Kiwi TCMS 6.3

fixes XSS vulnerability, GitLab integration

Posted by Kiwi TCMS Team on Tue 04 December 2018

We're happy to announce Kiwi TCMS version 6.3! This is a medium severity security update that includes new versions of Django and Patternfly, new database migrations, lots of improvements, bug fixes and internal refactoring. This version also introduces integration with GitLab issue tracker! You can explore everything at https://demo.kiwitcms.org!

Supported upgrade paths:

5.3   (or older) -> 5.3.1
5.3.1 (or newer) -> 6.0.1
6.0.1            -> 6.1
6.1              -> 6.1.1
6.1.1            -> 6.2 (or newer)

Docker images:

kiwitcms/kiwi       latest  8135624fdca2    960.3 MB
kiwitcms/kiwi       6.2     7870085ad415    957.6 MB
kiwitcms/kiwi       6.1.1   49fa42ddfe4d    955.7 MB
kiwitcms/kiwi       6.1     b559123d25b0    970.2 MB
kiwitcms/kiwi       6.0.1   87b24d94197d    970.1 MB
kiwitcms/kiwi       5.3.1   a420465852be    976.8 MB

Changes since Kiwi TCMS 6.2.1

Security

  • Resolve medium severity XSS vulnerability which can be exploited when previewing malicious text in Simple MDE editor. See CVE-2018-19057, SNYK-JS-SIMPLEMDE-72570
  • Use mozilla/bleach before rendering Markdown to the user as a second layer of protection against the previously mentioned XSS vulnerability

Improvements

  • Update to Django 2.1.4
  • Update to Patternfly 3.58.0
  • Make docker container restartable (Maik Opitz, Adam Hall)
  • Add GitLab issue tracker integration. Fixes Issue #176 (Filipe Arruda, Federal Institute of Pernambuco)
  • Convert Create new TestPlan page to Patternfly (Anton Sankov)
  • Upon successful registration show the list of super-users in case new accounts must be activated manually. This can be the same or expanded version of the addresses in the ADMIN setting. Include super-users in email notifications sent via tcms.signals.notify_admins().
  • Don't include admin/js/*.js files in templates when not necessary. Results in faster page load. Fixes Issue #209
  • Enable nl2br Markdown extension which allows newline characters to be rendered as <br> tags in HTML. Visually the rendered text will look closer to what you seen in the text editor. Fixes Issue #623
  • Use auto-complete for adding components to TestCase

Removed functionality

  • Bulk-update of Category for selected TestCase(s) inside of TestPlan
  • Bulk-update of Components for selected TestCase(s) inside of TestPlan
  • Bulk-update of automated status for selected TestCase(s) inside of TestPlan
  • Bulk-remove for TestCase Component tab

These actions have always been a bit broken and didn't check the correct permission labels. You can still update items individually!

  • Selection of Components when creating new TestCase. Closes Issue #565. Everywhere else Kiwi TCMS doesn't allow selection of many-to-many relationships when creating or editing objects. Tags, Bugs, Components, TestPlans can be added via dedicated tabs once the object has been saved.

Bug fixes

  • Hide KiwiUserAdmin.password field from super-user. Fixes Issue #610
  • Don't show inactive Priority. Fixes Issue #637
  • Don't traceback when adding new users via Admin. Fixes Issue #642
  • Teach TestRun.update() API method to process the stop_date field. Fixes Issue #554 (Anton Sankov)
  • Previously when reporting issues to Bugzilla, directly from a TestRun, Kiwi TCMS displayed the error Enable reporting to this Issue Tracker by configuring its base_url although that has already been configured. This is now fixed. See Stack Overflow #53434949

Database

  • Remove TestPlan.owner field, duplicates TestPlan.author

Translations

Refactoring

  • Remove fmt_queries(). Fixes Issue #330 (Anton Sankov)
  • Remove unused parameter from plan_from_request_or_none(). Refers to Issue #303 (Anton Sankov)
  • Remove ComponentActions() class. Fixes Issue #20
  • Convert lots of AJAX calls to JSON-RPC
  • Remove lots of unused Python, JavaScript and templates. Both after migration to JSON RPC and other leftovers
  • Pylint fixes (Alexander Todorov, Anton Sankov)

How to upgrade

If you are using Kiwi TCMS as a Docker container then:

cd Kiwi/
git pull
docker-compose down
docker pull kiwitcms/kiwi
docker pull centos/mariadb
docker-compose up -d
docker exec -it kiwi_web /Kiwi/manage.py migrate

Don't forget to backup before upgrade!

WARNING: kiwitcms/kiwi:latest and docker-compose.yml will always point to the latest available version! If you have to upgrade in steps, e.g. between several intermediate releases, you have to modify the above workflow:

# starting from an older Kiwi TCMS version
docker-compose down
docker pull kiwitcms/kiwi:<next_upgrade_version>
edit docker-compose.yml to use kiwitcms/kiwi:<next_upgrade_version>
docker-compose up -d
docker exec -it kiwi_web /Kiwi/manage.py migrate
# repeat until you have reached latest

Happy testing!

Subscribe to our newsletter