Merge branch 'development' - version 3.0.3

Author: Tim Bach

routes/admin.rb

@@ -783,6 +783,141 @@ class Vulnreport < Sinatra::Base
 		redirect "/admin/vulntypes/"
 	end
 
+	get '/admin/vulntypes/export/?' do
+		vulnTypes = VulnType.all()
+
+		builder = Nokogiri::XML::Builder.new do |xml|
+			xml.vulntypes{
+				vulnTypes.each do |vt|
+					xml.vulntype{
+						xml.name vt.name
+						xml.label vt.label
+						xml.cwe vt.cwe_mapping
+						xml.html vt.html
+						xml.priority vt.priority
+						xml.enabledSections vt.enabledSections
+					}
+				end
+			}
+		end
+
+		attachment "vulntypes.xml"
+		return builder.to_xml
+	end
+
+	get '/admin/vulntypes/import/?' do
+		erb :admin_vt_import
+	end
+
+	post '/admin/vulntypes/import/?' do
+		data = params[:vt_import]
+		
+		filesize = (File.size(data[:tempfile]).to_f)/1024
+		if(filesize > 1024)
+			@errstr = "XML File too large - Max 1MB"
+			return erb :error
+		end
+
+		file = File.open(data[:tempfile], "rb")
+		doc = Nokogiri::XML(file)
+
+		@vts = Array.new
+		doc.xpath("//vulntype").each do |vt|
+			vtname = vt.at_xpath(".//name").children.first.text.to_s
+
+			vtlabel = vt.at_xpath(".//label").children
+			if(!vtlabel.nil? && vtlabel.size > 0)
+				vtlabel = vtlabel.first.text.to_s
+			else
+				vtlabel = nil
+			end
+
+			vtcwe = vt.at_xpath(".//cwe").children
+			if(!vtcwe.nil? && vtcwe.size > 0)
+				vtcwe = vtcwe.first.text.to_i
+			else
+				vtcwe = nil
+			end			
+			
+			vtpriority = vt.at_xpath(".//priority").children
+			if(!vtpriority.nil? && vtpriority.size > 0)
+				vtpriority = vtpriority.first.text.to_i
+			else
+				vtpriority = nil
+			end
+
+			vtenabled = vt.at_xpath(".//enabledSections").children.first.text.gsub("[","").gsub("]","").split(",").map{|s| s.to_i}
+
+			vthtml = vt.at_xpath(".//html").children
+			if(!vthtml.nil? && vthtml.size > 0)
+				vthtml = vthtml.first.text.to_s
+			else
+				vthtml = nil
+			end
+
+			newvt = {:name => vtname, :label =>vtlabel, :cwe => vtcwe, :priority => vtpriority, :enabled => vtenabled, :html => vthtml}
+			@vts << newvt
+		end
+
+		@appRecordTypes = RecordType.appRecordTypes()
+
+		erb :admin_vt_import_confirm
+	end
+
+	post '/admin/vulntypes/doImport/?' do
+		selected = params[:vt_confirms].map{|e| e.to_i}
+
+		newRts = Array.new
+		if(!params[:rtms].nil?)
+			params[:rtms].each do |rtid|
+				newRts << rtid.to_i
+			end
+		end
+
+		selected.each do |idx|
+			vtname = params["vt_name_#{idx}"].to_s
+			
+			vtlabel = params["vt_label_#{idx}"]
+			if(vtlabel.nil? || vtlabel.to_s.strip.empty?)
+				vtlabel = nil
+			else
+				vtlabel = vtlabel.to_s
+			end
+
+			vtcwe = params["vt_cwe_#{idx}"]
+			if(vtcwe.nil? || vtcwe.to_s.strip.empty?)
+				vtcwe = nil
+			else
+				vtcwe = vtcwe.to_i
+			end
+
+			vtpriority = params["vt_priority_#{idx}"]
+			if(vtpriority.nil? || vtpriority.to_s.strip.empty?)
+				vtpriority = nil
+			else
+				vtpriority = vtpriority.to_i
+			end
+
+			vtenabled = params["vt_enabled_#{idx}"]
+			if(vtenabled.nil? || vtenabled.to_s.strip.empty?)
+				vtenabled = []
+			else
+				vtenabled = vtenabled.to_s.gsub("[","").gsub("]","").split(",").map{|s| s.to_i}
+			end
+
+			vthtml = params["vt_html_#{idx}"]
+			if(vthtml.nil? || vthtml.to_s.strip.empty?)
+				vthtml = nil
+			else
+				vthtml = vthtml.to_s
+			end
+
+			vt = VulnType.create(:name => vtname, :label => vtlabel, :cwe_mapping => vtcwe, :priority => vtpriority, :html => vthtml, :enabled => true, :enabledRTs => newRts, :enabledSections => vtenabled)
+		end
+
+		redirect "/admin/vulntypes/"
+	end
+
 	get '/admin/vulntypes/:vtid/?' do
 		@vt = VulnType.get(params[:vtid])
 		if(@vt.nil?)

