[19.01] Improve string escaping and changeset validation on toolshed#7616
nsoranzo merged 4 commits into galaxyproject:release_19.01 from
Conversation
This should target 18.05, I think. Also, I'm going to push a commit that should fix https://jenkins.galaxyproject.org/job/docker-toolshed/13508/testReport/junit/shed_functional.functional.test_0000_basic_repository_features/TestBasicRepositoryFeatures/test_0130_verify_handling_of_invalid_characters/
The previous similar PR from January went to 18.09, but I am not against backporting.
We shouldn't support tool sheds and haven't really promised to anywhere - let alone 18.05 tool sheds - I feel like targeting 19.01 is sufficient.
@jmchilton Since we release the Tool Shed source code together with Galaxy's, I don't see how the Security Policy doesn't apply to it. Obviously we could amend the policy, if we decide to.
The security policy over and over mentions Galaxy's version, Galaxy instances, etc... it doesn't mention "code" or "code shipped with Galaxy" or alternative servers, or the Tool Shed. I think my reading of it is entirely reasonable.
There has never been a separate Tool Shed repository or separate Tool Shed releases; Galaxy source code imports TS and vice versa. This clearly indicates to me that "Galaxy" in the Sec. policy refers to the entire "project".
Unless there are big obstacles/conflicts I volunteer to backport it.
@martenson I've fixed the tests, can you double check that this still fixes the original issue?
from gitter
which will not strip safe HTML tags and attributes, which we use. Also, restrict the possible values of `status` instead of trying to escape it.
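The comment above contrasts two approaches: escaping everything (which turns the safe formatting tags the Tool Shed wants to render into literal text) versus allowlist-based sanitization with bleach, and, for `status`, rejecting anything outside a fixed set instead of escaping it. The following is an added example, not code from this PR or from Galaxy. It uses only the Python standard library so it runs offline: the `_AllowlistSanitizer` class is a deliberately small stand-in for bleach (not bleach itself, and not a full replacement for it), and the status values, tag/attribute allowlists, and the assumed hex form of a changeset revision are constructed for the example; the page does not show the real ones.

```python
import html
import re
from html.parser import HTMLParser

# Allowlisted status values. Constructed for this example; the real set used
# by the Tool Shed endpoints is not shown on the page.
ALLOWED_STATUS = frozenset({"ok", "warning", "error"})

# Sanitizer allowlist: tags, per-tag attributes, and void tags.
# Constructed for this example; these are not bleach's defaults.
ALLOWED_TAGS = frozenset({"b", "i", "em", "strong", "br", "a"})
ALLOWED_ATTRS = {"a": frozenset({"href"})}
VOID_TAGS = frozenset({"br"})
SAFE_HREF = re.compile(r"^https?://", re.IGNORECASE)

# Assumed form of a Mercurial changeset revision: a 12- or 40-digit lowercase
# hex hash. What the PR actually validates is not shown on the page.
CHANGESET_RE = re.compile(r"^[0-9a-f]{12}$|^[0-9a-f]{40}$")


def validate_status(value):
    """Accept only allowlisted status values, so nothing needs escaping later."""
    if value not in ALLOWED_STATUS:
        raise ValueError("invalid status: %r" % (value,))
    return value


def validate_changeset_revision(value):
    """Accept only a lowercase hex hash; anything else (markup, path
    separators, whitespace) is rejected rather than escaped."""
    if not CHANGESET_RE.match(value):
        raise ValueError("invalid changeset revision: %r" % (value,))
    return value


def escape_all(text):
    """The 'escape everything' approach: safe against injection, but it also
    neutralizes the formatting tags the Tool Shed wants to keep."""
    return html.escape(text)


class _AllowlistSanitizer(HTMLParser):
    """Keep allowlisted tags/attributes, drop every other tag, escape text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text content still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue  # drops onclick=, style=, etc.
            if name == "href" and not SAFE_HREF.match(value.strip()):
                continue  # blocks javascript:, data:, vbscript: hrefs
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Character references were decoded by the parser; re-escape the text
        # so it cannot reintroduce markup.
        self.out.append(html.escape(data))


def sanitize_html(text):
    """Allowlist sanitization: safe tags survive, everything else is removed."""
    parser = _AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)
```

With `escape_all`, `<b>ok</b>` is rendered as the literal text `<b>ok</b>`; with `sanitize_html` the bold tag survives while `<script>`, event-handler attributes and `javascript:` links are dropped. For `status` and the changeset revision, validation rejects bad input outright, so the value never needs escaping on output and the code path with the escaping bug is removed instead of patched.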
Thanks @martenson, I've rebased the latest commit adding
@nsoranzo bleach seems to work well in my testing of these endpoints. This is ready I think.
Merged forward.
backport: #7626
No description provided.