Merge pull request #377 from GhostManager/release/v4.0.4

Release v4.0.4

CHANGELOG.md

@@ -4,6 +4,20 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.0.4] - 8 January 2024
+
+### Added
+
+* Added a new `regex_search` filter for report templates that allows you to search for a regular expression in a string
+
+### Fixed
+
+* Fixed an edge case where a manually edited domain could remain marked as expired on the back end and prevent checkout
+
+### Security
+
+* Resolved a potential XSS vulnerability with autocomplete for finding titles (Closes #374)
+
 ## [4.0.3] - 15 December 2023
 
 ### Added
@@ -17,7 +31,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
-* Fixed client contacts missing from the dropdown menu after assigning a contact (Fixed #175)
+* Fixed client contacts missing from the dropdown menu after assigning a contact (Fixes #175)
 
 ### Changed
 

VERSION

@@ -1,2 +1,2 @@
-v4.0.3
-15 December 2023
+v4.0.4
+8 January 2024

config/settings/base.py

@@ -11,9 +11,9 @@
 # 3rd Party Libraries
 import environ
 
-__version__ = "4.0.3"
+__version__ = "4.0.4"
 VERSION = __version__
-RELEASE_DATE = "15 December 2023"
+RELEASE_DATE = "8 January 2024"
 
 ROOT_DIR = Path(__file__).resolve(strict=True).parent.parent.parent
 APPS_DIR = ROOT_DIR / "ghostwriter"

ghostwriter/api/tests/test_views.py

@@ -1212,7 +1212,9 @@ class GraphqlDomainUpdateEventTests(TestCase):
     def setUpTestData(cls):
         cls.user = UserFactory(password=PASSWORD)
         cls.uri = reverse("api:graphql_domain_update_event")
-        cls.domain = DomainFactory(name="chrismaddalena.com")
+        cls.available_status = DomainStatusFactory(domain_status="Available")
+        cls.expired_status = DomainStatusFactory(domain_status="Expired")
+        cls.domain = DomainFactory(name="chrismaddalena.com", domain_status=cls.expired_status)
         cls.sample_data = {
             "event": {
                 "data": {
@@ -1227,7 +1229,7 @@ def setUpTestData(cls):
                         "vt_permalink": "",
                         "burned_explanation": "",
                         "creation": "2010-03-25",
-                        "domain_status_id": cls.domain.domain_status.id,
+                        "domain_status_id": cls.expired_status.id,
                         "last_used_by_id": "",
                         "name": "Chrismaddalena.com",
                         "categorization": "",
@@ -1256,6 +1258,26 @@ def test_graphql_domain_update_event(self):
         self.assertEqual(response.status_code, 200)
         self.domain.refresh_from_db()
         self.assertEqual(self.domain.name, "chrismaddalena.com")
+        self.assertEqual(self.domain.domain_status, self.expired_status)
+        self.assertTrue(self.domain.expired)
+
+        self.domain.domain_status = self.available_status
+        self.domain.save()
+
+        self.sample_data["event"]["data"]["new"]["domain_status_id"] = self.available_status.id
+        response = self.client.post(
+            self.uri,
+            content_type="application/json",
+            data=self.sample_data,
+            **{
+                "HTTP_HASURA_ACTION_SECRET": f"{ACTION_SECRET}",
+            },
+        )
+        self.domain.refresh_from_db()
+
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(self.domain.domain_status, self.available_status)
+        self.assertFalse(self.domain.expired)
 
 
 class GraphqlOplogEntryEventTests(TestCase):

ghostwriter/api/views.py

@@ -750,6 +750,9 @@ class GraphqlDomainUpdateEvent(HasuraEventView):
 
     def post(self, request, *args, **kwargs):
         instance = Domain.objects.get(id=self.new_data["id"])
+        instance.expired = False
+        if instance.domain_status.domain_status == "Expired":
+            instance.expired = True
         instance.save()
         return JsonResponse(self.data, status=self.status)
 

ghostwriter/modules/reportwriter.py

@@ -244,6 +244,23 @@ def get_item(lst, index):
         raise InvalidFilterValue(f"Invalid or unavailable index passed into the `get_item()` filter")
 
 
+def regex_search(text, regex):
+    """
+    Perform a regex search on the provided text and return the first match.
+
+    **Parameters**
+
+    ``regex``
+        Regular expression to search with
+    ``text``
+        Text to search
+    """
+    match = re.search(regex, text)
+    if match:
+        return match.group(0)
+    return None
+
+
 def prepare_jinja2_env(debug=False):
     """Prepare a Jinja2 environment with all custom filters."""
     if debug:
@@ -259,6 +276,7 @@ def prepare_jinja2_env(debug=False):
     env.filters["add_days"] = add_days
     env.filters["format_datetime"] = format_datetime
     env.filters["get_item"] = get_item
+    env.filters["regex_search"] = regex_search
 
     return env
 

ghostwriter/reporting/tests/test_views.py

@@ -47,6 +47,7 @@
     filter_type,
     format_datetime,
     get_item,
+    regex_search,
     strip_html,
 )
 from ghostwriter.reporting.templatetags import report_tags
@@ -2285,6 +2286,11 @@ def test_get_item(self):
         result = get_item(test_list, 1)
         self.assertEqual(result, "b")
 
+    def test_regex_search(self):
+        test_string = "This is a test string. It contains the word 'test'."
+        result = regex_search(test_string, "^(.*?)\.")
+        self.assertEqual(result, "This is a test string.")
+
 
 class LocalFindingNoteUpdateTests(TestCase):
     """Collection of tests for :view:`reporting.LocalFindingNoteUpdate`."""

hasura-docker/metadata/databases/default/tables/public_shepherd_domain.yaml

@@ -173,6 +173,7 @@ event_triggers:
         columns: '*'
       update:
         columns:
+          - domain_status_id
           - name
     retry_conf:
       interval_sec: 10