Merge pull request #462 from clowder-framework/releasse/v1.23.0

Release/v1.23.0

Author: lmarini

.github/workflows/ci.yml

@@ -30,7 +30,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: github branch
         run: |
           if [ "${{ github.event.release.target_commitish }}" != "" ]; then
@@ -51,12 +51,12 @@ jobs:
           distribution: 'zulu'
           java-version: 8
       - name: Cache SBT ivy cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/.ivy2/cache
           key: ${{ runner.os }}-sbt-ivy-cache-${{ hashFiles('project/Build.scala') }}
       - name: Cache SBT
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/.sbt
           key: ${{ runner.os }}-sbt-${{ hashFiles('project/Build.scala') }}
@@ -85,7 +85,7 @@ jobs:
         ports:
           - 27017:27017
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: github branch
         run: |
           if [ "${{ github.event.release.target_commitish }}" != "" ]; then
@@ -130,7 +130,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: build
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: github branch
         run: |
           if [ "${{ github.event.release.target_commitish }}" != "" ]; then
@@ -177,13 +177,13 @@ jobs:
           done
           rm ${ZIPFILE}
           zip -r ${ZIPFILE} ${DIR}
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         with:
           name: clowder.zip
           path: target/universal/clowder-*.zip
       - name: Upload files to a GitHub release
         if: github.event_name == 'release' && github.event.action == 'created'
-        uses: svenstaro/upload-release-action@1.1.0
+        uses: svenstaro/upload-release-action@v2
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           tag: ${{ github.ref }}
@@ -207,7 +207,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: build
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: github branch
         run: |
           if [ "${{ github.event.release.target_commitish }}" != "" ]; then
@@ -237,18 +237,18 @@ jobs:
         with:
           path: ~/.sbt
           key: ${{ runner.os }}-sbt-${{ hashFiles('project/Build.scala') }}
-      - name: Set up Python 3.7
-        uses: actions/setup-python@v1
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v5
         with:
-          python-version: 3.7
+          python-version: 3.11
       - name: sbt doc
         run: ./sbt doc
         env:
           BRANCH: ${{ env.GITHUB_BRANCH }}
           VERSION: ${{ env.CLOWDER_VERSION }}
           BUILDNUMBER: ${{ github.run_number }}
           GITSHA1: ${{ github.sha  }}
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         with:
           name: ScalaDoc
           path: target/scala-*/api/
@@ -266,7 +266,7 @@ jobs:
           cd doc/src/sphinx/
           python -m pip install -r requirements.txt
           make html epub
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         with:
           name: HTML Documentation
           path: doc/src/sphinx/_build/html
@@ -279,13 +279,13 @@ jobs:
           key: ${{ secrets.SCP_KEY }}
           files: "doc/src/sphinx/_build/html/*"
           target: "CATS/${{ env.CLOWDER_VERSION }}/documentation/sphinx"
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         with:
           name: EPUB Documentation
           path: doc/src/sphinx/_build/epub/Clowder.epub
       - name: Upload files to a GitHub release
         if: github.event_name == 'release' && github.event.action == 'created'
-        uses: svenstaro/upload-release-action@1.1.0
+        uses: svenstaro/upload-release-action@v2
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           tag: ${{ github.ref }}

.github/workflows/docker.yml

@@ -23,7 +23,7 @@ on:
 
 # Certain actions will only run when this is the main repo.
 env:
-  main_REPO: clowder-framework/clowder
+  MAIN_REPO: clowder-framework/clowder
   DOCKERHUB_ORG: clowder
 
 jobs:
@@ -64,7 +64,7 @@ jobs:
             PLATFORM: "linux/amd64"
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       # calculate some variables that are used later
       - name: variable setup
@@ -115,11 +115,11 @@ jobs:
 
       # setup docker build
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Inspect Builder
         run: |
@@ -132,13 +132,13 @@ jobs:
       # login to registries
       - name: Login to DockerHub
         if: env.dockerhub != ''
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -147,7 +147,7 @@ jobs:
       # build the clowder docker images
       - name: Build and push ${{ matrix.IMAGE }}-build
         if: matrix.IMAGE == 'clowder'
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v6
         with:
           push: true
           context: ${{ matrix.FOLDER }}
@@ -164,7 +164,7 @@ jobs:
 
