Skip to content

[bot] Merge 26.7 to develop#661

Merged
github-actions[bot] merged 4 commits into
developfrom
fb_bot_merge_26.7
Jul 8, 2026
Merged

[bot] Merge 26.7 to develop#661
github-actions[bot] merged 4 commits into
developfrom
fb_bot_merge_26.7

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Generated automatically.
Merging changes from: bf07c79
Approve all matching PRs simultaneously.
Approval will trigger automatic merge.
Verify all PRs before approving: https://internal.labkey.com/Scrumtime/Backlog/harvest-gitOpenPullRequests.view?branch=fb_bot_merge_26.7

vagisha and others added 4 commits July 1, 2026 18:34
#### Changes
**Test actions globally swap the NcbiPublicationSearchService singleton with no audit event (Informational)**
* The three Selenium-test support actions (`SetupMockNcbiServiceAction`, `RestoreNcbiServiceAction`, `RegisterMockPublicationAction`) swap a process-wide singleton. They are @RequiresSiteAdmin but otherwise reachable in production, and extended ReadOnlyApiAction, which does no CSRF check and is reachable by a plain GET. 
* Added `requireDevModeForMockNcbiService()`: the actions now return 404 on a non-dev-mode server. Dev machines and TeamCity run in dev mode, so tests are unaffected.
* Changed the three actions from `ReadOnlyApiAction` to `MutatingApiAction`, since they mutate global state, which also requires a POST with a CSRF token.
* The report suggested adding an audit event or compiling these out of production builds. On review we found that gating them to dev mode is a better fix, since it removes the production attack surface entirely rather than just recording the swap.

**Uses System.out instead of Log4J2 (Informational)**
* `ExperimentModificationGetter`: removed System.out helpers printStructuralMod and printIsotopicMod and their call sites.

**Tests**
* `PublicationSearchTest`: invoke the three mock-NCBI actions with `SimplePostCommand `instead of `SimpleGetCommand`.
#### Changes
***Stored XSS (High) - result views and email preview**
* failureDetail.jsp: HTML-encode the failure language and stack trace
* runDetail.jsp: render the run log/xml popup via a `<pre>` textContent node instead of document.write of concatenated HTML.
* trainingdata.jsp: render the daily-email preview in a sandboxed iframe (scripts disabled, opaque origin) instead of document.write of the raw email HTML.

**Transaction and SQL handling (Medium)**
* ChangeBoundaries.execute: wrapped the GlobalSettings update transaction in try-with-resources so it cannot leak on an exception before commit, and parameterized the INSERT with bind parameters.

**Daily email output encoding (Low)**
* SendTestResultsEmail.getHTMLEmail: HTML-encode the git hash, missing-user name,  problem-table computer name, and test name.

**Logging hygiene (Low)**
* Replaced all five e.printStackTrace() calls with Log4J2 logging that includes the exception.

**Tests**
* Added testViewLogPopup, which opens the run-log popup and asserts the stored log is displayed (the existing tests only exercised the ViewLog API).
@github-actions github-actions Bot merged commit ec34e9f into develop Jul 8, 2026
7 checks passed
@github-actions github-actions Bot deleted the fb_bot_merge_26.7 branch July 8, 2026 14:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants