Release OpenProject 11.3.4

Author: oliverguenther

.pkgr.yml

@@ -39,7 +39,7 @@ installer: https://github.com/pkgr/installer.git
 wizards:
   - https://github.com/pkgr/addon-legacy-installer.git
   - ./packaging/addons/openproject-edition
-  - https://github.com/pkgr/addon-postgres
+  - https://github.com/opf/addon-postgres
   - https://github.com/pkgr/addon-apache2.git
   - ./packaging/addons/repositories
   - https://github.com/pkgr/addon-smtp.git

app/services/service_result.rb

@@ -180,14 +180,13 @@ def message
   private
 
   def initialize_errors(errors)
-    self.errors =
-      if errors
-        errors
-      elsif result.respond_to?(:errors)
-        result.errors
-      else
-        ActiveModel::Errors.new(self)
-      end
+    self.errors = errors || new_errors_with_result
+  end
+
+  def new_errors_with_result
+    ActiveModel::Errors.new(self).tap do |errors|
+      errors.merge!(result) if result.try(:errors).present?
+    end
   end
 
   def get_message_type

docs/release-notes/11-3-3/README.md

@@ -13,6 +13,24 @@ Release date: 2021-07-20
 We released [OpenProject 11.3.3](https://community.openproject.com/versions/1484).
 The release contains several bug fixes and we recommend updating to the newest version.
 
+### Security issues
+
+**CVE-2021-32763**: Regular Expression Denial of Service in OpenProject forum messages
+
+An unoptimized regular expression in the quote functionality of the OpenProject forum feature in versions before 11.3.3 allows an attacker to perform a denial of service attack by passing a particularly crafted string to increase the runtime of the regular expression evaluation drastically.
+
+Please see the advisory for [CVE-2021-32763](https://github.com/opf/openproject/security/advisories/GHSA-qqvp-j6gm-q56f) for more information.
+
+**CVE-2021-36390**: Host Header Injection in unproxied Docker installations
+
+The default ServerName configuration of the all-in-one and docker-compose based Docker containers of OpenProject allow for HOST header injection if they are operated without a proxying web server / load balancer in front of it with a proper ServerName setup.
+
+Operating public facing docker containers is not recommended by OpenProject. The embedded server of the docker containers are not designed to be publicly accessible. Instead, use a proxying or load balancing web server that is bound to your public hostname. If you are using such an external web server, this advisory does not affect you.
+
+Please see the advisory for [CVE-2021-36390](https://github.com/opf/openproject/security/advisories/GHSA-r8f8-pgg2-2c26) for more information.
+
+
+
 <!--more-->
 #### Bug fixes and changes
 

docs/release-notes/11-3-4/README.md

@@ -0,0 +1,18 @@
+---
+title: OpenProject 11.3.4
+sidebar_navigation:
+    title: 11.3.4
+release_version: 11.3.4
+release_date: 2021-07-29
+---
+
+# OpenProject 11.3.4
+
+Release date: 2021-07-29
+
+We released [OpenProject 11.3.4](https://community.openproject.com/versions/1488).
+The release contains several bug fixes and we recommend updating to the newest version.
+
+<!--more-->
+#### Bug fixes and changes
+

docs/release-notes/README.md

@@ -12,6 +12,13 @@ Stay up to date and get an overview of the new features included in the releases
 <!--- New release notes are generated below. Do not remove comment. -->
 <!--- RELEASE MARKER -->
 
+## 11.3.4
+
+Release date: 2021-07-29
+
+[Release Notes](11-3-4/)
+
+
 ## 11.3.3
 
 Release date: 2021-07-20

lib/open_project/version.rb

@@ -35,7 +35,7 @@ module OpenProject
   module VERSION #:nodoc:
     MAJOR = 11
     MINOR = 3
-    PATCH = 3
+    PATCH = 4
     TINY  = PATCH # Redmine compat
 
     class << self

spec/lib/journal_formatter/custom_field_spec.rb

@@ -70,6 +70,7 @@
       let(:expected) do
         I18n.t(:text_journal_changed,
                label: "<strong>#{custom_field.name}</strong>",
+               linebreak: '',
                old: "<i title=\"#{old_formatted_value}\">#{old_formatted_value}</i>",
                new: "<i title=\"#{new_formatted_value}\">#{new_formatted_value}</i>")
       end
@@ -111,6 +112,7 @@
         I18n.t(:text_journal_changed_plain,
                label: custom_field.name,
                old: format_value(values.first, custom_field),
+               linebreak: '',
                new: format_value(values.last, custom_field))
       end
 