version.rb

@@ -9,7 +9,7 @@ class Vulnreport
 	module VERSION
 		MAJOR = 3
 		MINOR = 0
-		PATCH = 2
+		PATCH = 3
 		PRE = nil
 
 		STRING = [MAJOR,MINOR,PATCH,PRE].compact.join(".")

views/admin_types_nav_partial.erb

@@ -1,7 +1,7 @@
 <div class="row" style="margin-top:-10px; margin-bottom:20px;">
 	<div class="col-lg-12">
 		<ul class="nav nav-tabs">
-			<li role="presentation" <% if request.path_info == "/admin/vulntypes" %>class="active"<% end %>><a href="/admin/vulntypes"><i class="fa fa-wrench"></i> Vulntypes</a></li>
+			<li role="presentation" <% if request.path_info.start_with?("/admin/vulntypes") %>class="active"<% end %>><a href="/admin/vulntypes"><i class="fa fa-wrench"></i> Vulntypes</a></li>
 			<li role="presentation" <% if request.path_info == "/admin/customVTs" %>class="active"<% end %>><a href="/admin/customVTs"><i class="fa fa-asterisk"></i> Custom Vulntypes</a></li>
 			<li role="presentation" <% if request.path_info == "/admin/recordTypes" %>class="active"<% end %>><a href="/admin/recordTypes"><i class="fa fa-cubes"></i> Record Types</a></li>
 			<li role="presentation" <% if request.path_info == "/admin/flags" %>class="active"<% end %>><a href="/admin/flags"><i class="fa fa-flag"></i> App Flags</a></li>

views/admin_vt_import.erb

@@ -0,0 +1,36 @@
+<%= erb :header_partial %>
+
+<div class="row">
+  <div class="col-lg-12">
+    <h1>VulnTypes <small>Administration</small></h1>
+    <ol class="breadcrumb">
+      <li><a href="/admin/settings"><i class="fa fa-cog"></i> Vulnreport Settings</a></li>
+      <li><a href="/admin/vulntypes"><i class="fa fa-wrench"></i> VulnTypes</a></li>
+      <li class="active"><i class="fa fa-wrench"></i> Import</li>
+    </ol>
+  </div>
+</div><!-- /.row -->
+
+<%= erb :admin_types_nav_partial %>
+
+<div class="row">
+  <div class="col-lg-1"></div>
+  <div class="col-lg-6">
+    <p>
+      To import Vulntypes (exported from another Vulnreport system or provided via the <a href="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/salesforce/vulnreport" target="_blank">Vulnreport GitHub repo</a>) select the XML file to upload below.
+    </p>
+  </div>
+</div>
+
+<div class="row">
+  <div class="col-lg-2"></div>
+  <div class="col-lg-3" style="text-align:center;">
+    <form action="/admin/vulntypes/import" method="POST" enctype="multipart/form-data">
+      <%=csrf_tag%>
+      <input type="file" class="form-control" name="vt_import" placeholder="Vulntypes XML File">
+      <button type="submit" class="btn btn-default" style="margin-top:12px;">Import Vulntypes</button>
+    </form>
+  </div>
+</div>
+
+<%= erb :footer_partial %>

