18.0.7 release

jgraph · May 17, 2022 · c63f3a0 · c63f3a0
1 parent 7a68ebe
commit c63f3a0
Show file tree

Hide file tree

Showing 14 changed files with 72 additions and 35 deletions.
diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
@@ -2,7 +2,8 @@ name: Build & Release
 
 on:
   push:
-
+    paths:
+      - VERSION
 jobs:
   build:
     runs-on: ubuntu-18.04

diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,9 @@
+17-MAY-2022: 18.0.7
+
+- Sets setInstanceFollowRedirects(false) in proxyservlet
+- Fixes issue in state redirect of AbsAuth
+- Changes regex for CORS check
+
 16-MAY-2022: 18.0.6
 
 - Moves sanitize URL to Utils, adds extra IPv6 check

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-18.0.6
+18.0.7
diff --git a/src/main/java/com/mxgraph/online/AbsAuthServlet.java b/src/main/java/com/mxgraph/online/AbsAuthServlet.java
@@ -207,21 +207,15 @@ public static boolean isAbsolute(String url)
 			return true;
 		}
 
-		if (url.startsWith("/")) // /somePage.html
-		{
-			return false;
-		}
-
-		boolean result = false;
-
 		try 
 		{
 			URI uri = new URI(url);
-			result = uri.isAbsolute();
+			return uri.isAbsolute();
+		}
+		catch (URISyntaxException e) 
+		{
+			return true; // Block malformed URLs also
 		}
-		catch (URISyntaxException e) {} //Ignore
-
-		return result;
 	}
 
 	/**

diff --git a/src/main/java/com/mxgraph/online/ProxyServlet.java b/src/main/java/com/mxgraph/online/ProxyServlet.java
@@ -104,15 +104,13 @@ protected void doGet(HttpServletRequest request,
 				if (connection instanceof HttpURLConnection)
 				{
 					((HttpURLConnection) connection)
-							.setInstanceFollowRedirects(true);
+							.setInstanceFollowRedirects(false);
 					int status = ((HttpURLConnection) connection)
 							.getResponseCode();
 					int counter = 0;
 
 					// Follows a maximum of 6 redirects 
-					while (counter++ <= 6
-							&& (status == HttpURLConnection.HTTP_MOVED_PERM
-									|| status == HttpURLConnection.HTTP_MOVED_TEMP))
+					while (counter++ <= 6 && (int)(status / 10) == 30) //Any redirect status 30x
 					{
 						String redirectUrl = connection.getHeaderField("Location");
 
@@ -124,7 +122,7 @@ protected void doGet(HttpServletRequest request,
 						url = new URL(redirectUrl);
 						connection = url.openConnection();
 						((HttpURLConnection) connection)
-								.setInstanceFollowRedirects(true);
+								.setInstanceFollowRedirects(false);
 						connection.setConnectTimeout(TIMEOUT);
 						connection.setReadTimeout(TIMEOUT);
 
@@ -251,19 +249,19 @@ protected String getCorsDomain(String referer, String userAgent)
 		String dom = null;
 
 		if (referer != null && referer.toLowerCase()
-				.matches("https?://([a-z0-9,-]+[.])*draw[.]io/.*"))
+				.matches("^https?://([a-z0-9,-]+[.])*draw[.]io/.*"))
 		{
 			dom = referer.toLowerCase().substring(0,
 					referer.indexOf(".draw.io/") + 8);
 		}
 		else if (referer != null && referer.toLowerCase()
-				.matches("https?://([a-z0-9,-]+[.])*diagrams[.]net/.*"))
+				.matches("^https?://([a-z0-9,-]+[.])*diagrams[.]net/.*"))
 		{
 			dom = referer.toLowerCase().substring(0,
 					referer.indexOf(".diagrams.net/") + 13);
 		}
 		else if (referer != null && referer.toLowerCase()
-				.matches("https?://([a-z0-9,-]+[.])*quipelements[.]com/.*"))
+				.matches("^https?://([a-z0-9,-]+[.])*quipelements[.]com/.*"))
 		{
 			dom = referer.toLowerCase().substring(0,
 					referer.indexOf(".quipelements.com/") + 17);

diff --git a/src/main/java/com/mxgraph/online/Utils.java b/src/main/java/com/mxgraph/online/Utils.java
@@ -21,6 +21,10 @@
 import java.util.zip.Deflater;
 import java.util.zip.Inflater;
 import java.util.zip.InflaterInputStream;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.net.UnknownHostException;
+import java.net.InetAddress;
 
