merge into master from develop #3200
- Fixed create Data Source in new UI; - Fixed update Meta Data Point in new UI;
- Fixed Legend report;
- revert Legend report;
- Fixed Legend report;
…_name_in_legend_report_for_escape_characters #3049 Fixed visible point name in legend report for escape characters:
#3050 XSS in Reports names
- Fixed EventList.vue;
…rected Common.java;
…event_XSS_for_REST_API_by_escape_String_content2 # Conflicts: # src/com/serotonin/mango/vo/report/SeriesIdentifier.java
- Using class XssProtectUtils (use Spring) instead of Security class from dwr; - Rename classes: XssProtectHtmlUtils to XssProtectUtils, XssUtils to XssValidatorUtils; - Changed private to public no-args constructor for class XssProtectUtils; - Added Data Point information to console log in ScriptExecutor.convertContext;
- Created css class formLongFieldSizing; - Added attribute title and css class formLongFieldSizing in pointProperties.jsp for name fields; - Set width 60%/40% in dataPointEdit.jsp; - Use c:out in pointProperties.jsp for name and description fields;
- Set max-width to 650px
- Fixed XSS Event List on new UI;
- Removed unused import in PointProperties\index.vue; - Added @XssProtect annotation to fields deviceName, datasourceName, dataSourceXid in DataPointJson, to fields oid, binary0Value in SnmpPointLocatorJson, to fields updateCronPattern in MetaPointLocatorJson, to fields charset in ModbusIpPointLocatorJson;
- Reload the page;
…T_API_by_escape_String_content2 #2985 Prevent XSS for REST API by escape String content:
…oint_properties_page_has_a_limited_visible_length #3036 point name in point properties page has a limited visible length
- removed deprecated methods: DataPointService.save(User user, String value, String xid, int pointValueType); setPoint(User user, DataPointVO point, String valueStr); saveAPI(User user, String value, String xid); - moved TestUtils to utils package;
- Refactoring ValidationUtils.isCyclicDependency
…n_Cyclic_dependency_for_Meta_Data_Point #3055 Added validation Cyclic dependency for Meta Data Point:
…ces list view Added details for BACnet data points in description field on data source list view
fix/#3061_Fixed_missing_column_typeId_for_event_handlers
Added option to set modbus data point slave id to range from 0 to 255 instead of range from 1 to 255
Changed selector in data point edit view as well as in point links view and publisher edit view
…_of_list_of_points_in_BacNet_source_in_data_sources_list_view #3058 Improve content of list of points in BacNet source in data sources list view
- Corrected scadalts.security.js.access;
- upgrade gradle version to 8.14.3
- corrected command
- Added setup gradle
- set cache gradle
- added install java 17
- added install java 17
- wrapper --gradle-version=8.14.3
- update setup-java to v4
- cache: 'gradle'
- use gradle/actions/setup-gradle with gradle-version: '8.14.3'
- use gradle/actions/setup-gradle with gradle-version: '8.14.3' in: build.yml, master.yml
- update setup-java to v4
…rsion_in_Github_Action #3182 Force Gradle version in Github Action:
- Hide users for ImportTask, hide password toString; - Corrected UserService.populateUserPermissions - when assigning permissions, the permissions set in the user and in the profile are taken into account, so it does not change the behavior of this mechanism; - Corrected encoding: editAsciiFile.jsp, editNodaveS7.jsp; - Change logging level from info to warn in SetUnreliableDataPointsAction.call; - Used tag spring:message in eventList.jsp, img.tag; - Removed gradle-wrapper.properties, corrected gradle.properties; - Corrected SendUtils.java; - Corrected validation activeValueToSet, inactiveValueToSet in EventHandlerVO.validate; - Corrected get watchlists with access in WatchListController;
- Set ERROR for recursiveLoggingLevel;
- Corrected configuration Gradle; (using the wrapper according to the recommendations of the gradle creators) - Corrected BACnetIPDataSourceRT in subscription mode;
- No sorted points on watchlist; (depending on user order config)
Release/2.8.0
JavaScript Mocha Unit Test Results: 268 tests, 268 ✅, 3s ⏱️. Results for commit 1cfaed4.
Java JUnit Test Results: 3 220 tests, 3 220 ✅, 51s ⏱️. Results for commit 1cfaed4.
Semgrep found 1 Risk: Affected versions of @babel/traverse, babel-traverse, @babel/plugin-transform-runtime, @babel/preset-env, @babel/helper-define-polyfill-provider, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-corejs3, babel-plugin-polyfill-es-shims, and babel-plugin-polyfill-regenerator are vulnerable to Incomplete List Of Disallowed Inputs. An attacker can exploit a vulnerability in the internal Babel methods. Manual Review Advice: A vulnerability from this advisory is reachable if you use Babel to compile untrusted JavaScript. Fix: Upgrade this library to at least version 7.23.2 at Scada-LTS/scadalts-ui/package-lock.json:1253. Reference(s): GHSA-67hx-6x53-jw92, CVE-2023-45133
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
    name: semgrep/ci
    runs-on: ubuntu-latest
    env:
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
    container:
      image: returntocorp/semgrep
    if: (github.actor != 'dependabot[bot]')
    steps:
      - uses: actions/checkout@v4
      - run: semgrep ci
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, 4 months ago)
To fix this problem, the best practice is to explicitly define a minimal set of permissions for the job, restricting the GITHUB_TOKEN to only those access types required for the workflow's actions. In this case, setting permissions: contents: read at the job (semgrep) or workflow root ensures that the token can only read repository contents and does not have unnecessary write access.
- Insert a permissions: block with contents: read at the same indentation as runs-on: and other job properties (under jobs.semgrep).
- No other imports, methods, or definitions required.
| @@ -15,6 +15,8 @@ | ||
| jobs: | ||
| semgrep: | ||
| name: semgrep/ci | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
| env: | ||
| SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} |
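Review bot: the job-level permissions block (contents: read under jobs.semgrep) is sufficient for what this job visibly does, since actions/checkout@v4 only needs to read the repository and nothing in the job references GITHUB_TOKEN (the only token it uses is SEMGREP_APP_TOKEN from secrets); to keep that least-privilege default for any job added to this file later, consider also declaring the same permissions block at the workflow root, which the autofix text names as the alternative placement, instead of relying on the repository's default token permissions.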
No description provided.