Commit Graph

12 Commits

Author SHA1 Message Date
David Taylor 68b4fe4cf8
SECURITY: Expand and improve SSRF Protections (#18815)
See https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr

Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
2022-11-01 16:33:17 +00:00
Bianca Nenciu 19ed9dd183
FIX: Keep private theme key secret from user (#18106)
The generate RSA key and import theme routes worked separate from each
other. The RSA key returned both the public and private key and it was
the frontend which posted the private key back to the server. With this
commit, only the public key is necessary as the server keeps a map of
public and private keys that is used to get the private key back from
a public key.
2022-09-01 13:15:23 +03:00
Bianca Nenciu daa3f96d54
FIX: Allow .git end to miss from Git repo URL (#18092)
When installing private themes and theme components, the public key does
not show until the administrator types a valid Git repo URL. The regular
expression that checked the URL was too strict and it required the URL
to end with ".git".
2022-08-30 22:05:43 +03:00
Bianca Nenciu e029a9b36c
FEATURE: Allow private themes to be partially installed (#17644)
A public key must be added to GitHub when installing private themes.
When the process happens asynchronously (for example if the admin does
not have admin permissions to the GitHub repository), installing
private themes becomes very difficult.

In this case, the Discourse admin can partially install the theme by
letting Discourse save the private key, create a placeholder theme and
give the admin a public key to be used as a deploy key. After the key
is installed, the admin can finish theme installation by pressing a
button on the theme page.
2022-08-10 13:30:18 +03:00
Penar Musaraj 9581d71372
FIX: Allow CodeCommit-style theme .git url format (#12739) 2021-04-16 12:46:34 -04:00
Blake Erickson 85870225f2
FIX: Allow additional valid theme .git url formats (#12385)
Some git repos have a different ssh url scheme than github and we should
support them.

This change updates our regex format to account for repos that don't
start with "git", but are still valid ssh urls.

Also I added some tests to account for the various formats and to ensure
we don't show the public key when using https urls.

See: https://meta.discourse.org/t/182668
2021-03-12 13:24:55 -07:00
Osama Sayegh a6850d9691
FIX: Detect installed themes using URLs instead of names (#12201)
Context: https://meta.discourse.org/t/not-all-installed-theme-components-listed-as-installed/179756?u=osama
2021-02-25 00:10:17 +03:00
Penar Musaraj 916e1d85cf
FEATURE: Quick theme installs via query parameters (#12128) 2021-02-18 12:51:44 -05:00
Osama Sayegh 116a879ff4
FIX: Reset theme install modal state on close (#11670)
The theme install modal should reset its state on close, otherwise it might cause confusion when installing multiple components successively.
2021-01-11 18:27:31 +03:00
Osama Sayegh 2e3b3ec2de
FEATURE: Warn admins when installing a theme that's already installed (#11651)
Installing multiple copies of the same theme/component is possible, but you rarely need to actually have multiple copies installed. We've seen many times new admins installing duplicates of components because they were unaware it was already installed. This PR makes the theme installer modal loop through the existing themes when you click on 'install', and if there is a theme with a URL that matches the URL you entered, a warning will show up and you will need to click 'install' again to proceed.
2021-01-07 21:03:35 +03:00
Roman Rizzi bbe5d8d5cf
DEV: Sort imports alphabetically (#11382) 2020-12-01 15:31:26 -03:00
Robin Ward ce3fe2f4c4 REFACTOR: Support bundling our `admin` section as an ember addon 2020-09-22 15:14:29 -04:00