 /**
  * 

diff --git a/src/main/webapp/electron.js b/src/main/webapp/electron.js
@@ -92,7 +92,8 @@ function createWindow (opt = {})
 		webPreferences: {
 			preload: `${__dirname}/electron-preload.js`,
 			spellcheck: enableSpellCheck,
-			contextIsolation: true
+			contextIsolation: true,
+			disableBlinkFeatures: 'Auxclick'
 		}
 	}, opt)
 
@@ -298,7 +299,8 @@ app.on('ready', e =>
 			show : false,
 			webPreferences: {
 				preload: `${__dirname}/electron-preload.js`,
-				contextIsolation: true
+				contextIsolation: true,
+				disableBlinkFeatures: 'Auxclick'
 			}
 		});
 
@@ -851,6 +853,34 @@ app.on('will-finish-launching', function()
 		}
 	});
 });
+
+app.on('web-contents-created', (event, contents) => {
+	// Disable navigation
+	contents.on('will-navigate', (event, navigationUrl) => {
+		event.preventDefault()
+	})
+
+	// Limit creation of new windows (we also override window.open)
+	contents.setWindowOpenHandler(({ url }) => {
+		// We allow external absolute URLs to be open externally (check openExternal for details) and also empty windows (url -> about:blank)
+		if (url.startsWith('about:blank'))
+		{
+			return {
+				action: 'allow',
+				overrideBrowserWindowOptions: {
+					fullscreenable: false,
+					webPreferences: {
+						contextIsolation: true
+					}
+				}
+			}
+		} 
+		else if (!openExternal(url))
+		{
+			return {action: 'deny'}
+		}
+	})
+})
 
 autoUpdater.on('error', e => log.error('@error@\n', e))
 
@@ -1229,7 +1259,8 @@ function exportDiagram(event, args, directFinalize)
 			webPreferences: {
 				preload: `${__dirname}/electron-preload.js`,
 				backgroundThrottling: false,
-				contextIsolation: true
+				contextIsolation: true,
+				disableBlinkFeatures: 'Auxclick'
 			},
 			show : false,
 			frame: false,
@@ -1892,7 +1923,10 @@ function openExternal(url)
 	if (allowedUrls.test(url))
 	{
 		shell.openExternal(url);
+		return true;
 	}
+
+	return false;
 }
 
 function watchFile(path)