       - name: Build and push ${{ matrix.IMAGE }}-runtime
         if: matrix.IMAGE == 'clowder'
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v6
         with:
           push: true
           context: ${{ matrix.FOLDER }}
@@ -182,7 +182,7 @@ jobs:
       # build the other docker images
       - name: Build and push ${{ matrix.IMAGE }}
         if: matrix.IMAGE != 'clowder'
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v6
         with:
           push: true
           context: ${{ matrix.FOLDER }}
@@ -198,10 +198,10 @@ jobs:
 
       # update README at DockerHub
       - name: Docker Hub Description
-        if: env.dockerhub != '' && matrix.README != '' && github.event_name == 'push' && github.repository == env.main_REPO && env.BRANCH == 'main'
-        uses: peter-evans/dockerhub-description@v2
-        env:
-          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
-          DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
-          DOCKERHUB_REPOSITORY: ${{ env.DOCKERHUB_ORG }}/${{ matrix.IMAGE }}
-          README_FILEPATH: ${{ matrix.README }}
+        if: env.dockerhub != '' && matrix.README != '' && github.event_name == 'push' && github.repository == env.MAIN_REPO && env.BRANCH == 'main'
+        uses: peter-evans/dockerhub-description@v4
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+          repository: ${{ env.DOCKERHUB_ORG }}/${{ matrix.IMAGE }}
+          readme-filepath	: ${{ matrix.README }}

.github/workflows/swagger.yml

@@ -20,7 +20,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: openapi-lint 
         uses: mbowman100/swagger-validator-action@master

CHANGELOG.md

@@ -5,6 +5,18 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## 1.23.0 - 2025-07-31
+
+### Fixed
+- Fixed XSS in space creation by escaping name and description field. 
+- Fixed `NoSuchElementException` in spaces listing page when user is not defined. The error occurred when calling
+  `user.get.id` on an undefined user in the spaces ownership dropdown. Added proper user existence checks in 
+  `listSpaces.scala.html` and `miniList.scala.html` templates.
+- Removed refrences to repo.typesafe.com from sbt-launch.jar and build.scala
+- Removed iRods integration and dependencies. The iRods file storage service and plugin have been completely removed
+  from the codebase. Users who were using iRods for file storage will need to configure an alternative storage 
+  backend (filesystem, MongoDB GridFS, or AWS S3).
+
 ## 1.22.1 - 2023-11-10
 
 ### Fixed

Dockerfile

@@ -1,7 +1,7 @@
 # ----------------------------------------------------------------------
 # BUILD CLOWDER DIST
 # ----------------------------------------------------------------------
-FROM openjdk:8-jdk-bullseye as clowder-build
+FROM openjdk:8-jdk-bullseye AS clowder-build
 
 ARG BRANCH="unknown"
 ARG VERSION="unknown"
@@ -40,7 +40,7 @@ RUN rm -rf target/universal/clowder-*.zip clowder clowder-* \
 # ----------------------------------------------------------------------
 # BUILD CLOWDER
 # ----------------------------------------------------------------------
-FROM openjdk:8-jre-bullseye as clowder-runtime
+FROM openjdk:8-jre-bullseye AS clowder-runtime
 
 # environemnt variables
 ARG BRANCH="unknown"

app/controllers/Spaces.scala

@@ -7,6 +7,7 @@ import org.joda.time.DateTime
 import play.api.data.Forms._
 import play.api.data.{Form, Forms}
 import play.api.i18n.Messages
+import play.api.templates.HtmlFormat
 import play.api.{Logger, Play}
 import securesocial.core.providers.{Token, UsernamePasswordProvider}
 import services._
@@ -411,7 +412,7 @@ class Spaces @Inject() (spaces: SpaceService, users: UserService, events: EventS
                   formData => {
                     if (Permission.checkPermission(user, Permission.CreateSpace)) {
                       Logger.debug("Creating space " + formData.name)
-                      val newSpace = ProjectSpace(name = formData.name, description = formData.description,
+                      val newSpace = ProjectSpace(name = HtmlFormat.escape(formData.name).toString(), description = HtmlFormat.escape(formData.description).toString(),
                         created = new Date, creator = userId, homePage = formData.homePage,
                         logoURL = formData.logoURL, bannerURL = formData.bannerURL,
                         collectionCount = 0, datasetCount = 0, fileCount = 0, userCount = 0, spaceBytes = 0, metadata = List.empty,