mirror of https://github.com/google/nomulus synced 2026-06-09 16:33:02 +00:00
Commit Graph

97 Commits

Author SHA1 Message Date
Ben McIlwain 7c23413d83 Fix Console API and Angular XSS security flaws (#3076)
This commit addresses the following security vulnerabilities identified in the recent audit of the Console App and Backend APIs:

1. Angular XSS: Removed unsafe [innerHTML] bindings across all console-webapp templates (Contact, Registrars, Registrar Details, Users List) in favor of standard Angular interpolation.
2. Broken Access Control (IDOR): PasswordResetRequestAction and PasswordResetVerifyAction now explicitly verify that the target user's email belongs to the authorized registrarId.
3. Missing Permission Check: ConsoleEppPasswordAction now explicitly checks for CONFIGURE_EPP_CONNECTION permission before updating the EPP password.
4. Denial of Service (DoS): ConsoleBulkDomainAction now strictly limits the size of bulk domain lists (configurable, default 500) to prevent thread exhaustion.
5. Denial of Service (OOM): ConsoleHistoryDataAction now uses .setMaxResults() (configurable, default 500) on JPA native queries to prevent eager loading of the entire database into memory.

Makes the history query limit and bulk domain action limit configurable via RegistryConfig, allowing smaller limits to be used in tests to avoid heavy resource persistence.

Also removes an outdated Joda-Time migration reference from GEMINI.md.
2026-06-24 20:39:42 +00:00
Pavlo Tkach d30cc202d2 Replace CSRF source from cookie to header in the console requests (#3047)
* Update XSRF cookie to be a header

* Replace CSRF cookie with header
2026-05-15 17:45:33 +00:00
Pavlo Tkach 186dd80567 Enable password reset for registrars (#2971) 2026-02-27 20:02:51 +00:00
Pavlo Tkach 49df9c325a Update angular @21 (#2965) 2026-02-24 20:08:27 +00:00
gbrodman dee132d04b Rename visibleInWhois fields to visibleInRdap (#2863)
Still part of b/454947209, removing references to WHOIS where we can. We
keep the registrar type and the column names (at least for now) because
changing those is much more complicated.
2025-11-04 17:37:44 +00:00
Pavlo Tkach fc1eb162f2 Remove Primary Contact from users editing screen (#2856) 2025-10-24 20:12:18 +00:00
Pavlo Tkach 51b579871a Anonymize support users in console history, add minor UI updates (#2851) 2025-10-17 18:57:40 +00:00
Pavlo Tkach 5700a008d6 Add console history frontend (#2832) 2025-09-26 21:25:03 +00:00
gbrodman ea148ac13e Show success message on password reset (#2826) 2025-09-16 18:39:19 +00:00
gbrodman 2b5643df4c Sort registrars list in console (#2820)
This was bugging me slightly
2025-09-05 18:44:17 +00:00
gbrodman 4738b979e4 Add FE for password-reset verification (#2795)
Tested locally and on alpha with dummy values (and throwing an
exception).

I was able to reuse a bit of code from the EPP password reset, but not
all of it.
2025-08-19 03:00:44 +00:00
gbrodman c21b66f0fb Add reset-EPP-password frontend component (#2786) 2025-08-01 19:53:20 +00:00
gbrodman 9f191e9392 Add Registry Lock password reset on front end (#2785)
This is only enabled for admins, for now at least. It sends an email to
the registry lock email address to reset it.
2025-07-28 20:23:39 +00:00
Pavlo Tkach c9ac9437fd Add java code for RegistrarPoc id (#2770) 2025-06-14 17:37:11 +00:00
Pavlo Tkach c5a39bccc5 Add Console POC reminder front-end (#2754) 2025-05-12 20:14:56 +00:00
gbrodman daa7ab3bfa Disable primary-contact editing in console (#2745)
This is necessary because we'll use primary-contact emails as a way of
resetting passwords.

In the UI, don't allow editing of email address for primary contacts,
and don't allow addition/removal of the primary contact field
post-creation.

