[bot] Merge 26.3 to develop #656
Open
github-actions[bot] wants to merge 4 commits into
Fixes several bugs in the testresults module found while writing Selenium tests, plus a folder-scoping gap in how runs are looked up by id:

- Training stats: extracted `recomputeUserData(scope, userid, container)`, which recomputes a user's stats from their remaining training runs and deletes the `UserData` row when none remain. Called by `TrainRunAction` and `DeleteRunAction`.
- `DeleteRunAction`: delete all child rows (now including handleleaks and trainruns) before the parent run, then refresh the owner's training stats.
- `TrainRunAction`: verify the run exists before recompute on the force path too.
- Folder scoping: added `getRunInContainer(runId, container)`; `trainRun`, `deleteRun`, `flagRun`, `viewLog`, `viewXml` and the flagged-runs list now reject or omit runs from other folders.
- `showRun` and `TrainingDataViewAction` were already scoped.
- `failureDetail.jsp`: set the chart's date-axis bounds only when dates exist.
- Date parsing: parse MM/dd/yyyy strictly and reject invalid dates; use a fresh formatter per call instead of one shared static instance.
- Added new tests for strict dates, deleting a run with child rows, the recompute update branch (mean and stddev), the trainRun force-path error, and cross-folder run access (testRunAccessIsContainerScoped).

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Ankur Juneja <ankurjuneja05@gmail.com>
- Path traversal (High)
  - DownloadCustomGCTReportAction: Validate the requested `fileName` with `FileUtil.isAllowedFileName` and confirm the resolved path stays inside the container's GCT directory.
- Cross-container access (Medium / Low)
  - PSP job lookups: `LincsManager.getLincsPspJob` / `getLincsPspJobForRun` now require a `Container` and filter on it. The PSP-job detail/status/update actions can no longer reach jobs in other folders. All callers updated (3 controller actions, SubmitPspJobAction, and 2 LincsDataTable display columns).
- Cleartext credential transmission (Low, CWE-319)
  - Clue/PSP server URI: Require `https` for the Clue/PSP server URI. Rejected at save time in `ManageLincsClueCredentials.validateCommand`, and as defense in depth in `LincsPspUtil.getPspEndpoint` before the API key is sent as a request header. The point-of-use check also blocks endpoints saved as `http://` before this fix. Added `<labkey:errors/>` to `manageClueCredentials.jsp` so the save-time rejection is actually shown.
- Missing audit trail (Low)
  - Credential / config changes: `ManageLincsClueCredentials.handlePost` and `CromwellConfigAction.handlePost` now write an audit event (container and acting user, no secret values) when the PSP/Clue credentials or Cromwell config change.

---------

Co-authored-by: Claude <noreply@anthropic.com>
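The commit above describes two checks in prose: a file-name allow-list followed by a confirmation that the resolved path stays inside the container's GCT directory, and an https-only rule for the Clue/PSP endpoint. The stand-alone Java below is an added illustration of that pattern, not LabKey's code; `isAllowedFileName`, `resolveInside`, `isHttpsEndpoint` and the regex are assumptions of this example and do not reproduce the real `FileUtil` or `LincsPspUtil` API. The base directory and the sample inputs in `main` are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Added example, not LabKey code. Shows the two-layer containment check the
// commit message describes for DownloadCustomGCTReportAction, plus the
// https-only endpoint rule. Method names and the regex are assumptions.
public final class GctPathCheck
{
    // Assumed allow-list: a plain file name, no separators, no parent references.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]*");

    // First layer: reject anything that is not a simple file name.
    public static boolean isAllowedFileName(String fileName)
    {
        if (fileName == null || fileName.isEmpty() || fileName.length() > 255)
            return false;
        if (fileName.contains("/") || fileName.contains("\\")
                || fileName.equals(".") || fileName.equals(".."))
            return false;
        return SAFE_NAME.matcher(fileName).matches();
    }

    // Second layer (defense in depth): normalize and confirm the resolved path
    // is still a child of gctDir. Returns null when the request must be rejected.
    public static Path resolveInside(Path gctDir, String fileName)
    {
        if (!isAllowedFileName(fileName))
            return null;
        Path base = gctDir.toAbsolutePath().normalize();
        Path candidate = base.resolve(fileName).normalize();
        // Path.startsWith compares whole components, so "gct-evil" does not match "gct".
        if (!candidate.startsWith(base) || candidate.equals(base))
            return null;
        return candidate;
    }

    // Endpoint rule: only an https URI with a host may receive the API key header.
    public static boolean isHttpsEndpoint(String uriText)
    {
        if (uriText == null)
            return false;
        try
        {
            URI uri = new URI(uriText.trim());
            return "https".equalsIgnoreCase(uri.getScheme()) && uri.getHost() != null;
        }
        catch (URISyntaxException e)
        {
            return false;
        }
    }

    public static void main(String[] args)
    {
        Path gctDir = Paths.get("/tmp/lincs/container1/gct"); // constructed base directory
        String[] names = { "report.gct", "../other-container/secret.gct", "..", "sub/dir.gct", "" };
        for (String name : names)
        {
            Path p = resolveInside(gctDir, name);
            System.out.println((p == null ? "rejected" : "ok " + p) + "  <- \"" + name + "\"");
        }
        String[] endpoints = { "https://clue.example/api", "http://clue.example/api", "ftp://x", "not a uri" };
        for (String e : endpoints)
            System.out.println((isHttpsEndpoint(e) ? "accepted" : "rejected") + "  <- " + e);
    }
}
```

The second layer matters even though the first already rejects separators: if the allow-list is ever relaxed (for example to permit subdirectories), the `startsWith` check on the normalized path still keeps downloads inside the container's directory.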
Generated automatically.
Merging changes from: d3d8590
Approve all matching PRs simultaneously.
Approval will trigger automatic merge.
Verify all PRs before approving: https://internal.labkey.com/Scrumtime/Backlog/harvest-gitOpenPullRequests.view?branch=fb_bot_merge_26.3