diff --git a/src/main/webapp/js/app.min.js b/src/main/webapp/js/app.min.js
@@ -468,7 +468,7 @@ a),DRAWIO_GITLAB_URL=a);a=urlParams["gitlab-id"];null!=a&&(DRAWIO_GITLAB_ID=a);w
 if("1"==urlParams.offline||"1"==urlParams.demo||"1"==urlParams.stealth||"1"==urlParams.local||"1"==urlParams.lockdown)urlParams.picker="0",urlParams.gapi="0",urlParams.db="0",urlParams.od="0",urlParams.gh="0",urlParams.gl="0",urlParams.tr="0";
 "se.diagrams.net"==window.location.hostname&&(urlParams.db="0",urlParams.od="0",urlParams.gh="0",urlParams.gl="0",urlParams.tr="0",urlParams.plugins="0",urlParams.mode="google",urlParams.lockdown="1",window.DRAWIO_GOOGLE_APP_ID=window.DRAWIO_GOOGLE_APP_ID||"184079235871",window.DRAWIO_GOOGLE_CLIENT_ID=window.DRAWIO_GOOGLE_CLIENT_ID||"184079235871-pjf5nn0lff27lk8qf0770gmffiv9gt61.apps.googleusercontent.com");"trello"==urlParams.mode&&(urlParams.tr="1");
 "embed.diagrams.net"==window.location.hostname&&(urlParams.embed="1");(null==window.location.hash||1>=window.location.hash.length)&&null!=urlParams.open&&(window.location.hash=urlParams.open);window.urlParams=window.urlParams||{};window.MAX_REQUEST_SIZE=window.MAX_REQUEST_SIZE||10485760;window.MAX_AREA=window.MAX_AREA||225E6;window.EXPORT_URL=window.EXPORT_URL||"/export";window.SAVE_URL=window.SAVE_URL||"/save";window.OPEN_URL=window.OPEN_URL||"/open";window.RESOURCES_PATH=window.RESOURCES_PATH||"resources";window.RESOURCE_BASE=window.RESOURCE_BASE||window.RESOURCES_PATH+"/grapheditor";window.STENCIL_PATH=window.STENCIL_PATH||"stencils";window.IMAGE_PATH=window.IMAGE_PATH||"images";
-window.STYLE_PATH=window.STYLE_PATH||"styles";window.CSS_PATH=window.CSS_PATH||"styles";window.OPEN_FORM=window.OPEN_FORM||"open.html";window.mxBasePath=window.mxBasePath||"mxgraph";window.mxImageBasePath=window.mxImageBasePath||"mxgraph/images";window.mxLanguage=window.mxLanguage||urlParams.lang;window.mxLanguages=window.mxLanguages||["de","se"];var mxClient={VERSION:"18.0.6",IS_IE:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("MSIE"),IS_IE11:null!=navigator.userAgent&&!!navigator.userAgent.match(/Trident\/7\./),IS_EDGE:null!=navigator.userAgent&&!!navigator.userAgent.match(/Edge\//),IS_EM:"spellcheck"in document.createElement("textarea")&&8==document.documentMode,VML_PREFIX:"v",OFFICE_PREFIX:"o",IS_NS:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("Mozilla/")&&0>navigator.userAgent.indexOf("MSIE")&&0>navigator.userAgent.indexOf("Edge/"),
+window.STYLE_PATH=window.STYLE_PATH||"styles";window.CSS_PATH=window.CSS_PATH||"styles";window.OPEN_FORM=window.OPEN_FORM||"open.html";window.mxBasePath=window.mxBasePath||"mxgraph";window.mxImageBasePath=window.mxImageBasePath||"mxgraph/images";window.mxLanguage=window.mxLanguage||urlParams.lang;window.mxLanguages=window.mxLanguages||["de","se"];var mxClient={VERSION:"18.0.7",IS_IE:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("MSIE"),IS_IE11:null!=navigator.userAgent&&!!navigator.userAgent.match(/Trident\/7\./),IS_EDGE:null!=navigator.userAgent&&!!navigator.userAgent.match(/Edge\//),IS_EM:"spellcheck"in document.createElement("textarea")&&8==document.documentMode,VML_PREFIX:"v",OFFICE_PREFIX:"o",IS_NS:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("Mozilla/")&&0>navigator.userAgent.indexOf("MSIE")&&0>navigator.userAgent.indexOf("Edge/"),