In the backend, make sure that all emails previously added still exist.
2025-04-29 17:32:29 +00:00
Pavlo Tkach 04a0659197 Disable console whois (#2741) 2025-04-11 15:32:34 +00:00
Pavlo Tkach 98ba80d94e Remove console security settings timeout (#2728) 2025-03-25 19:36:52 +00:00
Pavlo Tkach 5645b2e218 Embed Google Sans font (#2716) 2025-03-14 19:08:12 +00:00
Pavlo Tkach 6c7bf5e5dd Enable Users and Domains actions, add email notification (#2700) 2025-02-28 21:57:49 +00:00
Pavlo Tkach ed95d19b93 Provide prompt for user deletion UI (#2684) 2025-02-21 20:30:03 +00:00
Pavlo Tkach 95831bc8b7 Add suspend / unsuspend to the console (#2675) 2025-02-14 20:41:19 +00:00
Pavlo Tkach 6c138420b0 Fix console nested routes a11y (#2669) 2025-02-05 20:45:21 +00:00
Pavlo Tkach 4ec2919ce3 Update console dependencies (#2659) 2025-01-31 21:40:37 +00:00
Pavlo Tkach 40b6984ffb Improve console screen reader interaction (#2656) 2025-01-31 16:46:25 +00:00
Pavlo Tkach 765bd9834a Add more accessible names to the console (#2652) 2025-01-29 20:19:00 +00:00
Pavlo Tkach 8987fd37c2 Improve console accessibility (#2649) 2025-01-26 00:47:53 +00:00
Pavlo Tkach e3c386a8a7 Add console bulk delete (#2641)
* Add bulk actions to console

* Add console bulk delete

* Add console bulk delete
2025-01-22 15:54:59 +00:00
Pavlo Tkach f649d960c1 Add user email prefix to the console user create (#2623) 2024-12-13 19:47:21 +00:00
Pavlo Tkach 71afc25110 Fix console new user screen layout (#2617) 2024-12-05 18:17:52 +00:00
Pavlo Tkach fa377733be Allow adding existing users to registrar (#2616) 2024-11-27 22:40:32 +00:00
Pavlo Tkach eeed166310 Add console user role update and minor fixes to delete (#2610) 2024-11-15 18:36:10 +00:00
Pavlo Tkach 35f95bbbe4 Add delete user to the console (#2603)
* Add delete user to the console

* Add delete user to the console

* Add delete user to the console
2024-11-08 18:20:01 +00:00
Pavlo Tkach 332f491ac7 Fix cut off status list on domains page (#2601) 2024-10-28 18:20:04 +00:00
Pavlo Tkach 4bd7c18fe9 Add console settings update progress status (#2596) 2024-10-25 22:23:22 +00:00
Pavlo Tkach 91e241374d Add required fields to API users().insert (#2593) 2024-10-17 19:45:12 +00:00
Pavlo Tkach 6e77c89cd6 Add console users screen (#2576) 2024-10-08 16:00:47 +00:00
gbrodman c68d54a5ed Don't show snackbar on rlock-load failure if 403 (#2574)
ACCOUNT_MANAGER users don't have permission to see locks so it'll throw
403s. That's OK, we don't need/want to display that error to the client.
2024-09-30 20:42:33 +00:00
Pavlo Tkach ab5f6cc229 Add environment support to the console build (#2539) 2024-08-30 18:31:28 +00:00
Pavlo Tkach 66513a114e Add OT&E UI to the new console (#2536) 2024-08-23 20:53:45 +00:00
gbrodman 730585cd14 Fix front-end unit tests (#2529)
This doesn't really add any tests, and we'll require many more additions
if we actually want to have full unit testing, but this at least makes
the tests pass when running `npm test`.
2024-08-21 16:39:29 +00:00
Pavlo Tkach d0d28cc7e6 Fix console contact delete button not working (#2528) 2024-08-09 16:42:39 +00:00
Pavlo Tkach 2d1260c01b Allow updating icannReferralEmail through the new console ui (#2525) 2024-08-07 16:28:08 +00:00
Pavlo Tkach fa721e82ff Mark console state field on new registrar form as required (#2509)
2024-07-26 18:46:43 +00:00
Pavlo Tkach 213e06f02e Add registry lock ui (#2500) 2024-07-26 16:02:19 +00:00
gbrodman 233ee09efe Add simple registry-lock-verification page (#2499)
This is a fairly simple page that solely exists to display the result
from the action, and to link the user back to the domain list.
2024-07-23 19:04:35 +00:00
Pavlo Tkach 68b46735cd Prevent focus from being lost on console domains search (#2496) 2024-07-15 18:46:18 +00:00
Pavlo Tkach bfeaf4a23e Add ability to remove elements from console UI per user role (#2495) 2024-07-15 17:45:46 +00:00
Pavlo Tkach 5f9f157494 Move console global loader, fix table scroll bars (#2494) 2024-07-12 18:57:26 +00:00
gbrodman 0f0097c15c Wait to load domain list until a registrar is selected (#2485)
This isn't the worst thing in the world but it does result in a bad
request to the server otherwise, and log/error spam. So, only load the
domains list if we have a registrar selected.
2024-06-25 18:39:53 +00:00