Fixed issue #19599: [security] Stored XSS through csv file upload (th… #2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: LimeSurvey - CI pipeline | |
# Triggers the workflow on push or pull request events on all branches | |
on: | |
pull_request: | |
push: | |
branches: | |
- '*' | |
- '**' | |
- 'dev/**' | |
- 'bug/**' | |
- 'feature/**' | |
- 'zoho/**' | |
jobs: | |
CI-pipeline: | |
runs-on: ubuntu-20.04 # ubuntu runner hosted by Github | |
strategy: | |
matrix: | |
# Specify what versions of php you want to test | |
php-versions: ['7.2', '8.0'] | |
# Env vars for this job | |
env: | |
DBENGINE: INNODB | |
name: PHP ${{ matrix.php-versions }} # Check each version of php specified in matrix | |
steps: | |
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it | |
- uses: actions/checkout@v2 | |
# This will change the php version for every version specified in matrix https://github.com/marketplace/actions/setup-php-action | |
- name: Install specified PHP | |
uses: shivammathur/setup-php@v2 | |
with: | |
php-version: ${{ matrix.php-versions }} | |
# Start the MySQL service - https://github.com/actions/virtual-environments/blob/main/images/linux/Ubuntu1804-README.md#mysql | |
- name: Start the MySQL service | |
run: | | |
sudo systemctl start mysql.service | |
- name: Initilize and check all dependencies | |
run: | | |
# Before running composer install, check that the autoloader is up-to-date and all classes can be loaded. | |
php tests/check_autoloader.php | |
# Test | |
echo $archive_url | |
php -r 'var_dump(PHP_INT_SIZE);' | |
# Install LimeSurvey. | |
php -m # Spit out all loaded PHP modules | |
mysql --version | |
touch enabletests | |
# NB: PHPUnit 6.5.* is installed with composer. | |
composer install -vvv | |
./vendor/bin/phpunit --version | |
- name: Set up Apache+PHP | |
run: | | |
# Set up the Apache and PHP | |
sudo apt-get update > /dev/null | |
sudo apt install php php-mysql php8.0-mysql php7.2-mysql libapache2-mod-php8.0 -y | |
sudo cp -f ./tests/CI-pipeline/github-actions-apache /etc/apache2/sites-available/000-default.conf | |
sudo sed -e "s?%CI_BUILD_DIR%?$(pwd)?g" --in-place /etc/apache2/sites-available/000-default.conf | |
sudo service apache2 restart | |
# Give permision to access files for Apache | |
setfacl -dR -m u:www-data:rwX -m u:$(whoami):rwx ./tmp | |
setfacl -dR -m u:www-data:rwX -m u:$(whoami):rwx ./upload | |
setfacl -dR -m u:www-data:rwX -m u:$(whoami):rwx ./themes | |
setfacl -dR -m u:www-data:rwX -m u:$(whoami):rwx ./tests/tmp | |
setfacl -dR -m u:www-data:rwX -m u:$(whoami):rwx ./application/config | |
chmod -R 777 ./tmp | |
sudo chown -R www-data:docker ./tmp | |
chmod -R 777 ./upload | |
chmod -R 777 ./themes # Need 777 so both console and web server can cd into the folder. | |
chmod -R 777 ./tests/tmp | |
chmod -R 777 ./application/config | |
chmod +x ./tests/bin/lint-* | |
- name: Check MySQL service | |
run: | | |
# InnoDB needs large_file_prefix & Barracuda file format | |
# https://discuss.gogs.io/t/solved-mysql-error-1064-while-running-first-install/1604 | |
# InnoDB variables ARE already set to desired values in Github runner (ubuntu-18.04) | |
sudo systemctl start mysql | |
sudo service mysql status | |
mysql -uroot -proot -e "ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'root';" || true | |
mysql -uroot -proot -e "Show variables like '%large%';" | |
mysql -uroot -proot -e "Show variables like '%innodb_file%';" | |
mysql -uroot -proot -e "Show variables like '%innodb_default%';" | |
mysql -uroot -proot -e "CREATE DATABASE limesurvey;" | |
- name: Load custom console and start the Application | |
run: | | |
cp application/config/config-sample-mysql.php application/config/config.php | |
php application/commands/console.php install admin password TravisLS no@email.com verbose | |
# Enable debug=2 in config file. OBS: This assumes debug is on line 61. | |
# TODO: Disable, a lines was added to config file and some tests started to fail. | |
# NB: EmCache is always disabled when debug => 2 | |
# NB: There can be a difference in assets used when debug = 0 or 2 (minified version or not) | |
# sed -i '60s/.*/ "debug"=>2,/' application/config/config.php | |
# cat application/config/config.php | |
- name: Test the server | |
run: | | |
# Test server. | |
wget -O - localhost | |
#sudo tail -n 500 /var/log/apache2/error.log || true | |
#sudo tail -n 500 /var/log/nginx/error.log || true | |
#sudo tail -n 500 /var/log/php7.4-fpm.log || true | |
#sudo tail -n 500 /var/log/php7.2-fpm.log || true | |
#sudo tail -n 500 /var/log/php8.0-fpm.log || true | |
# NOTE: php --version might not be the same as setup in apache. Use fwrite(STDERR, phpversion()); in index.php to be sure. | |
#which php | |
#php --version | |
#php -r 'phpinfo();' | grep log | |
#php --info | grep log | |
#find /var/log | |
# Chromedriver setup. | |
# Note: Keep getting timeout problems on Travis with chromedriver. | |
# wget https://chromedriver.storage.googleapis.com/2.33/chromedriver_linux64.zip | |
# unzip chromedriver_linux64.zip | |
- name: Run unit tests | |
env: | |
XDEBUG_MODE: coverage | |
run: php vendor/bin/phpunit --testdox --stop-on-failure tests/unit | |
- name: Check test coverage if cov.xml exists (won't work on PHP 8 with current phpunit version) | |
run: php tests/bin/check_coverage.php cov.xml 37 | |
- name: Set up Selenium with firefox (needed for integrity tests) | |
run: | | |
echo `which firefox` | |
echo `firefox -v` | |
echo `geckodriver --version` | |
# Setup Selenium with Firefox headless mode, Gecko driver already installed | |
wget "https://selenium-release.storage.googleapis.com/3.7/selenium-server-standalone-3.7.1.jar" | |
export MOZ_HEADLESS=1 | |
export MOZ_HEADLESS_WIDTH=1280 | |
export MOZ_HEADLESS_HEIGHT=1024 | |
java -jar selenium-server-standalone-3.7.1.jar -enablePassThrough false > /dev/null 2> /dev/null & | |
- name: Run functional tests | |
env: | |
DOMAIN: localhost | |
run: php vendor/bin/phpunit --testdox --stop-on-failure tests/functional | |
- name: Upload Screenshots | |
uses: actions/upload-artifact@v3 | |
if: failure() | |
with: | |
name: screenshots | |
path: tests/tmp/screenshots/ | |
retention-days: 5 | |
- name: Run syntax check, CodeSniffer, MessDetector, ... | |
run: composer test | |