Kiwi TCMS 8.1

security, improvements, bug fixes

Posted by Kiwi TCMS Team on Wed 04 March 2020 under releases

We're happy to announce Kiwi TCMS version 8.1!

IMPORTANT: this is a small security and improvement release which also includes several bug fixes, internal refactoring and updated translations. You can explore everything at https://public.tenant.kiwitcms.org!

Supported upgrade paths:

5.3   (or older) -> 5.3.1
5.3.1 (or newer) -> 6.0.1
6.0.1            -> 6.1
6.1              -> 6.1.1
6.1.1            -> 6.2 (or newer)

Docker images:

kiwitcms/kiwi       latest  fbb363af2d90    557 MB
kiwitcms/kiwi       6.2     7870085ad415    957 MB
kiwitcms/kiwi       6.1.1   49fa42ddfe4d    955 MB
kiwitcms/kiwi       6.1     b559123d25b0    970 MB
kiwitcms/kiwi       6.0.1   87b24d94197d    970 MB
kiwitcms/kiwi       5.3.1   a420465852be    976 MB

Changes since Kiwi TCMS 8.0

Security

  • JSON-RPC handler will now HTML escape all strings. This prevents XSS attacks via tags, components or anything else which is loaded on the web page via RPC and then shown as a string. Even if someone saves <script>alert(123);</script> in the database, the returned result will be HTML escaped and will not be executed as JavaScript!

    Notes:

    This is easy to exploit, but anyone able to do so must already have an account on your Kiwi TCMS installation with write privileges. Someone with such an account can cause a lot more damage much more easily!

  • Update Django from 3.0.3 to 3.0.4, which fixes the security issue CVE-2020-9402: potential SQL injection via the tolerance parameter in GIS functions and aggregates on Oracle. We believe this does not affect Kiwi TCMS.
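The escaping described in the first security bullet above, as an added example that is not Kiwi TCMS code: a toy JSON-RPC 2.0 dispatcher that HTML-escapes every string (recursively, dict keys included) in a method result before serialising it. The method name Tag.filter, the in-memory FAKE_TAGS rows and the whole dispatch/call layer are constructed for the illustration; the second tag name is the payload from the release note.

```python
import html
import json

# Constructed stand-in for rows in the database. The second tag name is the
# payload from the release note, saved by a user who has write privileges.
FAKE_TAGS = [
    {"id": 1, "name": "regression"},
    {"id": 2, "name": "<script>alert(123);</script>"},
]


def escape_strings(value):
    """Recursively HTML-escape every str in a JSON-RPC result.

    Strings are escaped, including dict keys (they may also come from user
    data); ints, floats, bools and None pass through untouched so the client
    still receives proper JSON types rather than quoted strings.
    """
    if isinstance(value, str):
        return html.escape(value, quote=True)
    if isinstance(value, list):
        return [escape_strings(item) for item in value]
    if isinstance(value, dict):
        return {escape_strings(k): escape_strings(v) for k, v in value.items()}
    return value


def tag_filter(query=""):
    """Hypothetical RPC method: tags whose name contains ``query``."""
    return [dict(tag) for tag in FAKE_TAGS if query in tag["name"]]


METHODS = {"Tag.filter": tag_filter}


def dispatch(request_json):
    """Minimal JSON-RPC 2.0 dispatcher: escape the result before serialising."""
    request = json.loads(request_json)
    method = METHODS.get(request["method"])
    if method is None:
        error = {"code": -32601, "message": "Method not found"}
        return json.dumps({"jsonrpc": "2.0", "id": request.get("id"), "error": error})
    result = method(*request.get("params", []))
    return json.dumps(
        {"jsonrpc": "2.0", "id": request.get("id"), "result": escape_strings(result)}
    )


def call(method, *params):
    """Client-side helper: send one request and return the decoded response."""
    request = json.dumps(
        {"jsonrpc": "2.0", "id": 1, "method": method, "params": list(params)}
    )
    return json.loads(dispatch(request))


if __name__ == "__main__":
    response = call("Tag.filter", "script")
    print(response["result"][0]["name"])
    # -> &lt;script&gt;alert(123);&lt;/script&gt;
```

Because the escaping happens in the RPC layer rather than in the template, clients that do not render HTML (a command-line API client, a script exporting results to CSV) now receive entities such as &lt; instead of the raw characters and must unescape them if they need the original value. The browser side still has to insert RPC strings with textContent or an escaping template helper, not innerHTML, so that the entities are displayed literally.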

Improvements

  • Update bleach from 3.1.0 to 3.1.1

  • Update django-colorfield from 0.1.15 to 0.2.1

  • Update markdown from 3.2 to 3.2.1

  • On bug creation send email to assignee. Fixes Issue #1154 (Mfon Eti-mfon)

  • Make it possible to provide override settings in a directory. Kiwi TCMS will respect:

    • local_settings.py
    • local_settings_dir/*.py

    For more information see https://kiwitcms.readthedocs.io/en/latest/installing_docker.html#customization

  • Allow adding TestPlan to TestCase via UI. Fixes Issue #1021

  • Add visual representation of failures in TestCase health telemetry

  • Add helper text to TestExecutionStatus admin

  • Add link to discussion forum in Help menu
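The override-settings directory described in the Improvements list above, as an added example that is not Kiwi TCMS code: a loader that executes every *.py file in a directory in sorted filename order and copies the UPPER_CASE names into the settings dict, so a later file overrides an earlier one. The function names, the BASE_SETTINGS dict and the three override files (written to a temporary directory so the example runs offline) are constructed for the illustration; seeding each file with the settings accumulated so far, so a file can extend INSTALLED_APPS instead of replacing it, is this example's design choice, not something the page states about Kiwi TCMS.

```python
import glob
import os
import tempfile


def is_setting(name):
    """Django convention: settings are UPPER_CASE module attributes.

    Helper names and anything starting with an underscore stay private to
    the override file and are not copied into the merged settings.
    """
    return name.isupper() and not name.startswith("_")


def load_override_dir(settings, settings_dir):
    """Apply every ``*.py`` in ``settings_dir`` on top of ``settings``.

    Files run in sorted filename order, so ``20_pagination.py`` overrides
    ``10_database.py``. Each file sees the settings accumulated so far
    (assumption of this example), which lets it extend a list setting.
    """
    merged = dict(settings)
    for path in sorted(glob.glob(os.path.join(settings_dir, "*.py"))):
        namespace = dict(merged)
        with open(path, encoding="utf-8") as handle:
            exec(compile(handle.read(), path, "exec"), namespace)
        for name, value in namespace.items():
            if is_setting(name):
                merged[name] = value
    return merged


# Constructed override files; in a real deployment they live in
# local_settings_dir/ next to local_settings.py.
OVERRIDES = {
    "10_database.py": "DEFAULT_PAGE_SIZE = 50\nEMAIL_HOST = 'smtp.internal.example'\n",
    "20_pagination.py": "DEFAULT_PAGE_SIZE = 25\n_helper = 'not a setting'\n",
    "30_apps.py": "INSTALLED_APPS = INSTALLED_APPS + ['my_plugin']\n",
}
BASE_SETTINGS = {"DEBUG": False, "DEFAULT_PAGE_SIZE": 100, "INSTALLED_APPS": ["tcms"]}


def demo():
    """Write the constructed files to a temp dir and return the merged settings."""
    with tempfile.TemporaryDirectory() as tmp:
        for filename, body in OVERRIDES.items():
            with open(os.path.join(tmp, filename), "w", encoding="utf-8") as handle:
                handle.write(body)
        # A non-.py file is ignored, even if it contains settings-like text.
        with open(os.path.join(tmp, "README.txt"), "w", encoding="utf-8") as handle:
            handle.write("DEBUG = True\n")
        return load_override_dir(BASE_SETTINGS, tmp)


if __name__ == "__main__":
    for name, value in sorted(demo().items()):
        print(f"{name} = {value!r}")
```

Every file in that directory is executed as Python with the privileges of the web process, so treat it like local_settings.py itself: keep it owned by root, readable but not writable by the user the container runs as, and never mount a directory that application users or other containers can write to.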

API

  • TestCase.create() method no longer accepts the product or product_id fields, which were previously deprecated
  • API methods which receive True/False values will no longer parse yes, no, 1, 0. The only accepted values are the boolean constants of the calling programming language, which are transmitted via XML-RPC or JSON-RPC and converted to native booleans on the backend

Bug fixes

  • The number of search results shown per page can now be controlled via DEFAULT_PAGE_SIZE setting, which is 100 by default. Fixes Issue #1210 (Ivailo Karabojkov)
  • Use comma separated display of components in bug reports. Fixes Issue #1157 (Ivailo Karabojkov)
  • Update selector for 'Select All' test executions in TestRun page. Fixes Issue #1404
  • Fix crash when sorting test cases in TestPlan page. Fixes Sentry #KIWI-TCMS-A6
  • Fix a TC-undefined displayed in TestCase health telemetry

Refactoring

  • Add test for TestRunAdmin.change_view() (Mariyan Garvanski)
  • Remove unused showCaseRunsWithSelectedStatus
  • Internal JavaScript updates

GitHub Marketplace listing deprecation

As we've stated previously, Kiwi TCMS has migrated to a new GitHub backend, OAuth tokens for the previous backend have been revoked, and the existing listing on GitHub Marketplace is deprecated. It is a non-functioning app at the moment!

It is not possible for us to cancel Marketplace subscriptions programmatically, because GitHub does not provide an API for that. Active subscribers, please follow these 3 steps to help us clean up stale information:

  • Go to https://github.com/marketplace/kiwi-tcms
  • From "Edit your plan" button at the top select your GitHub account
  • Then click "Cancel this plan" link which is at the left-hand side at the bottom of the description box!

How to upgrade

Backup first! If you are using Kiwi TCMS as a Docker container then:

cd path/containing/docker-compose/
docker-compose down
docker pull kiwitcms/kiwi
docker pull centos/mariadb-103-centos7
docker-compose up -d
docker exec -it kiwi_web /Kiwi/manage.py migrate

WHERE: docker-compose.yml is the copy you maintain in your private git repository! The file provided in our GitHub repository is only an example, not for production use!

WARNING: kiwitcms/kiwi:latest and docker-compose.yml will always point to the latest available version! If you have to upgrade in steps, e.g. between several intermediate releases, you have to modify the above workflow:

# starting from an older Kiwi TCMS version
docker-compose down
docker pull kiwitcms/kiwi:<next_upgrade_version>
edit docker-compose.yml to use kiwitcms/kiwi:<next_upgrade_version>
docker-compose up -d
docker exec -it kiwi_web /Kiwi/manage.py migrate
# repeat until you have reached latest
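The stepwise upgrade above, automated as an added example that is not Kiwi TCMS code: given the version currently running, it computes which tags in the supported upgrade path still have to be applied (every intermediate release newer than the running one, then latest), re-points the image line of docker-compose.yml at each tag and runs the same down / pull / up / migrate sequence for each step. The function names and the dry-run mode are this example's own; it assumes it is run from the directory holding docker-compose.yml, that the image line reads "image: kiwitcms/kiwi:<tag>" and that the web container is named kiwi_web, as in the commands above.

```python
import re
import subprocess

# Supported upgrade path from the release notes, oldest to newest. "latest"
# stands for 6.2 and everything after it.
CHAIN = ["5.3.1", "6.0.1", "6.1", "6.1.1", "latest"]

# Matches the image line with or without an existing tag.
COMPOSE_IMAGE = re.compile(r"(image:\s*kiwitcms/kiwi)(?::\S+)?")


def parse_version(tag):
    """'6.1' -> (6, 1, 0), so tags compare numerically instead of as strings."""
    parts = [int(piece) for piece in tag.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def upgrade_steps(current):
    """Tags to step through, in order, starting from the running version."""
    if current == "latest":
        return []
    running = parse_version(current)
    return [tag for tag in CHAIN if tag == "latest" or parse_version(tag) > running]


def retag_compose(compose_text, tag):
    """Point the kiwitcms/kiwi image line of docker-compose.yml at ``tag``."""
    new_text, count = COMPOSE_IMAGE.subn(rf"\g<1>:{tag}", compose_text)
    if count != 1:
        raise ValueError(f"expected exactly one kiwitcms/kiwi image line, found {count}")
    return new_text


def upgrade(current, compose_path="docker-compose.yml", dry_run=True):
    """Walk the chain; with dry_run the plan is printed instead of executed.

    Returns the list of commands that were (or would be) run, in order.
    """
    executed = []

    def run(cmd):
        executed.append(cmd)
        if dry_run:
            print("would run:", " ".join(cmd))
        else:
            subprocess.run(cmd, check=True)

    for tag in upgrade_steps(current):
        run(["docker-compose", "down"])
        run(["docker", "pull", f"kiwitcms/kiwi:{tag}"])
        run(["docker", "pull", "centos/mariadb-103-centos7"])
        if dry_run:
            print(f"would retag {compose_path} to kiwitcms/kiwi:{tag}")
        else:
            with open(compose_path, encoding="utf-8") as handle:
                text = handle.read()
            with open(compose_path, "w", encoding="utf-8") as handle:
                handle.write(retag_compose(text, tag))
        run(["docker-compose", "up", "-d"])
        # No -it: this runs from a script, not an interactive shell.
        run(["docker", "exec", "kiwi_web", "/Kiwi/manage.py", "migrate"])
    return executed


if __name__ == "__main__":
    import sys

    running = sys.argv[1] if len(sys.argv) > 1 else "6.0.1"
    upgrade(running, dry_run=True)
```

Run it once with dry_run=True (the default) and read the plan before letting it touch a production stack, and back up the database first exactly as the section says; each step's migrate can take a while on a large database, and a failed step leaves the stack on the intermediate tag, which is why the compose file is rewritten before up -d rather than after.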

Happy testing!