Sascha Lenk
3becdd976d
vulnerability Path-relative stylesheet import (PRSSI) fix
...
Threat
Relative URLs can be dangerous since the browser may not determine the correct directory. If the HTML uses path-relative CSS links, it may be susceptible to path-relative
stylesheet import (PRSSI) vulnerabilities. This could allow an attacker to take advantage of CSS imports with relative URLs by overwriting their target file.
Impact
An attacker may trick browsers into importing JavaScript or HTML code as a stylesheet. This has been shown to enable a number of different attacks, including
cross-site scripting (XSS) and exfiltration of CSRF tokens.
Solution
It is recommended to use absolute URLs for CSS imports. Alternatively, you can add the HTML "base" tag in the document, which defines the base URL or target
location for all the relative URLs.
The vulnerability can also be mitigated by using the following best practices to harden the web pages:
• Set a DOCTYPE which does not allow Quirks mode as explained at https://hsivonen.fi/doctype/
• Set response header X-Frame-Options: deny
• Set response header X-Content-Type-Options: nosniff.
-----------
To me, the easiest way to fix this was adding the base URL. :)
2023-02-25 23:56:59 +01:00
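The commit above lists the conditions that make a path-relative stylesheet link risky and the three hardening measures it recommends. The following is an added example, not Part-DB's own code, that turns those points into a small defender-side check: it resolves a stylesheet href the way a browser does (against `<base href>` if declared, otherwise against the document URL), flags path-relative `<link rel="stylesheet">` hrefs when no `<base>` is present, checks for the HTML5 doctype, and reports which of the two recommended response headers are missing. The HTML sample, the URLs and the header sets are constructed for the example; only the WHATWG `URL` class is used, so it runs in Node or a browser.

```javascript
// Added example, not Part-DB's own code: a small defender-side check for the
// PRSSI conditions named in the commit. It uses only the WHATWG URL class, so
// it runs in Node or a browser. The HTML and URLs below are constructed samples.

// Resolve a stylesheet href the way a browser does: against <base href> when
// one is declared, otherwise against the document's own URL.
function resolveStylesheet(href, documentUrl, baseHref) {
  const base = baseHref ? new URL(baseHref, documentUrl).href : documentUrl;
  return new URL(href, base).href;
}

// 'absolute' (has a scheme, or is protocol-relative), 'root-relative' (single
// leading '/'), or 'path-relative' (anything else, e.g. "build/app.css").
function classifyHref(href) {
  if (/^[a-z][a-z0-9+.-]*:/i.test(href) || href.startsWith('//')) return 'absolute';
  if (href.startsWith('/')) return 'root-relative';
  return 'path-relative';
}

// Only the HTML5 doctype is recognised here; other doctypes that trigger
// standards mode exist (see the hsivonen.fi page the commit links to).
function hasStandardsModeDoctype(html) {
  return /^\s*<!DOCTYPE\s+html\s*>/i.test(html);
}

// List <link rel="stylesheet"> hrefs and flag path-relative ones when no
// <base href> is present. Regex-based on purpose: enough for a lint of
// templates you control, not a general HTML parser.
function findRiskyStylesheets(html) {
  const baseMatch = /<base\b[^>]*\bhref\s*=\s*["']([^"']+)["']/i.exec(html);
  const baseHref = baseMatch ? baseMatch[1] : null;
  const findings = [];
  const linkRe = /<link\b[^>]*>/gi;
  let m;
  while ((m = linkRe.exec(html)) !== null) {
    const tag = m[0];
    if (!/\brel\s*=\s*["']?stylesheet\b/i.test(tag)) continue;
    const hrefMatch = /\bhref\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!hrefMatch) continue;
    const kind = classifyHref(hrefMatch[1]);
    findings.push({
      href: hrefMatch[1],
      kind,
      risky: kind === 'path-relative' && baseHref === null,
    });
  }
  return { baseHref, standardsMode: hasStandardsModeDoctype(html), findings };
}

// Report which of the two response headers the commit recommends are absent
// or carry a different value (name and value compared case-insensitively).
function missingHardeningHeaders(headers) {
  const want = { 'x-frame-options': 'deny', 'x-content-type-options': 'nosniff' };
  const got = {};
  for (const [name, value] of Object.entries(headers)) {
    got[name.toLowerCase()] = String(value).trim().toLowerCase();
  }
  return Object.entries(want)
    .filter(([name, value]) => got[name] !== value)
    .map(([name, value]) => `${name}: ${value}`);
}

// Constructed sample: one path-relative, one root-relative, one absolute link.
const SAMPLE_HTML = `<!DOCTYPE html><html><head>
<link rel="stylesheet" href="build/app.css">
<link rel="stylesheet" href="/build/vendor.css">
<link rel="stylesheet" href="https://cdn.example.test/lib.css">
</head><body></body></html>`;

// Demo: the same markup served at two paths resolves "build/app.css" to two
// different URLs; declaring <base href="/"> makes the resolution fixed.
function demo() {
  const shallow = 'https://example.test/de/parts/search';
  const deep = 'https://example.test/de/parts/search/extra/';
  console.log(resolveStylesheet('build/app.css', shallow, null));
  console.log(resolveStylesheet('build/app.css', deep, null));
  console.log(resolveStylesheet('build/app.css', deep, '/'));
  console.log(findRiskyStylesheets(SAMPLE_HTML).findings);
  console.log(missingHardeningHeaders({ 'X-Content-Type-Options': 'nosniff' }));
}
demo();
```

The first three resolutions show the root of the problem: the same `href="build/app.css"` points at `/de/parts/build/app.css` for one document URL and at `/de/parts/search/extra/build/app.css` for another, while a `<base href="/">` pins it to `/build/app.css` regardless of the path the page was requested under. The lint is deliberately strict about `X-Frame-Options`, reporting anything other than `deny`, because that is the value the commit recommends.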
Sascha Lenk
dc906bfb0f
vulnerability XSS fix
...
The "trans with" command is not automatically escaping the string, so this is an XSS (Cross-Site Scripting) vulnerability.
Tested string: https://URL-TO-PART-DB-SERVER/de/parts/search?keyword=%22'%3E%3Cqss%20a%3D X147208852Y1_1Z%3E
QUALYS Enterprise WAS Scan Report classifies this as a level 5 security risk
2023-02-25 22:42:03 +01:00
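The commit above describes a translation call whose placeholder parameters reach the page unescaped. The following is an added example, not Part-DB's own code and not a Twig snippet, that shows the fix pattern in plain JavaScript: a message catalogue with `%placeholder%` parameters is filled from a request value, the unsafe variant substitutes the value verbatim, and the safe variant HTML-escapes every parameter before interpolation. The catalogue, the function names and the probe string are constructed for this example.

```javascript
// Added example, not Part-DB's own code: the fix pattern for the escaping gap
// the commit describes, in plain JavaScript. A translated message with
// %placeholder% parameters is filled from a request value; the unsafe variant
// substitutes it verbatim, the safe variant HTML-escapes every parameter first.
// The message catalogue and the probe string are constructed for this example.

const MESSAGES = {
  'search.results_for': 'Search results for %keyword%',
};

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Replace each placeholder with its (transformed) value. split/join is used so
// that neither placeholder nor value is interpreted as a regex or "$" pattern.
function interpolate(template, params, transform) {
  let out = template;
  for (const [placeholder, value] of Object.entries(params)) {
    out = out.split(placeholder).join(transform(value));
  }
  return out;
}

// Mirrors a translation call that does not escape its parameters: whatever the
// request carried ends up in the markup unchanged.
function transUnsafe(id, params) {
  return interpolate(MESSAGES[id], params, (v) => String(v));
}

// Mirrors the fixed call: parameters are escaped before interpolation, so the
// message text itself may contain markup but the parameters never can.
function transSafe(id, params) {
  return interpolate(MESSAGES[id], params, escapeHtml);
}

// Constructed probe in the spirit of the scanner string quoted in the commit:
// it closes an attribute value and opens a new tag.
const PROBE = '"\'><qss a=1>';

function demo() {
  console.log(transUnsafe('search.results_for', { '%keyword%': PROBE }));
  console.log(transSafe('search.results_for', { '%keyword%': PROBE }));
}
demo();
```

The point of escaping the parameters rather than the whole rendered message is that the translated text is trusted and may legitimately contain markup, while the parameter comes from the request; escaping at the parameter level keeps both properties. Note that `escapeHtml` is not idempotent (an already escaped `&amp;` becomes `&amp;amp;`), so it must be applied exactly once, at the point where the value enters HTML.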
Jan Böhmer
05ab3c3b7b
Fixed image display style for odd shaped (very small) images.
2023-02-20 00:24:12 +01:00
Jan Böhmer
9d1cd0477a
Fixed problems with non-unique prototype names when using nested collection type, which prevented creating nested entries with multiple new sub entries.
...
We now use a unique prototype name for every collection field. This fixes issue #219
2023-02-19 22:39:26 +01:00
Jan Böhmer
1e998fccbb
Put delete option on multiaction select in its own optgroup so it does not look like it belongs to the project optgroup
2023-02-19 21:58:55 +01:00
Jan Böhmer
5f6671a5aa
Link to docs.part-db.de
2023-02-09 00:14:36 +01:00
Jan Böhmer
8f646e7e7b
Fixed toast position on large screens
2023-02-06 22:47:41 +01:00
Jan Böhmer
39765f05dd
Improved styling of part multiselect action
2023-02-06 00:33:57 +01:00
Jan Böhmer
7ff1584eb9
Fixed multi-part action selectors.
2023-02-06 00:08:32 +01:00
Jan Böhmer
b8da4c62d0
Show first steps on homepage when no parts were created yet.
2023-02-05 21:37:48 +01:00
Jan Böhmer
8447b8b42a
Removed links to old author pages (which do not work anymore)
2023-02-05 21:12:44 +01:00
Jan Böhmer
c088742dda
Added possibility to save parts and create an empty one
2023-02-05 21:00:26 +01:00
Jan Böhmer
13de2afc28
Improved styling of the parts info page
2023-02-05 20:50:19 +01:00
Jan Böhmer
5ea791eac7
Improved styling of image in structural entity select
2023-02-05 20:23:52 +01:00
Jan Böhmer
08b60cd149
Restrict small user avatar picture size to square
2023-02-05 20:06:53 +01:00
Jan Böhmer
a925597565
Show entity preview image on admin page
2023-02-05 20:00:11 +01:00
Jan Böhmer
3546385ed2
Moved favicon.ico to web root folder, as this is the location where a browser expects it
...
This prevents the browser from calling the PHP router to search for the (non-existing) favicon.ico
2023-02-05 00:18:07 +01:00
Jan Böhmer
a128f40358
Renamed AdminPages/ templates folder to recommended snake_case style
2023-02-04 23:34:39 +01:00
Jan Böhmer
1559b669df
Renamed form/ templates folder to recommended snake_case style
2023-02-04 23:21:36 +01:00
Jan Böhmer
12d4c2f4d9
Renamed label_system templates folder to recommended snake_case style
2023-02-04 23:15:11 +01:00
Jan Böhmer
06f86176b6
Renamed log_system template folder to recommended snake_case style
2023-02-04 23:09:36 +01:00
Jan Böhmer
9097220026
Renamed parts/ templates folder to recommended snake_case style
2023-02-04 23:05:39 +01:00
Jan Böhmer
e8efe81f79
Renamed projects/ template folder to recommended camel_case style
2023-02-04 23:03:32 +01:00
Jan Böhmer
5696f32a04
Renamed security template folder to recommended snake_case style
2023-02-04 22:59:43 +01:00
Jan Böhmer
dd5691f199
Renamed tools templates to the recommended snake_case style
2023-02-04 22:55:16 +01:00
Jan Böhmer
29e46d5d05
Renamed users templates folder to recommended snake_case
2023-02-04 22:49:28 +01:00
Jan Böhmer
d804184073
Fixed exception when mass creation of non-structural entities failed.
2023-02-03 23:27:49 +01:00
Jan Böhmer
3a9a6bbe76
Fixed styling of mass import hint on admin pages
2023-02-03 23:20:48 +01:00
Jan Böhmer
2e18065d5a
Replaced all occurrences of bootstrap-select with tomSelect
...
All choice fields should now use tomselect by default to improve user UX
2023-02-02 00:36:42 +01:00
Jan Böhmer
4a8480edce
Correctly render the Google Auth QRCode in darkmode
2023-02-01 23:17:03 +01:00
Jan Böhmer
08c97282a3
Allow to configure which themes should be available via parameters.yaml
2023-02-01 23:15:02 +01:00
Jan Böhmer
489b3e2c21
Use webpack entrypoints for bootstrap and bootswatch themes
...
This allows us to utilize the webpack versioning mechanism to avoid display issues when upgrading bootstrap
2023-02-01 22:58:39 +01:00
Jan Böhmer
672d55624f
Fixed CurrencyEntityType
2023-01-29 19:27:51 +01:00
Jan Böhmer
8d5427a1c3
Use tomselect for StructuralEntityType
2023-01-29 18:52:24 +01:00
Jan Böhmer
f085402cba
Show server time in system info page
...
This is useful for debugging issues with 2FA or wrong timestamps.
2023-01-29 13:09:54 +01:00
Jan Böhmer
07f95bc6ea
Added possibility to create nested structures of elements using Mass Import
2023-01-28 23:24:45 +01:00
Jan Böhmer
22950f2476
Validate that a part's name fulfills the regular expression set in a category
2023-01-28 21:36:19 +01:00
Jan Böhmer
58105575d3
Show part name hint in edit page, and default description and comment settings of a category now properly work
...
This fixes issue #196
2023-01-28 21:07:01 +01:00
Jan Böhmer
5e2209eb57
Removed references to mikrocontroller.net forum on homepage, as we use GitHub in English now.
2023-01-28 19:26:21 +01:00
Jan Böhmer
04c6d582f2
Make small user pictures hoverable to show larger version of profile picture.
2023-01-25 00:16:10 +01:00
Jan Böhmer
0063d360ce
Allow a user to change and remove his profile picture from user settings.
2023-01-25 00:10:17 +01:00
Jan Böhmer
daba6edf5d
Allow to edit user avatar via user admin page.
2023-01-23 23:58:11 +01:00
Jan Böhmer
97b87dee5f
Show user avatar next to its name, in all possible locations
2023-01-23 23:01:57 +01:00
Jan Böhmer
36323716c8
Improved builds tab on project info page
2023-01-22 23:47:14 +01:00
Jan Böhmer
2f42eb7cff
Allow to directly add build as stock to the associated builds part.
2023-01-22 23:27:45 +01:00
Jan Böhmer
015c71cbd2
Fixed exceptions on build page, when BOM contained non-part entries.
2023-01-22 17:37:01 +01:00
Jan Böhmer
bc9ed770ad
Improved frontend of build page
2023-01-22 17:34:10 +01:00
Jan Böhmer
616533ea4a
Withdraw selected part lots, when building
2023-01-22 16:59:58 +01:00
Jan Böhmer
31a20d0692
Validate ProjectBuildRequest
2023-01-22 14:13:56 +01:00
Jan Böhmer
83d734747a
Added a basic form to perform builds.
...
Logic does not work yet.
2023-01-22 00:01:16 +01:00