mirror of https://github.com/Unleash/unleash.git synced 2025-01-06 00:07:44 +01:00
Commit Graph

11164 Commits

Author SHA1 Message Date
Gard Rimestad
685489b9ad
docs: Clarify edge proximity to users (#5601)
A benefit of hosting your own edge instance is that it will be as close
to end users as you are.

---------

Co-authored-by: Thomas Heartman <thomas@getunleash.io>
2023-12-12 12:35:57 +01:00
Gard Rimestad
b9748e0ad6
docs: proxy-hosting link to what frontend api is (#5602)
Adding links to definition of what frontend api is. Can be confusing for
new users to read without seeing what it is.

---------

Co-authored-by: Thomas Heartman <thomas@getunleash.io>
2023-12-12 12:35:09 +01:00
Jaanus Sellin
386c4baa86
feat: keep filters ordered based on user selection (#5609) 2023-12-12 13:01:23 +02:00
Mateusz Kwasniewski
850b78a699
fix: show popover on empty state (#5611) 2023-12-12 11:40:00 +01:00
Ivar Conradi Østhus
43c563af57
fix: optimize headers we return for API calls. (#5607)
Today we include a lot of "security headers" for all API calls. Quite a
lot of them are only relevant when we return an HTML document for the
browser.

This PR removes and simplifies these headers for API calls, so that we do
not include unnecessary data in the HTTP headers.

Each header has been carefully examined by following best practices from
these sources:

- https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
- https://owasp.org/www-project-secure-headers/

This feature is protected with a feature flag named 'stripHeadersOnAPI'.
2023-12-12 10:20:28 +01:00
Mateusz Kwasniewski
eebe43fcb1
feat: show dropdown immediately (#5606) 2023-12-12 09:27:50 +01:00
Mateusz Kwasniewski
e88beff2b2
feat: do not cache old search and filter results (#5600) 2023-12-12 08:47:57 +01:00
andreas-unleash
e02c252636
fix: show Changes scheduled badge for strategies even if change reque… (#5599)
show Changes scheduled badge for strategies even if change requests are
disabled

Closes #[1-1745](https://linear.app/unleash/issue/1-1745/show-changes-scheduled-badge-in-strategy-item-even-if-change-requests)

---------

Signed-off-by: andreas-unleash <andreas@getunleash.ai>
2023-12-12 09:30:57 +02:00
Ivar Conradi Østhus
abf540a1cc
fix: add 'Vary: Origin' header to cors response 2023-12-12 08:05:43 +01:00
Nnenna Ndukwe
7d40ded3c3
Intro React Tutorial (#5579)
## About the changes
Adding in an initial React tutorial with Unleash! This includes
installing Unleash, creating a React application with Vite, then
integrating Unleash to use with a CSS-focused feature toggle.


### Important files

- New File:
`website/docs/feature-flag-tutorials/react/implementing-feature-flags.md`
- Added new tutorial to navigation in `sidebars.js` and
`docusaurus.config.js`



There is a lot of room to make more advanced use case additions to this
React tutorial. For example, addressing SSR.
I think that'd be good for a future iteration to be helpful to the
community.
2023-12-11 12:07:50 -06:00
Christopher Kolstad
18ea7349c6
feat: add created_by to api_tokens table (#5596)
Adds a migration for adding created_by column to the api_tokens table.
2023-12-11 15:41:36 +01:00
Christopher Kolstad
150e6b03dc
feat: add column created_by to roles table (#5595)
Tracking who creates roles
2023-12-11 15:40:17 +01:00
Christopher Kolstad
4f7b3aa759
feat: add column created_by to role_user table (#5594)
As it says in the title. Adds a created_by column to the role_user table
to more easily track who's doing what.
2023-12-11 15:40:02 +01:00
Christopher Kolstad
0f250ba06c
feat: add created_by to role_permission table (#5592)
As it says on the tin. In an attempt to make all operations in Unleash
traceable to an originator. This PR adds created_by to role_permission,
which will show which user assigned a permission to a role.
2023-12-11 15:39:44 +01:00
Christopher Kolstad
ed220c0b89
feat: add column created_by to users table (#5597) 2023-12-11 15:39:07 +01:00
Jaanus Sellin
74f6f15247
feat: do not show project if not multiple projects exist (#5598) 2023-12-11 16:02:10 +02:00
David Leek
5b6a26a828
chore: migration for features created by (#5593)
Contains the migration that adds the column created_by to `features`
2023-12-11 14:58:23 +01:00
David Leek
427abbd8d1
chore: add migration for adding created_by to feature_types table (#5591)
Contains the migration that adds the column created_by to
`feature_types`
2023-12-11 14:57:58 +01:00
David Leek
0f1b89b259
chore: add migration for adding created_by to feature_tag table (#5590)
## About the changes