views/admin_vt_import_confirm.erb

@@ -0,0 +1,84 @@
+<%= erb :header_partial %>
+
+<script type="text/javascript">
+  $(function() {
+    $("#rt-multiselect").multiSelect({
+                            selectableHeader: "<div class='msHeader'>Available RecordTypes</div>",
+                            selectionHeader: "<div class='msHeader'>Selected RecordTypes</div>",
+                          });
+  });
+</script>
+
+<div class="row">
+  <div class="col-lg-12">
+    <h1>VulnTypes <small>Administration</small></h1>
+    <ol class="breadcrumb">
+      <li><a href="/admin/settings"><i class="fa fa-cog"></i> Vulnreport Settings</a></li>
+      <li><a href="/admin/vulntypes"><i class="fa fa-wrench"></i> VulnTypes</a></li>
+      <li class="active"><i class="fa fa-wrench"></i> Import</li>
+    </ol>
+  </div>
+</div><!-- /.row -->
+
+<%= erb :admin_types_nav_partial %>
+
+<div class="row">
+  <div class="col-lg-1"></div>
+  <div class="col-lg-6">
+    <p>
+      Confirm which Vulntypes you'd like to import from the uploaded XML.
+    </p>
+  </div>
+</div>
+
+<form action="/admin/vulntypes/doImport" method="POST">
+  <%=csrf_tag%>
+  <% @vts.each_with_index do |vt, idx| %>
+    <div class="row" id="vt_<%=idx%>">
+      <div class="col-lg-1"></div>
+      <div class="col-lg-10">
+        <input type="checkbox" name="vt_confirms[]" id="vt_confirm_<%=idx%>" value="<%=idx%>" checked> <%=h(vt[:name])%>
+        <input type="hidden" name="vt_name_<%=idx%>" value="<%=h(vt[:name])%>" />
+        <input type="hidden" name="vt_label_<%=idx%>" value="<%=h(vt[:label])%>" />
+        <input type="hidden" name="vt_cwe_<%=idx%>" value="<%=h(vt[:cwe])%>" />
+        <input type="hidden" name="vt_priority_<%=idx%>" value="<%=h(vt[:priority])%>" />
+        <input type="hidden" name="vt_enabled_<%=idx%>" value="<%=h(vt[:enabled])%>" />
+        <input type="hidden" name="vt_html_<%=idx%>" value="<%=h(vt[:html])%>" />
+      </div>
+      <div class="col-lg-1"></div>
+    </div>
+  <% end %>
+
+  <div class="row">
+    <div class="col-lg-1"></div>
+    <div class="col-lg-10">
+      <hr />
+      <h4 style="margin-top:-20px; margin-left:40px; margin-bottom:20px; color:#999;">
+        App Record Types
+        <small style="font-size:6pt;">Select which Record Types imported Vulntypes should be available on</small>
+      </h4>
+
+      <div class="form-group">
+        <div class="col-sm-2"></div>
+        <div class="col-sm-6">
+          <select multiple="multiple" id="rt-multiselect" name="rtms[]" rel="jqms">
+            <% @appRecordTypes.each do |rt| %>
+              <option value="<%=rt.id%>"><%=h(rt.name)%></option>
+            <% end %>
+          </select>
+        </div>
+      </div>
+    </div>
+    <div class="col-lg-1"></div>
+  </div>
+
+  <div class="row">
+    <div class="col-lg-4"></div>
+    <div class="col-lg-7">
+      <button type="submit" class="btn btn-success" style="margin:20px;">Import Vulntypes</button>
+    </div>
+    <div class="col-lg-1"></div>
+  </div>
+</form>
+
+<%= erb :footer_partial %>

views/admin_vts.erb

@@ -18,7 +18,9 @@
       <div class="panel-heading">
         <span style="font-size:12pt;"><i class="fa fa-wrench"></i> VulnTypes</span>
         <span style="position:absolute;right:25px;">
-          <a href="/admin/vulntypes/new" style="color:#FFF;"><i class="fa fa-plus"></i> New VulnType</a>
+          <a href="/admin/vulntypes/new" style="color:#FFF;"><i class="fa fa-plus"></i> New Vulntype</a>
+          <a href="/admin/vulntypes/export"><button type="button" class="btn btn-xs btn-info" style="margin-left:6px;">Export Vulntypes</button></a>
+          <a href="/admin/vulntypes/import"><button type="button" class="btn btn-xs btn-info" style="margin-left:6px;">Import Vulntypes</button></a>
         </span>
       </div>
       <div class="panel-body">