Fixes and Updates to 1.50.4 (#56)

CHANGELOG.md

@@ -1,5 +1,13 @@
 # VINCE Changelog
 
+Version 1.50.4: 2022-10-05
+==========================
+
+UI improvements for vincetrack for search experience
+Performance tweaks for Tickets search use $queryset.count() instead len($queryset) when pagination is used
+Fix HTML injection vulnerabilities reported by Rapid7 researcher Nick Sanzotta (CVE-2022-40248,CVE-2022-40257)
+
+
 Version 1.50.3: 2022-09-16
 ==========================
 

vince/static/vince/js/search.js

@@ -55,24 +55,59 @@ function nextTickets(page) {
     });
 
 }
+function lockunlock(f) {
+    if(f) {
+	/* Show search is in progress */
+	$('div.vtmainbody').css({opacity:0.5});
+	if($('#searchresults > .loading').length != 1)
+	    $('#searchresults').prepend($('#hiddenloading').html());
+    } else {
+	/* Back to normal */
+	$('div.vtmainbody').css({opacity:1});
+	$('#searchresults > #loadingbanner').remove();
+    }
+}
+
 function searchTickets(e) {
     if (e) {
 	e.preventDefault();
     }
     $("#id_page").val("1");
     var url = "/vince/ticket/results/";
-    $.ajax({
+    lockunlock(true);
+    window.txhr = $.ajax({
 	url: url,
 	type: "POST",
 	data: $('#searchform').serialize(),
 	success: function(data) {
+	    lockunlock(false);
 	    $("#searchresults").html(data);
+	},
+	error: function() {
+	    lockunlock(false);	    
+	    console.log(arguments);
+	    alert("Search failed or canceled! See console log for details.");
+	},
+	complete: function() {
+	    /* Just safety net */
+	    lockunlock(false);	    
+	    delete window.txhr;
 	}
     });
 }
 
 $(document).ready(function() {
 
+    $(document).keyup(function(e) {
+	if (e.key === "Escape") { 
+	    if('txhr' in window && 'abort' in window.txhr) {
+		console.log("Aborting search because user hit Escape");
+		window.txhr.abort();
+		delete window.txhr;
+	    }
+	}
+    });
+
     $(document).on("click", '.search_page', function(event) {
 	var page = $(this).attr('next');
 	nextPage(page);

vince/static/vince/js/vincefoundation.js

@@ -30,3 +30,36 @@
 
 $(document).foundation();
 
+$(function() {
+    $('.dateprinted').on('click',function(event) {
+	event.preventDefault();
+	let mdate = new Date();
+	let unit = $(this);
+	let formats = ["defaultISO","toLocaleString","toString"]
+	let format = unit.attr("format");
+	if(!format) {
+	    try {
+		mdate = new Date(Date.parse(unit.html()));
+	    } catch(error) {
+		console.log("Error parsing date field "+String(error));
+		return;
+	    }
+	    unit.attr(formats[0],unit.html());	    
+	    for(let i=1; i < formats.length; i++) {
+		unit.attr(formats[i],mdate[formats[i]]());
+	    }
+	    unit.html(unit.attr(formats[1]));
+	    unit.attr("format",formats[1]);
+	    return;
+	} 
+	let findex = formats.findIndex(function(u) { return u == format});
+	findex = (findex + 1) %3;
+	if(unit.attr(formats[findex])) {
+	    unit.html(unit.attr(formats[findex]));
+	    unit.attr("format",formats[findex]);
+	}
+
+    });
+
+
+});

vince/templates/vince/base_public.html

@@ -24,6 +24,7 @@
     {#<link rel="stylesheet" type="text/css" href="{% static 'vince/css/dropzone.css' %}" />#}
     <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet">
     <link rel="stylesheet" type="text/css" href="{% static 'vince/css/fontawesome/all.css' %}" />
+
     <link rel="stylesheet" type="text/css" href="{% static 'vince/css/taggle.css' %}">
     <link rel="shortcut icon" href="{% static 'vince/images/favicon.ico' %}" type="image/x-icon" />
 
