Tuleap 14.8 is out now: server-side request forgery protection, easy export of project templates, artifact tooltips update… and more. See what our R&D team has developed for you this month in the release note below.
Server Side Request Forgery protection
Server Side Request Forgery (SSRF for the cool kids) is part of the OWASP Top 10. That means it is one of the most critical security risks to web applications.
What is that thing?
To keep it short and simple, in the context of Tuleap an attacker would leverage the application's ability to communicate with other servers (webhooks, continuous-integration triggers, widgets that query external APIs, etc.) to read or update internal resources.
But what is an internal resource?
An internal resource is a part of your infrastructure that should not be exposed to end users. For instance, the MySQL or Redis servers are internal and under no circumstances should they be reachable by end users. But the actual definition of what is internal cannot be decided by the Tuleap team: it really depends on your network architecture.
By default, Tuleap filters all outgoing requests whose destination resolves to a private network.
What is the impact for me ?
That's all great and fun, but what's the point for you? It depends on who you are:
- If you are a malicious person, you will be blocked in your nasty activities.
- If you are an end user, there is little you can do. But if things go south, you might notice that some of your actions no longer trigger everything they should. You should then contact the project administrators.
- If you are a project administrator, you can inspect the logs of the various webhooks to check that they are not being improperly filtered: a refused call shows up as a "407" error (see below for trackers). In that case, reach out to the platform admin team to find the appropriate solution.
- If you are a system administrator, read carefully the corresponding section of the documentation to make sure the filtering rules fit your network layout.
- If you run an instance on a public cloud, the defaults are very likely fine. There is no good reason for Tuleap to call into a private network in that situation. You might even want to tighten the rules further to limit where your users can point things.
- If you run an instance on premises, you will very likely need to change the defaults. While it is very unlikely that you need to reach every private network, some of them host your Jenkins, GitLab, Gerrit, webhook receivers, etc. Those destinations should be allowed, and only those: prefer allowing the specific hosts or subnets you need over opening whole private ranges.
Since we know that Network Is Hard™, we have added alerts to warn administrators whenever a network call is refused by the protection layer. It is a good idea to act promptly when such an alert is raised: it means either that some legitimate traffic is being blocked, or that someone is trying to reach something they should not.
Under the hood, the protection relies on Stripe's Smokescreen, an egress proxy that performs the actual name resolution and filtering. A big thank you to Stripe's engineering teams for releasing and maintaining such a great tool.
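To make the filtering concrete, here is an added illustration written for this note (it is neither Tuleap code nor Smokescreen's): a small Python egress check that resolves the target of a webhook URL, refuses anything landing in private address space unless an administrator allow-listed that range, and reports a refusal with the same "407" code mentioned above. The host names, the DNS table and the allow-list syntax are all constructed for the example.

```python
"""Illustrative SSRF egress filter (added example; not Tuleap or Smokescreen code)."""
import ipaddress
from typing import Callable, Dict, Iterable, List, Union
from urllib.parse import urlsplit

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Non-public ranges refused by default: "this network", RFC 1918, CGNAT,
# loopback, link-local, and the IPv6 unspecified/loopback/ULA/link-local ranges.
BLOCKED_NETWORKS: List[Network] = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS table standing in for real resolution so the example runs offline.
FAKE_DNS: Dict[str, List[str]] = {
    "hooks.example.com": ["203.0.113.10"],                      # public webhook receiver
    "jenkins.corp.example": ["10.20.0.5"],                      # on-premises CI server
    "rebind.attacker.example": ["203.0.113.99", "127.0.0.1"],   # mixed public/private answer
    "metadata.attacker.example": ["::ffff:169.254.169.254"],    # IPv4-mapped IPv6 disguise
}


def fake_resolver(host: str) -> List[str]:
    """Stand-in for DNS lookup; returns every address record for `host`."""
    return FAKE_DNS.get(host, [])


def is_private_target(ip: str, allowlist: Iterable[Network]) -> bool:
    """True if `ip` is in a blocked range and not explicitly allow-listed."""
    addr = ipaddress.ip_address(ip)
    # Unwrap ::ffff:a.b.c.d so the IPv4 rules still apply to mapped addresses.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if any(addr in net for net in allowlist):
        return False
    return any(addr in net for net in BLOCKED_NETWORKS)


def vet_outbound(url: str,
                 resolver: Callable[[str], List[str]] = fake_resolver,
                 allow: Iterable[str] = ()) -> Dict[str, object]:
    """Decide whether an outbound call may proceed.

    Returns {"status": 200, "connect_to": (ip, port)} when every resolved
    address is acceptable, or {"status": 407, "reason": ...} when refused
    (407 is the code the release note says appears in webhook logs).
    """
    allowlist = [ipaddress.ip_network(c, strict=False) for c in allow]
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return {"status": 407, "reason": "unsupported scheme or missing host"}
    port = parts.port or (443 if parts.scheme == "https" else 80)

    try:
        ipaddress.ip_address(host)
        candidates = [host]          # literal IP address, nothing to resolve
    except ValueError:
        candidates = resolver(host)  # hostname: look up all its records
    if not candidates:
        return {"status": 407, "reason": f"{host} did not resolve"}

    # Every record must be acceptable. Refusing on a single private record
    # defeats split answers used for DNS rebinding.
    for ip in candidates:
        if is_private_target(ip, allowlist):
            return {"status": 407, "reason": f"{host} resolves to private address {ip}"}

    # Hand back the vetted address so the caller connects to it directly
    # instead of resolving the name a second time.
    return {"status": 200, "connect_to": (candidates[0], port)}


if __name__ == "__main__":
    for target, allowed in (
        ("https://hooks.example.com/notify", ()),
        ("http://jenkins.corp.example:8080/job/build", ()),
        ("http://jenkins.corp.example:8080/job/build", ("10.20.0.0/16",)),
        ("http://rebind.attacker.example/", ()),
        ("http://metadata.attacker.example/", ()),
        ("http://127.0.0.1:3306/", ()),
    ):
        print(target, allowed, "->", vet_outbound(target, allow=allowed))
```

Two points carry over to any real deployment. First, the caller must open the socket to the address returned in `connect_to` (while still sending the original hostname in the Host header or TLS SNI); re-resolving the name at connect time would reopen the rebinding window the check just closed. Second, the allow-list is the only knob an on-premises administrator should need: list the CI, Git hosting and webhook subnets that must be reachable rather than removing ranges from the blocked set.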
Easy export of Project Templates
One of the most powerful features of Tuleap is the ability to tweak a project to fit exactly your needs and promote it as a template so that others can build on it.
But that was limited to a single server. What about sharing those carefully fine-tuned templates with another company, or with another server in your company?
Until now it was possible but cumbersome, because you had to rely on system administrators to run commands on the server to export your project and do some manual cleanup before shipping it.
That is now a thing of the past!
Each project administrator is now autonomous: in the admin section, under Data > Project export, a dedicated screen exports the whole project structure.
The next step will be to easily import those templates as new projects… be patient and watch this space 😉
Artifacts tooltips update
There is ongoing work on artifact tooltips. To summarize, we are going to merge them with the tooltips shown on the Roadmap. As a consequence, all artifact tooltips will automatically pick up information from some semantics. You might want to adjust your tooltips to avoid duplicated information.
Future deprecated features visible for end users
A bunch of services will be retired later this year. This was announced in the Deprecation Guide, but who reads the docs? So it is now visible in the interface, so that actual users are warned and can take appropriate action:
- CVS: will be removed in September 2023. There is a warning message on all pages.
- Mailman & ForumML: will be removed in September 2023. There is a warning message on all pages, and it is no longer possible to create new mailing lists.
- ProFTPd: the deprecation message has been replaced by a complete block of the UI. It will be removed in June 2023.
In addition, as announced, the following features have been completely removed:
- Artifact Folders
- Reference Aliases
- Distributed SVN
If you don't know what these are, it means you were not using them 🙂
Bugs and requests
There were 53 bugs fixed and requests implemented during the 14.8 release cycle. Bug and security fixes have already been back-ported to Tuleap Enterprise builds. You will find below a detailed list of fixes. The most notable ones are in bold.
Tracker
- #31570 Visual bug in artifact links field after previewing a child
- #31572 Tracker report XLSX export does not export some fields
- #31159 Tracker report with named links with field name that contains a number doesn’t work
- #31203 Wrong pagination in cross tracker widget
- #31590 No more valid user value in modal is not cleared
Import from Jira
- #31567 Import Jira custom checkbox fields
- #31565 Import Jira custom version fields
- #31122 Jira Components field must be imported as a multi selectbox field
- #31549 Be able to choose project visibility at Jira project import
Program Management
- #31520 Program administration error when user cannot access one aggregated project
Git
- #31550 Git UI tab switching must keep selected branch
- #31557 In new Pull Request overview the displayed user name is always the same
MediaWiki
- #31561 Menu separator should not be present when it is the last item
- #31194 Cannot delete an uploaded file
Projects
- #31579 Duplicate a Tuleap project with a lot of trackers can timeout