09 +01:00
Jan Böhmer
c8bfe7f6d4 Localized more field names for edit log entry 2023-02-12 16:59:55 +01:00
Jan Böhmer
d7e7c9797f Fixed PHPStan issue 2023-02-12 14:06:32 +01:00
Jan Böhmer
1b8cc174c8 New translations messages.en.xlf (English) 2023-02-11 23:49:23 +01:00
Jan Böhmer
8ec70e93b4 New translations messages.en.xlf (Russian) 2023-02-11 23:49:21 +01:00