@@ -40,6 +41,9 @@
   </head>
 
   <body id="top-body">
+    <div id="hiddenloading" style="display:none">
+      <p id="loadingbanner" class="loading text-center"><span>L</span><span>O</span><span>A</span><span>D</span><span>I</span><span>N</span><span>G</span></p>
+    </div>
     <div class="off-canvas-wrapper">
       <div class="off-canvas position-top" id="offCanvas" data-off-canvas>
         <div class="row column">

vince/templates/vince/case_summary.html

@@ -36,17 +36,17 @@
 	  <tr><th width="200">{% trans "Status" %}</th>
 	    <td>{% if case.lotus_notes %}{% else %}<a href="{% url 'vinny:vincase' case.id %}" target="_blank"><span class="label primary">VINCEComm</span></a>  {% endif %}{% if case.status == 1 %}<span class="label success">Active</span>{% else %}<span class="label info">Inactive</span>{% endif %}  <a href="{% url 'vince:updateconfirm' case.id %}" id="changestatus"><i class="fas fa-edit"></i></a></td>
 	  </tr>
-	  <tr><th>{% trans "Public" %}</th><td>{% if case.publicdate %}<span class="label success">Public</span>  {{ case.publicdate|date:"Y-m-d" }} {% if case.publicurl %}<a class="publicurl" href="{{case.publicurl}}" target="_blank"><i class="fas fa-external-link-alt"></i> {{ case.publicurl|smarter_urlize:50 }}</a>{% endif %}{% else %}<span class="label warning">Not Public</span>{% endif %}</td>
+	  <tr><th>{% trans "Public" %}</th><td>{% if case.publicdate %}<span class="label success">Public</span>  <span class="dateprinted" title="Click toggle formats">{{ case.publicdate|date:"Y-m-d H:i:sO" }}</span> {% if case.publicurl %}<a class="publicurl" href="{{case.publicurl}}" target="_blank"><i class="fas fa-external-link-alt"></i> {{ case.publicurl|smarter_urlize:50 }}</a>{% endif %}{% else %}<span class="label warning">Not Public</span>{% endif %}</td>
 	  </tr>
-	  <tr><th>{% trans "Date Created" %}</th><td> {{ case.created|date:"Y-m-d g:i:s A" }}</td>
+	  <tr><th>{% trans "Date Created" %}</th><td> <span class="dateprinted" title="Click toggle formats">{{ case.created|date:"Y-m-d H:i:sO" }}</span></td>
 	  </tr>
 	  <tr>
 	    <th>{% trans "Estimated Date Public" %}</th>
-	    <td>{{ case.due_date|date:"Y-m-d" }} ({{ case.due_date|naturaltime }})</td>
+	    <td><span class="dateprinted" title="Click toggle formats">{{ case.due_date|date:"Y-m-d H:i:sO" }}</span> ({{ case.due_date|naturaltime }})</td>
           </tr>
 	    {% if case.published %}
 	  <tr><th width="200">{% trans "Published" %}</th>
-	    <td><span class="label badge-tag-success">Published</span>  {{ vulnote.date_published|date:"Y-m-d" }}: <a href="{% url 'vincepub:vudetail' case.vuid %}" target="_blank" rel="noopener">View Vulnerability Note</a></td>
+	    <td><span class="label badge-tag-success">Published</span>  <span class="dateprinted" title="Click toggle formats">{{ vulnote.date_published|date:"Y-m-d H:i:sO" }}</span>: <a href="{% url 'vincepub:vudetail' case.vuid %}" target="_blank" rel="noopener">View Vulnerability Note</a></td>
 	  </tr>
 	  {% endif %}
 	  <tr><th>{% trans "Case Permissions" %}</th>
@@ -87,7 +87,7 @@
 