@@ -152,6 +154,7 @@
       let(:expected) do
         I18n.t(:text_journal_changed,
                label: "<strong>#{I18n.t(:label_deleted_custom_field)}</strong>",
+               linebreak: '',
                old: "<i title=\"#{values.first}\">#{values.first}</i>",
                new: "<i title=\"#{values.last}\">#{values.last}</i>")
       end
@@ -229,6 +232,7 @@
         let(:expected) do
           I18n.t(:text_journal_changed,
                  label: "<strong>#{custom_field.name}</strong>",
+                 linebreak: '',
                  old: "<i title=\"cf 1, cf 2\">cf 1, cf 2</i>",
                  new: "<i title=\"cf 3, cf 4\">cf 3, cf 4</i>")
         end
@@ -243,6 +247,7 @@
         let(:expected) do
           I18n.t(:text_journal_changed,
                  label: "<strong>#{custom_field.name}</strong>",
+                 linebreak: '',
                  old: "<i title=\"cf 1, cf 2\">cf 1, cf 2</i>",
                  new: "<i title=\"(deleted option), cf 4\">(deleted option), cf 4</i>")
         end

spec/services/base_services/behaves_like_delete_service.rb

@@ -60,7 +60,7 @@
 
   let(:model_destroy_result) { true }
   let(:contract_validate_result) { true }
-  let(:contract_errors) { double(ActiveModel::Errors) }
+  let(:contract_errors) { ActiveModel::Errors.new(instance) }
 
   before do
     allow(model_instance).to receive(:destroy).and_return(model_destroy_result)
@@ -99,19 +99,22 @@
 
     context 'when model cannot be destroyed' do
       let(:model_destroy_result) { false }
-      let(:model_errors) { instance_double(ActiveModel::Errors) }
+      let(:model_errors) { ActiveModel::Errors.new(model_instance) }
 
       it 'is unsuccessful' do
         expect(subject)
           .to be_failure
       end
 
       it "returns the user's errors" do
+        model_errors.add :base, 'This is some error.'
+
         allow(model_instance)
           .to(receive(:errors))
           .and_return model_errors
 
         expect(subject.errors).to eql model_errors
+        expect(subject.errors[:base]).to include "This is some error."
       end
     end
   end

spec/services/service_result_spec.rb

@@ -82,6 +82,15 @@
     it 'is an empty ActiveModel::Errors by default' do
       expect(instance.errors).to be_a ActiveModel::Errors
     end
+
+    context 'providing errors from user' do
+      let(:result) { FactoryBot.build :work_package }
+
+      it 'creates a new errors instance' do
+        instance = ServiceResult.new result: result
+        expect(instance.errors).not_to eq result.errors
+      end
+    end
   end
 
   describe 'result' do

spec/services/work_packages/update_service_spec.rb

@@ -117,13 +117,9 @@
       end
 
       context 'when setting the attributes is unsuccessful (invalid)' do
-        let(:errors) { double('set errors', empty?: false) }
+        let(:errors) { ActiveModel::Errors.new(work_package) }
         let(:set_service_results) { ServiceResult.new success: false, errors: errors, result: work_package }
 
-        before do
-          allow(errors).to receive(:merge!)
-        end
-
         it 'is unsuccessful' do
           expect(subject.success?).to be_falsey
         end
@@ -135,18 +131,20 @@
         end
 
         it 'exposes the errors' do
+          errors.add(:base, 'This is a custom error!')
+
           subject
 
           expect(subject.errors).to eql errors
+          expect(subject.errors[:base]).to include 'This is a custom error!'
         end
       end
 
       context 'when the saving is unsuccessful' do
         let(:work_package_save_result) { false }
-        let(:saving_errors) { double('saving_errors', empty?: false) }
+        let(:saving_errors) { ActiveModel::Errors.new(work_package) }
 
         before do
-          allow(saving_errors).to receive(:merge!)
           allow(work_package)
             .to receive(:errors)
             .and_return(saving_errors)
@@ -162,10 +160,13 @@
           expect(work_package.changed?).to be_truthy
         end
 
-        it "exposes the work_packages's errors" do
+        it 'exposes the errors, but is a new instance' do
+          saving_errors.add(:base, 'This is a custom error!')
+
           subject
 
-          expect(subject.errors).to eql saving_errors
+          expect(subject.errors).not_to eql saving_errors
+          expect(subject.errors[:base]).to include 'This is a custom error!'
         end
       end
     end