 IS_OP:null!=navigator.userAgent&&(0<=navigator.userAgent.indexOf("Opera/")||0<=navigator.userAgent.indexOf("OPR/")),IS_OT:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("Presto/")&&0>navigator.userAgent.indexOf("Presto/2.4.")&&0>navigator.userAgent.indexOf("Presto/2.3.")&&0>navigator.userAgent.indexOf("Presto/2.2.")&&0>navigator.userAgent.indexOf("Presto/2.1.")&&0>navigator.userAgent.indexOf("Presto/2.0.")&&0>navigator.userAgent.indexOf("Presto/1."),IS_SF:/Apple Computer, Inc/.test(navigator.vendor),
 IS_ANDROID:0<=navigator.appVersion.indexOf("Android"),IS_IOS:/iP(hone|od|ad)/.test(navigator.platform)||navigator.userAgent.match(/Mac/)&&navigator.maxTouchPoints&&2<navigator.maxTouchPoints,IS_WEBVIEW:/((iPhone|iPod|iPad).*AppleWebKit(?!.*Version)|; wv)/i.test(navigator.userAgent),IS_GC:/Google Inc/.test(navigator.vendor),IS_CHROMEAPP:null!=window.chrome&&null!=chrome.app&&null!=chrome.app.runtime,IS_FF:"undefined"!==typeof InstallTrigger,IS_MT:0<=navigator.userAgent.indexOf("Firefox/")&&0>navigator.userAgent.indexOf("Firefox/1.")&&
 0>navigator.userAgent.indexOf("Firefox/2.")||0<=navigator.userAgent.indexOf("Iceweasel/")&&0>navigator.userAgent.indexOf("Iceweasel/1.")&&0>navigator.userAgent.indexOf("Iceweasel/2.")||0<=navigator.userAgent.indexOf("SeaMonkey/")&&0>navigator.userAgent.indexOf("SeaMonkey/1.")||0<=navigator.userAgent.indexOf("Iceape/")&&0>navigator.userAgent.indexOf("Iceape/1."),IS_SVG:"MICROSOFT INTERNET EXPLORER"!=navigator.appName.toUpperCase(),NO_FO:!document.createElementNS||"[object SVGForeignObjectElement]"!==
@@ -11694,7 +11694,7 @@ D.appendChild(R);Q.appendChild(D);this.container=Q};var W=ChangePageSetup.protot
 this.format);null!=this.mathEnabled&&(this.page.viewState.mathEnabled=this.mathEnabled);null!=this.shadowVisible&&(this.page.viewState.shadowVisible=this.shadowVisible)}}else W.apply(this,arguments),null!=this.mathEnabled&&this.mathEnabled!=this.ui.isMathEnabled()&&(this.ui.setMathEnabled(this.mathEnabled),this.mathEnabled=!this.mathEnabled),null!=this.shadowVisible&&this.shadowVisible!=this.ui.editor.graph.shadowVisible&&(this.ui.editor.graph.setShadowVisible(this.shadowVisible),this.shadowVisible=
 !this.shadowVisible)};Editor.prototype.useCanvasForExport=!1;try{var U=document.createElement("canvas"),X=new Image;X.onload=function(){try{U.getContext("2d").drawImage(X,0,0);var u=U.toDataURL("image/png");Editor.prototype.useCanvasForExport=null!=u&&6<u.length}catch(D){}};X.src="data:image/svg+xml;base64,"+btoa(unescape(encodeURIComponent('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="1px" height="1px" version="1.1"><foreignObject pointer-events="all" width="1" height="1"><div xmlns="http://www.w3.org/1999/xhtml"></div></foreignObject></svg>')))}catch(u){}})();