 	    </th>
 	    <td><ul>{% for r in reminders %}
-		<li><i>{{r.alert_date|date:"Y-m-d"}}</i> "{{ r }}" <small><b>for {{r.user.usersettings.preferred_username}}</b></small><a class="rmreminder" id="{{ r.id }}" action="{% url 'vince:rmreminder' %}">   <i class="fas fa-trash"></i></a></li>
+		<li><i><span class="dateprinted" title="Click toggle formats">{{r.alert_date|date:"Y-m-d H:i:sO"}}</span></i> "{{ r }}" <small><b>for {{r.user.usersettings.preferred_username}}</b></small><a class="rmreminder" id="{{ r.id }}" action="{% url 'vince:rmreminder' %}">   <i class="fas fa-trash"></i></a></li>
 	      {% empty %}
               <p>{% trans "This case has no reminders." %}</p>
               {% endfor %}</ul>
@@ -111,7 +111,7 @@
     <div class="tabs-panel" id="cr">
       <div class="crview">
 	<div class="callout alert">
-	  <p>This case was not created from a CR. If you would like to share details about a vulnerability in VinceComm please add a CR.</p>
+	  <p>This case was not created from a CR or a ticket. If you would like to share details about a vulnerability in VinceComm please add a CR.</p>
 	</div>
 	<a href="{% url 'vince:newcrcase' case.id %}"><button class="button secondary">Add a CR</button></a>
       </div>

vince/templates/vince/include/preview_inline.html

@@ -104,8 +104,12 @@ <h3 name="Cvss">CVSS Metrics</h3>
 	<div class="large-12 columns">
 	  <h3 name="References">References</h3>
 	  <ul>
-	  {% for ref in references %}
-	  <li><a href="{{ref}}" class="vulreflink" target="_blank" rel="noopener">{{ ref }}</a></li>
+	    {% for ref in references %}
+	    {% if ref|slice:":7" in "http://,https:/" %}
+            <li><a href="{{ref}}" class="vulreflink safereflink" target="_blank" rel="noopener">{{ ref }}</a></li>
+            {% else %}
+            <li>{{ref}}</li>
+            {% endif %}
           {% endfor %}
 	  </ul>
 	</div>
@@ -160,6 +164,7 @@ <h3 name="Other">Other Information</h3>
 	</div>
     </div>
   </div>
+  {% include "vincepub/detail_sidebar.html" %}
 </div>
 
 {% endblock %}

vince/templates/vince/searchresults.html

@@ -34,9 +34,9 @@
       <div class="row">
 	<div class="large-12 medium-12 small-12 columns">
           {% if total %}
-          <div class="resultCount"> Showing results {{ object_list.start_index }} - {{ object_list.end_index }} of {{ total }} Results </div>
+          <div class="resultCount"> Showing results {{ object_list.start_index }} - {{ object_list.end_index }} of <span id="resultTotal">{{ total }}</span> Results </div>
           {% elif paginator.count %}
-          <div class="resultCount"> {{ paginator.count }} Results </div>
+          <div class="resultCount"> <span id="resultTotal">{{ paginator.count }}</span> Results </div>
           {% endif %}
 	</div>
       </div>

vince/templates/vince/ticket_activity.html

@@ -23,7 +23,7 @@ <h3 class="section-title">{% trans "Activity" %}</h3>
 	    {% endautoescape %}
 	  </div>
 	  <div class="article-row-content">
-            <p class="article-row-content-description">{{ followup.title|email_to_user }} {% if followup.title in "Comment,Closed" and followup.user == user %} <small><a href="{% url 'vince:followup_edit' followup.id %}" class='followup-edit'><i class="fas fa-edit" title="Edit this comment"></i></a></small>{% elif "Email" in followup.title %}{% if followup.email_id %}<span class="email-detail" title="{{ followup.email_id }} in {{ followup.email_bucket }}"><i class="fas fa-envelope-open-text"></i></span>{% endif %}{% endif %}</p>
+            <p class="article-row-content-description trescaped">{{ followup.title|escape|email_to_user }} {% if followup.title in "Comment,Closed" and followup.user == user %} <small><a href="{% url 'vince:followup_edit' followup.id %}" class='followup-edit'><i class="fas fa-edit" title="Edit this comment"></i></a></small>{% elif "Email" in followup.title %}{% if followup.email_id %}<span class="email-detail" title="{{ followup.email_id }} in {{ followup.email_bucket }}"><i class="fas fa-envelope-open-text"></i></span>{% endif %}{% endif %}</p>
 	    <p class="article-row-content-detail">
 	      {% if followup.comment|is_json %}
 	      <div class="long_text_container">