Contains the migration that adds the column created_by to `feature_tag`
2023-12-11 14:57:40 +01:00
David Leek
27732274a3
chore: add migration for adding created_by to feature_strategies table (#5589)
## About the changes

Contains the migration that adds the column created_by to
`feature_strategies`
2023-12-11 14:57:18 +01:00
Fredrik Strand Oseberg
9dbb7ea9a9
feat: add initial setup for tabs (#5586)
This PR sets up the initial tab structure for the new strategy form
2023-12-11 13:39:21 +01:00
Tymoteusz Czech
d11aedc12f
Project Overview with react-table v8 (#5571) 2023-12-11 13:33:11 +01:00
Mateusz Kwasniewski
ba50d1ef69
feat: adjust styling for search filters (#5587) 2023-12-11 13:11:26 +01:00
Jaanus Sellin
9bae14a2cc
feat: add tags filter (#5584) 2023-12-11 14:10:03 +02:00
Jaanus Sellin
e8f19e6341
fix: added stronger tag validations (#5585)
Now it is impossible to filter based on invalid tag syntax.
2023-12-11 13:34:51 +02:00
Fredrik Strand Oseberg
ec670450fd
feat: initial setup (#5583)
This PR sets up the feature flag for the new strategy configuration and
duplicates the components for the new setup
2023-12-11 12:23:18 +01:00
andreas-unleash
2322e1149a
feat: more info on staleness in health report (#5582)
Adds an info tooltip for potentially stale and a link to configure
feature toggle type lifetime


Closes [UNL-215](https://linear.app/unleash/issue/UNL-215/improve-health-page-with-some-guidance-about-staleness)
<img width="1323" alt="Screenshot 2023-12-11 at 11 39 36"
src="https://github.com/Unleash/unleash/assets/104830839/386ec6e6-55df-42ca-b5e0-ef3e75448452">

<img width="1316" alt="Screenshot 2023-12-11 at 11 43 07"
src="https://github.com/Unleash/unleash/assets/104830839/5bf7df15-ff87-4ce0-be25-0c031c881d05">

---------

Signed-off-by: andreas-unleash <andreas@getunleash.ai>
2023-12-11 13:11:28 +02:00
Thomas Heartman
fb5a487663
feat: add schema for change request strategies (#5578)
This change adds a property to the segmentStrategiesSchema to make sure
that change request strategies are listed in the openapi spec

It also renames the files that contain that schema and its tests from
`admin-strategies-schema` to `segment-strategies-schema`.
2023-12-11 11:01:47 +00:00
Thomas Heartman
0060697c01
docs: document how segment conflicts are handled (#5577)
As discovered in the recent segments breakathon, the docs aren't very
clear about how conflicts are handled. This PR better documents when
they can't be deleted or moved. It also mentions the edge case where a
segment is used in an archived flag (it still can't be deleted, so you
must either delete the flag, or revive it and remove the segment)
2023-12-11 11:47:23 +01:00
Jaanus Sellin
5d80f5fa4d
feat: test filter date item (#5576) 2023-12-11 12:22:00 +02:00
Thomas Heartman
879e4c98e5
feat: show potential schedule conflicts when you archive flags (#5575)
Show change requests that would be impacted by an archive operation