 (function(){var b=new mxObjectCodec(new ChangePageSetup,["ui","previousColor","previousImage","previousFormat"]);b.beforeDecode=function(e,f,c){c.ui=e.ui;return f};b.afterDecode=function(e,f,c){c.previousColor=c.color;c.previousImage=c.image;c.previousFormat=c.format;null!=c.foldingEnabled&&(c.foldingEnabled=!c.foldingEnabled);null!=c.mathEnabled&&(c.mathEnabled=!c.mathEnabled);null!=c.shadowVisible&&(c.shadowVisible=!c.shadowVisible);return c};mxCodecRegistry.register(b)})();
-(function(){var b=new mxObjectCodec(new ChangeGridColor,["ui"]);b.beforeDecode=function(e,f,c){c.ui=e.ui;return f};mxCodecRegistry.register(b)})();(function(){EditorUi.VERSION="18.0.6";EditorUi.compactUi="atlas"!=uiTheme;Editor.isDarkMode()&&(mxGraphView.prototype.gridColor=mxGraphView.prototype.defaultDarkGridColor);EditorUi.enableLogging="1"!=urlParams.stealth&&"1"!=urlParams.lockdown&&(/.*\.draw\.io$/.test(window.location.hostname)||/.*\.diagrams\.net$/.test(window.location.hostname))&&"support.draw.io"!=window.location.hostname;EditorUi.drawHost=window.DRAWIO_BASE_URL;EditorUi.lightboxHost=window.DRAWIO_LIGHTBOX_URL;EditorUi.lastErrorMessage=
+(function(){var b=new mxObjectCodec(new ChangeGridColor,["ui"]);b.beforeDecode=function(e,f,c){c.ui=e.ui;return f};mxCodecRegistry.register(b)})();(function(){EditorUi.VERSION="18.0.7";EditorUi.compactUi="atlas"!=uiTheme;Editor.isDarkMode()&&(mxGraphView.prototype.gridColor=mxGraphView.prototype.defaultDarkGridColor);EditorUi.enableLogging="1"!=urlParams.stealth&&"1"!=urlParams.lockdown&&(/.*\.draw\.io$/.test(window.location.hostname)||/.*\.diagrams\.net$/.test(window.location.hostname))&&"support.draw.io"!=window.location.hostname;EditorUi.drawHost=window.DRAWIO_BASE_URL;EditorUi.lightboxHost=window.DRAWIO_LIGHTBOX_URL;EditorUi.lastErrorMessage=
 null;EditorUi.ignoredAnonymizedChars="\n\t`~!@#$%^&*()_+{}|:\"<>?-=[];'./,\n\t";EditorUi.templateFile=TEMPLATE_PATH+"/index.xml";EditorUi.cacheUrl=window.REALTIME_URL;null==EditorUi.cacheUrl&&"undefined"!==typeof DrawioFile&&(DrawioFile.SYNC="none");Editor.cacheTimeout=1E4;EditorUi.enablePlantUml=EditorUi.enableLogging;EditorUi.isElectronApp=null!=window&&null!=window.process&&null!=window.process.versions&&null!=window.process.versions.electron;EditorUi.nativeFileSupport=!mxClient.IS_OP&&!EditorUi.isElectronApp&&
 "1"!=urlParams.extAuth&&"showSaveFilePicker"in window&&"showOpenFilePicker"in window;EditorUi.enableDrafts=!mxClient.IS_CHROMEAPP&&isLocalStorage&&"0"!=urlParams.drafts;EditorUi.scratchpadHelpLink="https://www.diagrams.net/doc/faq/scratchpad";EditorUi.enableHtmlEditOption=!0;EditorUi.defaultMermaidConfig={theme:"neutral",arrowMarkerAbsolute:!1,flowchart:{htmlLabels:!1},sequence:{diagramMarginX:50,diagramMarginY:10,actorMargin:50,width:150,height:65,boxMargin:10,boxTextMargin:5,noteMargin:10,messageMargin:35,
 mirrorActors:!0,bottomMarginAdj:1,useMaxWidth:!0,rightAngles:!1,showSequenceNumbers:!1},gantt:{titleTopMargin:25,barHeight:20,barGap:4,topPadding:50,leftPadding:75,gridLineStartPadding:35,fontSize:11,fontFamily:'"Open-Sans", "sans-serif"',numberSectionStyles:4,axisFormat:"%Y-%m-%d"}};EditorUi.logError=function(d,g,k,l,p,q,x){q=null!=q?q:0<=d.indexOf("NetworkError")||0<=d.indexOf("SecurityError")||0<=d.indexOf("NS_ERROR_FAILURE")||0<=d.indexOf("out of memory")?"CONFIG":"SEVERE";if(EditorUi.enableLogging&&