vince/templates/vince/ticket_table.html

@@ -5,7 +5,7 @@
 
 <div class="row align">
   <div class="large-9 medium-8 small-12 columns">
-    <h3>{{ ticket.title|email_to_user }}</h3>
+    <h3>{{ ticket.title|escape|email_to_user }}</h3>
     <p>Submitted by
       {% if message %}
       <a href="{% url 'vince:vinny_redirect' %}?next={% url 'vinny:thread_detail' message.thread %}"> {{ ticket.submitter_email }}</a>

vince/templates/vince/vendorstatus.html

@@ -166,8 +166,11 @@ <h3 class="modal-title">Vendor Statement for {{ vul.vul }} {% if vul.cve %}({{ v
 	    {% with refs=object.references|splitlines %}
             <ul class="ul_nobullet">
               {% for ref in refs %}
-              <li><a href="{{ref}}" class="vulreflink" target="_blank" rel="noopener">{{ ref }}</a>
-	      </li>
+	      {% if ref|slice:":7" in "http://,https:/" %}
+              <li><a href="{{ref}}" class="vulreflink safereflink" target="_blank" rel="noopener">{{ ref }}</a></li>
+              {% else %}
+              <li>{{ref}}</li>
+              {% endif %}
               {% endfor %}
 	    </ul>
 	    {% endwith %}

vince/templates/vince/vendorstatusmodal.html

@@ -50,7 +50,11 @@ <h3 class="modal-title">Statement from {{ vendor.vendor }}</h3>
 	  {% with refs=vendor.references|splitlines %}
           <ul class="ul_nobullet">
             {% for ref in refs %}
-            <li><a href="{{ref}}" class="vulreflink" target="_blank" rel="noopener">{{ ref }} </a>
+	    {% if ref|slice:":7" in "http://,https:/" %}
+            <li><a href="{{ref}}" class="vulreflink safereflink" target="_blank" rel="noopener">{{ ref }}</a></li>
+            {% else %}
+            <li>{{ref}}</li>
+            {% endif %}
             </li>
             {% endfor %}
           </ul>

vince/views.py

@@ -1698,9 +1698,9 @@ def post(self, request, *args, **kwargs):
         paginator = Paginator(res, 50)
 
         if self.request.POST.get('contact') or self.request.POST.get('submitted_by'):
-            return render(request, self.template_name, {'ticket_list': paginator.page(page), 'total': len(res) })
+            return render(request, self.template_name, {'ticket_list': paginator.page(page), 'total': res.count() })
         else:
-            return render(request, self.template_name, {'object_list': paginator.page(page), 'total': len(res), 'form': form })
+            return render(request, self.template_name, {'object_list': paginator.page(page), 'total': res.count(), 'form': form })
 
 
 class ActivityFilterResults(LoginRequiredMixin, TokenMixin, UserPassesTestMixin, generic.ListView):
@@ -1758,7 +1758,7 @@ def post(self, request, *args, **kwargs):
 
         paginator = Paginator(res, 50)
 
-        return render(request, self.template_name, {'activity': paginator.page(page), 'paginator': 1, 'total': len(res) })
+        return render(request, self.template_name, {'activity': paginator.page(page), 'paginator': 1, 'total': res.count() })
 
 class ActivityView(LoginRequiredMixin, TokenMixin, UserPassesTestMixin, generic.TemplateView):
     template_name = 'vince/activity.html'
@@ -2096,7 +2096,7 @@ def post(self, request, *args, **kwargs):
 
         paginator = Paginator(activity, 10)
         print(paginator.page(1))
-        return render(request, self.template_name, {'activity': activity, 'total': len(activity), 'case': case, 'allow_edit': True})
+        return render(request, self.template_name, {'activity': activity, 'total': activity.count(), 'case': case, 'allow_edit': True})
 
