Merge pull request #95 from sei-vsarvepalli/version-2.0.7

Version 2.0.7 updates and enhancements.

CHANGELOG.md

@@ -1,5 +1,15 @@
 # VINCE Changelog
 
+Version 2.0.7  2023-03-20
+
+* Security updates Django to 3.2.18 CVE-2023-24580, Remove python-futures (no longer used) GH Issues #91 #90 (Dependabot)
+* Support User Approve Request (UAR) new workflow for User joining Vendor Group GH Issue #94
+* Allow Tracking ID's to be added to Cases when user belongs to multiple groups (CaseTracking) reported by VINCE user.
+* Move from initial to instance on Form Class inits() to modify existing data in Models/Forms pair
+* Move more browser UI information to async data requests, less templates.
+* Remove `marquee`, `command` and `style` tags from supported markdown_helpers  lib.vince.markdown_helpers - reported by VINCE user.
+
+
 Version 2.0.6  2023-01-23
 
 * Removed Edit Vulnerability button superfluous GHIssue #77

README.md

@@ -71,7 +71,7 @@ VINCEPUB application provides publicly available publications and reports that u
 users. Each application can also be further protected by network access controls as desired to
 reduce the risk of exposure.
 
-[<img src="VINCE_Infrastructure.png" width="100%"></A>](./VINCE_Infrastructure.png)
+[<img src="https://github.com/CERTCC/VINCE/raw/main/Vince_Infrastructure.png" width="100%"></A>](https://github.com/CERTCC/VINCE/raw/main/Vince_Infrastructure.png)
 
 
 ### Local Install
@@ -81,7 +81,7 @@ reduce the risk of exposure.
 2. Create a virtual environment and install requirements
 ```
 cd bigvince
-mkvirtualenv --python=/usr/local/bin/python3.6 bigvince  (python3 -m venv env)
+mkvirtualenv  bigvince 
 source env/bin/activate
 pip install -r requirements.txt
 ```

bigvince/settings_.py

@@ -56,7 +56,7 @@
 ROOT_DIR = environ.Path(__file__) - 3
 
 # any change that requires database migrations is a minor release
-VERSION = "2.0.6"
+VERSION = "2.0.7"
 
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/2.1/howto/deployment/checklist/

cdk/lambda/CreateDatabases/requests/__version__.py

@@ -4,11 +4,11 @@
 
 __title__ = 'requests'
 __description__ = 'Python HTTP for Humans.'
-__url__ = 'http://python-requests.org'
-__version__ = '2.22.0'
-__build__ = 0x022200
+__url__ = 'https://requests.readthedocs.io'
+__version__ = '2.27.1'
+__build__ = 0x022701
 __author__ = 'Kenneth Reitz'
 __author_email__ = 'me@kennethreitz.org'
 __license__ = 'Apache 2.0'
-__copyright__ = 'Copyright 2019 Kenneth Reitz'
+__copyright__ = 'Copyright 2023 Kenneth Reitz'
 __cake__ = u'\u2728 \U0001f370 \u2728'

lib/vince/markdown_helpers.py

@@ -34,6 +34,10 @@
 import logging
 from bs4 import BeautifulSoup
 
+
+unsafe = {"style","marquee","command"}
+generally_xss_safe  = [v for v in generally_xss_safe if not v in unsafe]
+
 logger = logging.getLogger(__name__)
 logger.setLevel(logging.DEBUG)
 

vince/static/vince/css/overrides.css

@@ -119,3 +119,18 @@ nav.cdown li.not_affected {
     background-color: #3adb76;
 }  
 
+.new-vendor {
+    padding-left: 4px;
+}
+.p-inline-block {
+    display:inline-block;
+}
+.p-inline {
+    display:inline;
+}
+span.trackorg::before {
+    content: "[";
+}
+span.trackorg::after {
+    content: "]";
+}

vince/static/vince/css/style.css

@@ -714,7 +714,7 @@ ul {
 
 #login-footer{
     height:70px;
-    background-color:#FFF;
+    background-color:#525356;
     border: solid 1px white;
     max-width: 600px;
     width: 100%;
@@ -3730,6 +3730,7 @@ h4 a i {
     padding: 0 .25em;
     font-size: 14px;
     color: #666;
+    cursor:pointer;
 }
 
 .edit-delete-hover {
@@ -3756,7 +3757,7 @@ h4 a i {
 }
 
 .sent-by-me {
-    background-color: #7eb3af;
+    background-color: #777;
     color: #fff;
 }
 

vince/static/vince/js/email.js

@@ -91,7 +91,18 @@ $(document).ready(function() {
     $('form').submit(function () {
         window.removeEventListener('beforeunload', onBeforeUnload);
     });
-
+    $('#emailform').on('submit', function() {
+	let emails = $('input[name="to"]').val().split(",");
+	let remail = /^([\w-\.]+@([\w-]+\.)+[\w-]{2,4})?$/;
+	for(let i = 0; i < emails.length; i++) {
+	    if(!remail.test(emails[i])) {
+		alert("Email entry " + emails[i] + " is invalid! \n" +
+		     "Enter valid email address before submitting.");
+		return false;
+	    }
+	}
+	return true;
+    });
 
     var options = {}
     var selector = 'input[id^=id_contact]'

vince/static/vince/js/tickets.js

@@ -583,7 +583,11 @@ $(document).ready(function() {
 		    $("#msgvendor").removeClass("hidden");
 		} else if (data['action_link']) {
 		    $("#msgvendor").addClass("hidden");
-		    $("#msgabutton").replaceWith("<a href=\""+data['action_link']+"\" class=\"button primary\">Send Email</a>");
+		    let send_email = $("<div>")
+			.append($("<a>").addClass("button primary")
+				.prop("href",data.action_link)
+				.html("Send Email")).html()
+		    $("#msgabutton").replaceWith(send_email);
 		} else {
 		    $("#msgvendor").addClass("hidden");
 		    $("#msgabutton").prop("disabled", true);
@@ -615,8 +619,28 @@ $(document).ready(function() {
 	    }
 	});
     }
-
-
+    function msgadminform_async() {
+        $('#msgadminform').on('submit',function(e) {
+        e.preventDefault();
+        $('body').css({opacity: 0.5});
+        $.post(this.action,$(this).serialize(),function(d) {
+            console.log(d);
+            $('#msgadminform .modal-body').html('<h2>Submit completed</h2>')
+                .append(JSON.stringify(d,null,'\t'));
+        }).fail(function() {
+	    $('#msgadminform .modal-body').html('<h2>Submission Failed!<h2>')
+		.append("See console log for details");
+	    console.log(arguments);
+	}).done(function() {
+            $('#msgadminform .modal-footer').html('');
+            setTimeout(function() {
+                $("#adddependency").foundation('close');
+                location.reload();
+            }, 900);
+        });
+        return false;
+	});
+    }
     $(document).on("click", "#msgadmin", function(event) {
         event.preventDefault();
         var url = $(this).attr("href");
@@ -628,6 +652,7 @@ $(document).ready(function() {
                     adddepmodal.html(data).foundation('open');
 		    $.getJSON("/vince/api/vendors/", function(data) {
 			vend_auto(data);
+			msgadminform_async();
 		    });
                 },
                 error: function(xhr, status) {

vince/templates/vince/include/changelog.html

@@ -32,7 +32,11 @@
 
 {% for revision in revisions %}
 <div class="panel-group">
-<div class="callout secondary" id="accordion{{ revision.revision_number }}">
+  {% if revision == vulnote.current_revision %}
+  <div class="callout success" id="accordion{{ revision.revision_number }}">
+  {% else %}
+  <div class="callout secondary" id="accordion{{ revision.revision_number }}">
+  {% endif %}
   <div class="callout-heading">
     <a class="callout-toggle" style="float: left;" data-toggle="collapse{{ revision.revision_number }}" href="{% url 'vince:diff' revision.id %}">
       {% if revision == vulnote.current_revision %}

vince/templates/vince/new_email.html

@@ -30,7 +30,7 @@ <h2>New Email</h2>
 
 <div class="row">
   <div class="small-12 large-12 columns">
-    <form method="post" enctype="multipart/form-data">{% csrf_token %}
+    <form method="post" id="emailForm" enctype="multipart/form-data">{% csrf_token %}
       {% if form.errors %}
       <p class="errornote">
         {% if form.errors.items|length == 1 %}Please correct the error below.{% else %}Please correct the errors below.{% endif %}

vince/templates/vince/teams.html

@@ -34,7 +34,7 @@ <h2>Coordination Teams</h2>
       <div class="masonry-css-item">
 	<div class="callout text-center">
 	  <div class="card-user-avatar">
-	    <div class="card-profile-stats-intro">
+	    <div class="card-profile-stats-intro card-profile">
 	      {% autoescape off %}{{ team|teamlogo:"card-profile-stats-intro-pic" }}{% endautoescape %}
 	    </div>
 	    <div class="links">

vince/urls.py

@@ -33,7 +33,7 @@
 from django.contrib import admin
 from django.views.generic import TemplateView, RedirectView
 from cogauth import views as cogauth_views
-
+from vinny.views import userapproverequest
 
 # DO NOT USE "vuls" or "comm" in the URL Path... these are special keywords in the
 # database router that change the request variable to use a different database
@@ -325,6 +325,8 @@
     re_path('^manage/cve/(?P<pk>[0-9]+)/key/', views.CVEAccountViewKey.as_view(), name='cveviewkey'),
     re_path('^manage/cve/delete/(?P<pk>[0-9]+)/', views.CVEServicesDeleteAccount.as_view(), name='cve_services_delete'),
     path('manage/bounces/', views.VINCEBounceManager.as_view(), name='bouncemanager'),
+    #Cross applications app url views from vinny.views
+    path('api/userapprove/', userapproverequest, {"caller": "vince"}, name='userapprove'),
 ]
 try:
     if settings.MULTIURL_CONFIG:

vince/views.py

@@ -10342,7 +10342,7 @@ def get_context_data(self, **kwargs):
                  'pgp_formset': self.PgPFormSet(prefix='pgp', queryset=pgp, instance=contact)}
         #'email_formset': self.EmailFormSet(prefix='email', queryset=email, instance=contact)}
         context['groups'] = GroupMember.objects.filter(contact=self.kwargs['pk'])
-        context['form'] = self.form_class(initial=contact)
+        context['form'] = self.form_class(instance=contact)
         context['form'].fields['vtype'].choices = [('User', 'User'), ('Vendor', 'Vendor'), ('Coordinator', 'Coordinator')]
         context['form'].fields['vtype'].initial = contact.vendor_type
         context['contact'] = contact
@@ -13478,6 +13478,7 @@ def get_context_data(self, **kwargs):
             context['my_team'] = context['my_teams'][0]
         return context
 
+
 class VinceTeamSettingsView(LoginRequiredMixin, TokenMixin, UserPassesTestMixin, generic.TemplateView):
     login_url = "vince:login"
     template_name = "vince/teamsettings.html"