Activities of "nhontran"

  • ABP Framework version: v5.2.2
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes

Hi, a cross-site scripting issue has been flagged in our project by the penetration test team. This vulnerability is related to the "__tenant" parameter in the query string:

Subject:

Reflected Cross-Site Scripting (XSS)

https://<masked url>/api/* [GET parameter: __tenant]
https://<masked url>/identity/* [GET parameter: __tenant]

Description:

Reflected XSS occurs when malicious JavaScript code is supplied in a user’s request and returned back to them for
execution within their browser in the context of the website itself. This allows an attacker to inject code which is executed
by legitimate users when they are tricked into opening a malicious link or visiting a site under an attacker’s control. This
allows an attacker to perform unauthorised actions in the application on behalf of legitimate users or spread malware via
the application.

The __tenant parameter used in the identified subjects is vulnerable to XSS attacks. An example is demonstrated below:

Payload used:

The attached file is the screenshot of what I tested locally:

Question

Hi, I am unable to create a new post; I keep getting "access has been blocked"

  • ABP Framework version: v5.2.2
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes

Hi, I have followed all the steps below to add the text template file (*.tpl) into the module project: https://docs.abp.io/en/abp/latest/Text-Templating-Scriban

However, I got the error below when running in IIS (debugging with Visual Studio is OK):

2023-01-05 12:23:08.235 +08:00 [ERR] Could not find a file/folder at the location: /Templates/Testing1.tpl
Volo.Abp.AbpException: Could not find a file/folder at the location: /Templates/Testing1.tpl

This issue does not happen with the Application template. Is there any step that I missed?

Hi, we are using ABP 5.2.2 and we plan to move from IdentityServer4 to AWS Cognito (OpenID provider provided by AWS), but we don't know where to start and anything that we need to take into consideration. Could you please give me the high-level tasks that we need to do for this kind of replacement?

Hi, I want to throw a BusinessException with a custom message without passing the error code, or using an error code that does not exist in en.json:

// no error code
throw new BusinessException(null, "custom error message", null);

// error code does not exist
throw new BusinessException("NoErrorCode", "custom error message", null);

But received the output as below:

// no error code
{
  "error": {
    "code": null,
    "message": "An internal error occurred during your request!",
    "details": null,
    "data": {},
    "validationErrors": null
  }
}

// error code does not exist
{
  "error": {
    "code": "NoErrorCode",
    "message": "An internal error occurred during your request!",
    "details": null,
    "data": {},
    "validationErrors": null
  }
}

Any idea?

  • ABP Framework version: v5.2.2
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes / no

Hi, I want to remove the "unique_name" and "preferred_username" claims in the access token but could not figure out how to do it. I have tried to remove all the claims in Api Resources, but these claims still exist.

Any idea how to remove them?

  • ABP Framework version: v5.2.2.
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes

Hi, we have upgraded our solution to ABP 5.2.2 and got one issue when accessing the TenantSwitchModal: we are not allowed to add 'unsafe-eval' to script-src due to a security test. Below is our CSP:

default-src 'self'; script-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;

Could you please help us take a look and advise?

  • ABP Framework version: v5.2.2
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes

Hi, we are having an issue after upgrading our project from ABP 3.3.2 to 5.2.2: it does not work on the IE browser. I know support for the IE browser has ended, but one group of our users still requires it for now.

Could you please advise us how to fix this issue?

  • ABP Framework version: v5.2.2.
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes

Hi, I have tried to add the CMS Kit module to my existing solution but I am getting this error:

C:\Users\Admin\source\repos\AbpModuleTemplate>abp add-module Volo.CmsKit.Pro
[10:48:41 INF] ABP CLI (https://abp.io)
[10:48:41 INF] Version 5.2.2 (Stable)
[10:48:42 WRN] ABP CLI has a newer stable version 5.3.1, please update to get the latest features and fixes.
[10:48:42 WRN]
[10:48:42 WRN] Update Command:
[10:48:42 WRN] dotnet tool update -g Volo.Abp.Cli
[10:48:42 WRN]
[10:48:43 INF] Installing module 'Volo.CmsKit.Pro' to the solution 'AbpModuleTemplate'
[10:48:43 INF] Checking installed npm global packages...
Build started...
Build succeeded.
Your startup project 'AbpModuleTemplate.EntityFrameworkCore' doesn't reference Microsoft.EntityFrameworkCore.Design. This package is required for the Entity Framework Core Tools to work. Ensure your startup project is correct, install the package, and try again.

I am using a totally new startup template solution, with no customization at all. Any idea?

Made with ❤️ on ABP v8.2.0-preview. Updated on March 25, 2024, 15:11