Version 3.8.0

Release Date: November, 2, 2022

This release focuses on highlighting some of the security concerns of the application.

Updated

  • Database

    Database scripts are now managed by a library called DbUp. It is a way to keep track of migrations and changes to anything related to the database and sql scripts without requiring things like Entity Framework Migrations.

    With this change we have removed the install.aspx page and the setup sql as they are no longer needed. See the installation page for more information on how to use DbUp.

  • Ability to write and execute SQL Statements

    In an ongoing effort to increase the security of the application we will be removing the ability to write and execute sql statements and html directly inside of the application.

    Most of the time for a production application the ability to read and write to the database is managed at the database level and restrcited to a handful of people and the application itself. Being able to execute arbitrary sql statements from inside the application can work around these policies, and in the worst of cases actually delete entire tables from the database. So we have identified some areas that have these increased security concerns and have added a warning label to the page. These will be depreciated and then fully removed in a set of future releases.

  • Custom JavaScript and HTML

    Along the same path as the sql statements, being able to add html and javascript from within the application poses a similar security risk.

    Since this is an open source application, users of this application can update their version of the source code with any custom HTML and Javascript they need. We have added warning messages to these pages and as with the sql pages, they will be depreciated and then fully removed in a set of future releases.

  • SQL showing in application

    There are a few pages where custom SQL scripts will show on a page to the end user. This is another security concern and can expose the inner workings of your application.

    We have removed these queries from showing on the page. This affected both the queries page and the search page. These will still function as before, but the actual SQL statements no longer show. This part of our security efforts.

  • Updated Password Hash

    To be more inline with current industry standards, we have updated the hashing algorithm to a more secure version. This means that the current way to check passwords no longer works, and will require all users to reset their passwords.

Fixed

Fixed an issue with the Project Detail page that was added in the 3.7.0 release. The description wasn’t being encoded properly and arbitrary html and javascript could be executed when viewing bugs related to a specific project.