![image](https://github.com/Unleash/unleash/assets/17786332/7b2af89a-7292-4b90-b7a4-768df375e0fb)
2023-12-11 10:45:45 +01:00
Ivar Conradi Østhus
9508c79451
fix: remove secure headers on local dev 2023-12-08 19:51:12 +01:00
Tymoteusz Czech
e5c865b716
fix: menu routes for new features page - mobile option (#5566)
Remove duplicated option in the menu.
2023-12-08 14:53:10 +02:00
Thomas Heartman
cd731cef03
refactor: update the API url for getting scheduled change requests with a strategy (#5573)
Relates to enterprise PR 889; update the API url
2023-12-08 12:29:54 +01:00
Jaanus Sellin
166432bcb0
feat: support localization in date filter (#5572) 2023-12-08 13:20:39 +02:00
Ivar Conradi Østhus
b6f1929efb
Poc/strip client headers on 304 (#5574)
To reduce traffic returned on 304.
2023-12-08 12:14:37 +01:00
Jaanus Sellin
1173b664da
feat: add created date filter component (#5569) 2023-12-08 10:07:57 +02:00
dependabot[bot]
896202e5ae
chore(deps): bump @adobe/css-tools from 4.3.1 to 4.3.2 in /frontend (#5517)
Bumps [@adobe/css-tools](https://github.com/adobe/css-tools) from 4.3.1
to 4.3.2.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/adobe/css-tools/blob/main/History.md"><code>@​adobe/css-tools</code>'s
changelog</a>.</em></p>
<blockquote>
<h1>4.3.2 / 2023-11-28</h1>
<ul>
<li>Fix redos vulnerability with specific crafted css string -
CVE-2023-48631</li>
<li>Fix Problem parsing with :is() and nested :nth-child() <a
href="https://redirect.github.com/adobe/css-tools/issues/211">#211</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/adobe/css-tools/commits">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@adobe/css-tools&package-manager=npm_and_yarn&previous-version=4.3.1&new-version=4.3.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/Unleash/unleash/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-12-07 13:00:07 +01:00
Simon Hornby
0e5861ac33
chore: use explicit images for inverted operator rather than a boolean not operator (#5565) 2023-12-07 13:03:19 +02:00
Jaanus Sellin
e89ebf358e
refactor: split filter configuration with filter visibility state (#5563)
This PR splits the filter configuration with filter visibility state.
This will simplify adding different filter types in future, for example
date filters.
2023-12-07 11:59:35 +02:00
Mateusz Kwasniewski
38d02e1a85
feat: segments operators (#5562) 2023-12-06 17:38:36 +02:00
Thomas Heartman
a228f54344
feat: show scheduled CRs using strategies when removing it (#5560)
Show a warning about how deleting a strategy might mess up scheduled
change requests.

If there are change requests, list them. If there are no conflicts, show
nothing. If we don't know (because of no successful response from the
API), say that it might cause issues.


![image](https://github.com/Unleash/unleash/assets/17786332/2c6a4257-69f5-458a-ab6f-9b2ea2f5d550)
2023-12-06 15:39:17 +01:00
Mateusz Kwasniewski
87ebbb0fa2
feat: segments filter (#5558)
Co-authored-by: sjaanus <sellinjaanus@gmail.com>
2023-12-06 14:50:18 +02:00
Jaanus Sellin
eda4186a6c
fix: state now persists to filters (#5559)
When navigating to features list, now it will respect the query params.
2023-12-06 14:17:49 +02:00
Jaanus Sellin
d9648de08d
chore: rename is not any of to is none of (#5544) 2023-12-06 12:53:51 +02:00
Jaanus Sellin
eb43d37379
feat: segment cell and orval types (#5543) 2023-12-06 12:51:00 +02:00
Jaanus Sellin
b8fabbd726
feat: add new filter button with state (#5556)
[Screencast from 2023-12-05 16-59-28.webm](https://github.com/Unleash/unleash/assets/964450/793c771b-6246-4e28-8c13-920696a48bd5)

---------

Co-authored-by: kwasniew <kwasniewski.mateusz@gmail.com>
2023-12-06 12:50:33 +02:00
andreas-unleash
12f79f90bb
feat: Scheduled change conflict email templates and function (#5547)
Creates a new email template for scheduled change conflicts and a
function to send it.

Relates to:
#[1-1686](https://linear.app/unleash/issue/1-1686/send-an-email-when-the-conflicts-are-detected)


![Screenshot 2023-12-05 at 16 55 51](https://github.com/Unleash/unleash/assets/104830839/4d37527e-bb83-4ac5-9437-09b6ab08c979)

---------

Signed-off-by: andreas-unleash <andreas@getunleash.ai>
Co-authored-by: Thomas Heartman <thomas@getunleash.io>
2023-12-06 11:57:19 +02:00
Mateusz Kwasniewski
da1a9d4036
test: Filter item test (#5557) 2023-12-06 09:10:15 +01:00
renovate[bot]
55e8073e3c
chore(deps): update dependency vite to v4.5.1 [security] (#5554)
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [vite](https://vitejs.dev) ([source](https://togithub.com/vitejs/vite/tree/HEAD/packages/vite)) | [`4.5.0` -> `4.5.1`](https://renovatebot.com/diffs/npm/vite/4.5.0/4.5.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/4.5.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/4.5.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/4.5.0/4.5.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/4.5.0/4.5.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2023-49293](https://togithub.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97)

### Summary
When Vite's HTML transformation is invoked manually via
`server.transformIndexHtml`, the original request URL is passed in
unmodified, and the `html` being transformed contains inline module
scripts (`<script type="module">...</script>`), it is possible to inject
arbitrary HTML into the transformed output by supplying a malicious URL
query string to `server.transformIndexHtml`.

