Bump pyopenssl from 17.5.0 to 24.2.1 in /backend #4265

Closed
wants to merge 9 commits into from
Closed
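--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -0,0 +1,34 @@
+version: 2
+updates:
+- package-ecosystem: github-actions
+directory: /
+schedule:
+interval: daily
+
+- package-ecosystem: pip
+directory: /backend
+schedule:
+interval: daily
+
+- package-ecosystem: pip
+directory: backend/requirements
+schedule:
+interval: "monthly"
+labels: [ ]
+ignore:
+- dependency-name: "*"
+
+- package-ecosystem: npm
+directory: /client
+schedule:
+interval: daily
+
+- package-ecosystem: docker
+directory: /docker
+schedule:
+interval: daily
+
+- package-ecosystem: pip
+directory: /documentation
+schedule:
+interval: daily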
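Review bot: The third update entry uses `directory: backend/requirements` without the leading `/` that every other entry in this file uses; Dependabot expects these paths relative to the repository root, so `directory: /backend/requirements` keeps it consistent and avoids a silently ignored entry. That same entry also sets `ignore: - dependency-name: "*"`, which suppresses version updates for everything in the per-distro requirement files, so the monthly schedule produces nothing on its own; if the intent is to keep those files tracking distro-packaged versions by hand, a one-line comment saying so would spare the next reader the guesswork. Note that this PR nevertheless bumps pyopenSSL in exactly those files, which appears to contradict the configuration being added here.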
5 changes: 4 additions & 1 deletion .github/workflows/build.yml
Expand Up @@ -2,12 +2,15 @@ name: Build

on: [ push, pull_request ]

# Declare default permissions as read only.
permissions: read-all

jobs:
run_build:
runs-on: "ubuntu-latest"
steps:
- name: Check out repository code
uses: actions/[email protected]
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 1

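Review bot: The checkout action is pinned to `692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7` here and in test.yml, while codacy.yml in the same PR pins `eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1`; pinning all three workflows to one commit makes the trust decision reviewable once and keeps the github-actions Dependabot entry from updating them out of step. Keep the trailing `# vX.Y.Z` comment on every pinned `uses:` line, since Dependabot uses it to recognise and refresh SHA pins. The `permissions: read-all` default is a good addition; any job that needs write scopes must now request them at job level.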
8 changes: 4 additions & 4 deletions .github/workflows/codacy.yml
Expand Up @@ -22,8 +22,8 @@ on:
schedule:
- cron: '33 6 * * 2'

permissions:
contents: read
# Declare default permissions as read only.
permissions: read-all

jobs:
codacy-security-scan:
Expand All @@ -36,7 +36,7 @@ jobs:
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1

# Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
- name: Run Codacy Analysis CLI
Expand All @@ -56,6 +56,6 @@ jobs:

# Upload the SARIF file generated in the previous step
- name: Upload SARIF results file
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13
with:
sarif_file: results.sarif
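Review bot: Replacing the workflow-level `permissions: contents: read` with `permissions: read-all` is fine only if the `codacy-security-scan` job still grants `security-events: write` at job level, because the `Upload SARIF results file` step (`github/codeql-action/upload-sarif`) cannot write to code scanning with read-only scopes; the job-level permissions are outside this hunk, so I cannot confirm they exist. If they are missing, add `permissions: security-events: write` under the job rather than widening the workflow default. Pinning both actions to a commit SHA with the version in a trailing comment is the right shape for supply-chain hygiene.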
2 changes: 1 addition & 1 deletion .github/workflows/scorecard.yml
Expand Up @@ -68,6 +68,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard (optional).
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13
with:
sarif_file: results.sarif
5 changes: 4 additions & 1 deletion .github/workflows/test.yml
Expand Up @@ -2,6 +2,9 @@ name: Test

on: [ push, pull_request ]

# Declare default permissions as read only.
permissions: read-all

env:
CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }}

Expand All @@ -10,7 +13,7 @@ jobs:
runs-on: "ubuntu-latest"
steps:
- name: Check out repository code
uses: actions/[email protected]
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 1

3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -19,10 +19,11 @@ The software is recognized by the [Digital Public Good Alliance](https://digital
Project best practices and scores:
| Metric | Score
| :---: | :---: |
| [OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/) | [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/3816/badge)](https://bestpractices.coreinfrastructure.org/projects/3816)
| [OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/ossf/scorecard/badge)](https://scorecard.dev/viewer/?uri=github.com/globaleaks/globaleaks-whistleblowing-software)
| [MDN HTTP Observatory](https://developer.mozilla.org/en-US/observatory/analyze?host=try.globaleaks.org) | ![Status](https://img.shields.io/badge/observatory-A%2B-brightgreen)
| [Security Headers](https://securityheaders.com/?q=https%3A%2F%2Ftry.globaleaks.org%2F) | ![Status](https://img.shields.io/badge/security%20headers-A%2B-brightgreen)
| [SSLLabs](https://www.ssllabs.com/ssltest/analyze.html?d=try.globaleaks.org) | [![Status](https://img.shields.io/static/v1?label=SSLLabs&message=A%2B&color=%3CCOLOR%3E)](https://www.ssllabs.com/ssltest/analyze.html?d=try.globaleaks.org&latest)
| [CII Best Practices](https://bestpractices.coreinfrastructure.org/) | [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/3816/badge)](https://bestpractices.coreinfrastructure.org/projects/3816)

Project statistics on OpenHub: [www.openhub.net/p/globaleaks](https://www.openhub.net/p/globaleaks)

2 changes: 1 addition & 1 deletion backend/requirements/requirements-bionic.txt
Expand Up @@ -3,7 +3,7 @@ cryptography==2.6.1
h2==3.0.1
idna==2.6
priority==1.3.0
pyopenSSL==17.5.0
pyopenSSL==24.2.1
pynacl==1.2
pyotp==2.2.6
python_gnupg==0.4.1
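Review bot: `pyopenSSL==24.2.1` is now pinned next to `cryptography==2.6.1` (visible in the hunk header), and pyOpenSSL 24.x declares a far newer cryptography as a hard requirement (to my knowledge 41.0.5 or later), so this file will no longer resolve with the distro-packaged cryptography it is meant to track. The same mismatch appears in requirements-buster.txt, requirements-focal.txt, requirements-bullseye.txt, requirements-jammy.txt and requirements-bookworm.txt, each of which keeps its own older cryptography pin. These per-distro files exist precisely so that versions match what the target release ships, which is also what the new dependabot.yaml entry with `ignore: "*"` for backend/requirements suggests; either bump cryptography and its dependents per distro as well, or keep pyOpenSSL at the distro version and let the security fix come from the distro.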
2 changes: 1 addition & 1 deletion backend/requirements/requirements-bookworm.txt
Expand Up @@ -3,7 +3,7 @@ cryptography==38.0.4
h2==4.1.0
idna==3.3
priority==2.0.0
pyopenSSL==23.0.0
pyopenSSL==24.2.1
pynacl==1.5.0
pyotp==2.6.0
python_gnupg==0.4.9
2 changes: 1 addition & 1 deletion backend/requirements/requirements-bullseye.txt
Expand Up @@ -3,7 +3,7 @@ cryptography==3.3.2
h2==4.0.0
idna==2.10
priority==1.3.0
pyopenSSL==20.0.1
pyopenSSL==24.2.1
pynacl==1.4.0
pyotp==2.3.0
python_gnupg==0.4.6
2 changes: 1 addition & 1 deletion backend/requirements/requirements-buster.txt
Expand Up @@ -3,7 +3,7 @@ cryptography==2.6.1
h2==3.0.1
idna==2.6
priority==1.3.0
pyopenSSL==19.0.0
pyopenSSL==24.2.1
pynacl==1.3.0
pyotp==2.2.7
python_gnupg==0.4.4
2 changes: 1 addition & 1 deletion backend/requirements/requirements-focal.txt
Expand Up @@ -3,7 +3,7 @@ cryptography==2.8
h2==3.1.1
idna==2.8
priority==1.3.0
pyopenSSL==19.0.0
pyopenSSL==24.2.1
pynacl==1.3.0
pyotp==2.3.0
python_gnupg==0.4.5
2 changes: 1 addition & 1 deletion backend/requirements/requirements-jammy.txt
Expand Up @@ -3,7 +3,7 @@ cryptography==3.4.8
h2==4.1.0
idna==2.10
priority==1.3.0
pyopenSSL==21.0.0
pyopenSSL==24.2.1
pynacl==1.5.0
pyotp==2.3.0
python_gnupg==0.4.8
2 changes: 1 addition & 1 deletion backend/requirements/requirements-noble.txt
Expand Up @@ -4,7 +4,7 @@ fpdf2==2.7.8
h2==4.1.0
idna==3.6
priority==2.0.0
pyopenSSL==23.2.0
pyopenSSL==24.2.1
pynacl==1.5.0
pyotp==2.9.0
python_gnupg==0.5.2
5 changes: 3 additions & 2 deletions client/app/src/app-guard.service.ts
Expand Up @@ -3,17 +3,18 @@ import {Router, UrlTree} from "@angular/router";
import {Observable} from "rxjs";
import {AuthenticationService} from "@app/services/helper/authentication.service";
import {AppDataService} from "@app/app-data.service";
import {UtilsService} from "@app/shared/services/utils.service";

@Injectable({
providedIn: "root"
})
export class SessionGuard {
constructor(private router: Router, private appDataService: AppDataService, public authenticationService: AuthenticationService) {
constructor(private router: Router, private appDataService: AppDataService, public authenticationService: AuthenticationService, protected utilsService: UtilsService) {
}

canActivate(): Observable<boolean | UrlTree> | Promise<boolean | UrlTree> | boolean | UrlTree {
if (!this.authenticationService.session) {
this.router.navigateByUrl("/login").then();
this.utilsService.routeGuardRedirect();
return false;
} else {
this.appDataService.page = this.router.url;
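Review bot: The new constructor parameter is declared `protected utilsService: UtilsService` while its siblings are `private`; unless a subclass of `SessionGuard` reads it, `private utilsService: UtilsService` keeps the modifiers consistent with the rest of the signature. `routeGuardRedirect()` is not visible in this hunk, so I cannot confirm what it does with the current URL; if it forwards it as a `redirect` query parameter for the login page, that value is consumed after login and must be treated as untrusted at the point of use, not here. `canActivate` continues past the end of the hunk.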
4 changes: 1 addition & 3 deletions client/app/src/models/authentication/session.ts
@@ -1,7 +1,4 @@
import {redirectResolverModel} from "../resolvers/redirect-resolver-model";

export class Session {
redirect: redirectResolverModel;
id: string;
role: string;
encryption: boolean;
Expand All @@ -13,6 +10,7 @@ export class Session {
two_factor: boolean;
permissions: { can_upload_files: boolean };
token: any;
redirect: string;
}

export interface Properties {
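Review bot: `redirect` changes type from `redirectResolverModel` to a bare `string` without any note on what the string is, and since it arrives from the server in the login response and is later fed to the router, the model should say so: `redirect: string; // server-supplied path; sanitized by AuthenticationService before any navigation`. A field comment is the only place a reader of this model learns that the value is not to be navigated to as-is. The class continues outside the hunk.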
67 changes: 37 additions & 30 deletions client/app/src/services/helper/authentication.service.ts
@@ -1,4 +1,4 @@
import {Injectable} from "@angular/core";
import {Injectable, SecurityContext} from "@angular/core";
import {LoginDataRef} from "@app/pages/auth/login/model/login-model";
import {HttpService} from "@app/shared/services/http.service";
import {Observable} from "rxjs";
Expand All @@ -10,6 +10,8 @@ import {TitleService} from "@app/shared/services/title.service";
import {HttpClient, HttpErrorResponse, HttpHeaders} from "@angular/common/http";
import {NgbModal} from "@ng-bootstrap/ng-bootstrap";
import {OtkcAccessComponent} from "@app/shared/modals/otkc-access/otkc-access.component";
import {DomSanitizer} from '@angular/platform-browser';


@Injectable({
providedIn: "root"
Expand All @@ -21,7 +23,7 @@ export class AuthenticationService {
requireAuthCode: boolean = false;
loginData: LoginDataRef = new LoginDataRef();

constructor(private http: HttpClient, private modalService: NgbModal,private titleService: TitleService, private activatedRoute: ActivatedRoute, private httpService: HttpService, private appDataService: AppDataService, private router: Router) {
constructor(private http: HttpClient, private modalService: NgbModal,private titleService: TitleService, private activatedRoute: ActivatedRoute, private httpService: HttpService, private appDataService: AppDataService, private router: Router, private sanitizer: DomSanitizer) {
this.init();
}

Expand Down Expand Up @@ -101,9 +103,11 @@ export class AuthenticationService {
requestObservable.subscribe(
{
next: (response: Session) => {
this.reset()
if (response.redirect) {
this.router.navigate([response.redirect]).then();
response.redirect = this.sanitizer.sanitize(SecurityContext.URL, response.redirect) || '';
if (response.redirect) {
this.router.navigate([response.redirect]).then();
}
}
this.setSession(response);
if (response && response && response.properties && response.properties.new_receipt) {
Expand All @@ -126,36 +130,39 @@ export class AuthenticationService {
};
return;
}
const src = this.activatedRoute.snapshot.queryParams['src'];
if (src) {
this.router.navigate([src]).then();
location.replace(src);

if (this.session.role === "whistleblower") {
if (password) {
this.appDataService.receipt = password;
this.titleService.setPage("tippage");
} else if (this.session.properties.operator_session) {
this.router.navigate(['/']);
}
} else {
if (this.session.role === "whistleblower") {
if (password) {
this.appDataService.receipt = password;
this.titleService.setPage("tippage");
} else if (this.session.properties.operator_session) {
this.router.navigate(['/']);
}
} else {
if (!callback) {
let redirect = this.activatedRoute.snapshot.queryParams['redirect'] || undefined;
this.reset();
redirect = this.activatedRoute.snapshot.queryParams['redirect'] || '/';
const redirectURL = decodeURIComponent(redirect);
if (redirectURL !== "/") {
this.router.navigate([redirectURL]);
} else {
this.appDataService.updateShowLoadingPanel(true);
this.router.navigate([this.session.homepage], {
queryParams: this.activatedRoute.snapshot.queryParams,
queryParamsHandling: "merge"
}).then();
}
if (!callback) {
this.reset();

let redirect = this.activatedRoute.snapshot.queryParams['redirect'] || undefined;
redirect = this.activatedRoute.snapshot.queryParams['redirect'] || '/';
redirect = decodeURIComponent(redirect);

if (redirect !== "/") {
redirect = this.sanitizer.sanitize(SecurityContext.URL, redirect) || '';

// Honor only local redirects
if (redirect.startsWith("/")) {
this.router.navigate([redirect]);
}
} else {
this.appDataService.updateShowLoadingPanel(true);
this.router.navigate([this.session.homepage], {
queryParams: this.activatedRoute.snapshot.queryParams,
queryParamsHandling: "merge"
}).then();
}
}
}

if (callback) {
callback();
}
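Review bot: `redirect = decodeURIComponent(redirect);` throws a URIError on malformed percent-encoding in the `redirect` query parameter and nothing catches it, so a broken or crafted login link aborts the post-login flow after `this.reset()` has already run; the assignment `let redirect = ... || undefined;` on the line before it is dead, since the next line overwrites it. The `startsWith("/")` guard is the right shape for a local-only redirect, but it still accepts protocol-relative `//host/path`, and the earlier hunk that handles `response.redirect` applies only `SecurityContext.URL` (which, to my knowledge, filters schemes rather than origins) with no local-path check at all, so the two redirect paths should share one guard. When the value is rejected the user is simply left on the login page; falling through to the homepage branch is the friendlier default. The enclosing method begins and ends outside the hunk.
```typescript
if (!callback) {
  this.reset();

  let redirect = this.activatedRoute.snapshot.queryParams['redirect'] || '/';
  try {
    redirect = decodeURIComponent(redirect);
  } catch {
    // Malformed percent-encoding: do not trust the value, use the default landing page.
    redirect = '/';
  }

  // Honor only local, same-origin paths; "//host" is protocol-relative and therefore not local.
  const isLocal = redirect.startsWith("/") && !redirect.startsWith("//");
  if (redirect !== "/" && isLocal) {
    redirect = this.sanitizer.sanitize(SecurityContext.URL, redirect) || '';
    if (redirect) {
      this.router.navigate([redirect]);
    }
  } else {
    // … unchanged: navigate to this.session.homepage with merged query params …
  }
}
```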
2 changes: 1 addition & 1 deletion client/app/src/shared/guards/receiver.guard.ts
Expand Up @@ -16,7 +16,7 @@ export class ReceiverGuard {
if (this.authenticationService.session) {
if(this.authenticationService.session.role === "receiver"){
this.appConfigService.setPage(this.router.url);
}else {
} else {
this.router.navigateByUrl("/login").then();
}
return true;
6 changes: 4 additions & 2 deletions client/app/src/shared/pipes/strip-html.pipe.ts
@@ -1,11 +1,13 @@
import {Pipe, PipeTransform} from "@angular/core";
import * as DOMPurify from 'dompurify';

@Pipe({
name: "stripHtml"
})
export class StripHtmlPipe implements PipeTransform {

transform(value: string): string {
return value.replace(/<[^>]*>?/gm, "");
// Use DOMPurify to sanitize input
return (DOMPurify as any).default.sanitize(value);
}
}
}
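Review bot: `(DOMPurify as any).default.sanitize(value)` changes what the pipe does: DOMPurify keeps allowed markup such as `<b>` or `<a>`, whereas the removed regex stripped every tag, so a template that binds the result as text now shows literal tags and one that binds it as HTML receives markup it never got before. If the pipe is still meant to strip, configure it for text-only output, `return DOMPurify.sanitize(value, {ALLOWED_TAGS: [], KEEP_CONTENT: true});`. The `as any` cast and the `.default` hop exist only to get past the namespace import; `import DOMPurify from 'dompurify';` removes both if the project's tsconfig enables `esModuleInterop`. A one-line TSDoc on `transform` stating whether the result is plain text or sanitized HTML would fix the contract for callers.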
2 changes: 2 additions & 0 deletions client/package.json
Expand Up @@ -45,6 +45,7 @@
"@ngx-translate/core": "15.0.0",
"@ngx-translate/http-loader": "8.0.0",
"@types/angular": "1.8.9",
"@types/dompurify": "3.0.5",
"@types/flowjs__flow.js": "2.13.3",
"@types/lodash-es": "4.17.12",
"@types/marked": "6.0.0",
Expand All @@ -54,6 +55,7 @@
"angularx-qrcode": "18.0.2",
"bootstrap": "5.3.3",
"chart.js": "4.4.4",
"dompurify": "3.1.7",
"lodash-es": "4.17.21",
"ng-multiselect-dropdown": "1.0.0",
"ng2-charts": "6.0.1",
2 changes: 1 addition & 1 deletion docker/Dockerfile
@@ -1,4 +1,4 @@
FROM debian:stable-slim
FROM debian:bookworm-slim@sha256:36e591f228bb9b99348f584e83f16e012c33ba5cad44ef5981a1d7c0a93eca22

RUN apt-get update -q && \
apt-get dist-upgrade -y && \