 
 class CaseFilterResults(LoginRequiredMixin, TokenMixin, UserPassesTestMixin, generic.ListView):
@@ -2194,7 +2194,7 @@ def post(self, request, *args, **kwargs):
         res = res.order_by('-modified')
 
         paginator = Paginator(res, 50)
-        return render(request, self.template_name, {'object_list': paginator.page(page), 'total': len(res), 'form': form, 'case':1 })
+        return render(request, self.template_name, {'object_list': paginator.page(page), 'total': res.count(), 'form': form, 'case':1 })
 
 class CaseFilter(LoginRequiredMixin, TokenMixin, UserPassesTestMixin, FormView):
     form_class = CaseFilterForm
@@ -3018,7 +3018,8 @@ def form_valid(self, form):
             case = form.save(user=assignment)
 
         if "ticket_id" in self.kwargs:
-            # Add ticket to the case and close it.
+            # this was just a general ticket, and not a CR. So add it to
+            # the case and close it.
             ticket = get_object_or_404(Ticket, id=self.kwargs["ticket_id"])
             ticket.case = case
             ticket.status = Ticket.CLOSED_STATUS
@@ -3027,12 +3028,10 @@ def form_valid(self, form):
             if ticket.queue.team:
                 if self.request.user.groups.filter(id=ticket.queue.team.id).exists():
                     #get case queue for this team
-                    newq = TicketQueue.objects.filter(queue_type=3, team=ticket.queue.team).first()
+                    ticket.queue = TicketQueue.objects.filter(queue_type=3, team=ticket.queue.team).first()
                     # if it returns none, then try the default
-                    if newq == None:
+                    if ticket.queue == None:
                         ticket.queue = get_user_case_queue(self.request.user)
-                    else:
-                        ticket.queue = newq
                 else:
                     ticket.queue = get_user_case_queue(self.request.user)
             else:
@@ -3544,7 +3543,7 @@ def get_context_data(self, **kwargs):
         #get reviews for this revision:
         reviews = VulNoteReview.objects.filter(vulnote=revision, complete=True).order_by('-date_complete')
         context['review'] = reviews.first()
-        if len(reviews) > 1:
+        if reviews.count() > 1:
             context['next'] = reviews[1]
             logger.debug(context['next'])
             context['reviews'] = reviews.exclude(id=context['review'].id)
@@ -13094,7 +13093,7 @@ def post(self, request, *args, **kwargs):
 
         paginator = Paginator(res, 50)
 
-        return render(request, "vince/searchresults.html", {'object_list': paginator.page(page), 'total': len(res), 'show_params': 1 })
+        return render(request, "vince/searchresults.html", {'object_list': paginator.page(page), 'total': res.count(), 'show_params': 1 })
 
     def get_context_data(self, **kwargs):
         context = super(TriageView, self).get_context_data(**kwargs)
@@ -13795,7 +13794,7 @@ def post(self, request, *args, **kwargs):
 
         paginator = Paginator(res, 50)
 
-        return render(request, self.template_name, {'object_list': paginator.page(page), 'total': len(res) })
+        return render(request, self.template_name, {'object_list': paginator.page(page), 'total': res.count() })
 
 
 class EmailFilterView(LoginRequiredMixin, TokenMixin, UserPassesTestMixin, generic.FormView):
@@ -15085,8 +15084,12 @@ def get_context_data(self, **kwargs):
 
         context['permanent'] = BounceEmailNotification.objects.filter(bounce_type=BounceEmailNotification.PERMANENT, action_taken=False).order_by('-bounce_date')
 
+
+
         context['transient'] = BounceEmailNotification.objects.filter(bounce_type=BounceEmailNotification.TRANSIENT, ticket__status__in=[Ticket.OPEN_STATUS, Ticket.REOPENED_STATUS, Ticket.IN_PROGRESS_STATUS]).order_by('-bounce_date')
 
+
+        context['operm'] = FollowUp.objects.filter(title__startswith="Email Bounce Notification", ticket__status__in=[Ticket.OPEN_STATUS, Ticket.REOPENED_STATUS], comment__icontains="Permanent")
         return context