### Impact
Only apps using `appType: 'custom'` and using the default Vite HTML
middleware are affected. The HTML entry must also contain an inline
script. The attack requires a user to click on a malicious URL while
running the dev server. Restricted files aren't exposed to the attacker.

### Patches
Fixed in vite@5.0.5, vite@4.5.1, vite@4.4.12

### Details
Suppose `index.html` contains an inline module script:

```html
<script type="module">
  // Inline script
</script>
```

This script is transformed into a proxy script like

```html
<script type="module" src="/index.html?html-proxy&index=0.js"></script>
```

due to Vite's HTML plugin:


7fd7c6cebf/packages/vite/src/node/plugins/html.ts (L429-L465)

When `appType: 'spa' | 'mpa'`, Vite serves HTML itself, and
`htmlFallbackMiddleware` rewrites `req.url` to the canonical path of
`index.html`,


73ef074b80/packages/vite/src/node/server/middlewares/htmlFallback.ts (L44-L47)

so the `url` passed to `server.transformIndexHtml` is `/index.html`.

However, if `appType: 'custom'`, HTML is served manually, and if
`server.transformIndexHtml` is called with the unmodified request URL
(as the SSR docs suggest), then the path of the transformed `html-proxy`
script varies with the request URL. For example, a request with path `/`
produces

```html
<script type="module" src="/@id/__x00__/index.html?html-proxy&index=0.js"></script>
```

It is possible to abuse this behavior by crafting a request URL to
contain a malicious payload like

```
"></script><script>alert('boom')</script>
```

so a request to
http://localhost:5173/?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E
produces HTML output like

```html
<script type="module" src="/@id/__x00__/?"></script><script>alert("boom")</script>?html-proxy&index=0.js"></script>
```

which demonstrates XSS.

### PoC

- Example 1. Serving HTML from `vite dev` middleware with `appType: 'custom'`
    - Go to https://stackblitz.com/edit/vitejs-vite-9xhma4?file=main.js&terminal=dev-html
    - "Open in New Tab"
    - Edit URL to set query string to `?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E` and navigate
    - Witness XSS:
    - ![image](https://user-images.githubusercontent.com/2456381/287434281-13757894-7a63-4a73-b1e9-d2b024c19d14.png)
- Example 2. Serving HTML from SSR-style Express server (Vite dev server runs in middleware mode):
    - Go to https://stackblitz.com/edit/vitejs-vite-9xhma4?file=main.js&terminal=server
    - (Same steps as above)
- Example 3. Plain `vite dev` (this shows that vanilla `vite dev` is _not_ vulnerable, provided `htmlFallbackMiddleware` is used)
    - Go to https://stackblitz.com/edit/vitejs-vite-9xhma4?file=main.js&terminal=dev
    - (Same steps as above)
    - You should _not_ see the alert box in this case

### Detailed Impact

This will probably predominantly affect [development-mode
SSR](https://vitejs.dev/guide/ssr#setting-up-the-dev-server), where
`vite.transformHtml` is called using the original `req.url`, per the
docs:


7fd7c6cebf/docs/guide/ssr.md (L114-L126)

However, since this vulnerability affects `server.transformIndexHtml`,
the scope of impact may be higher to also include other ad-hoc calls to
`server.transformIndexHtml` from outside of Vite's own codebase.

My best guess at bisecting which versions are vulnerable involves the
following test script

```js
import fs from 'node:fs/promises';
import * as vite from 'vite';

const html = `
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
  </head>
  <body>
    <script type="module">
      // Inline script
    </script>
  </body>
</html>
`;
const server = await vite.createServer({ appType: 'custom' });
const transformed = await server.transformIndexHtml('/?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E', html);
console.log(transformed);
await server.close();
```

and using it I was able to narrow down to #13581. If this is
correct, then vulnerable Vite versions are 4.4.0-beta.2 and higher
(which includes 4.4.0).

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

### [`v4.5.1`](https://togithub.com/vitejs/vite/releases/tag/v4.5.1)

[Compare Source](https://togithub.com/vitejs/vite/compare/v4.5.0...v4.5.1)

Please refer to
[CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v4.5.1/packages/vite/CHANGELOG.md)
for details.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Europe/Madrid,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/Unleash/unleash).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-12-06 00:30:39 +00:00