This commit addresses the following security vulnerabilities identified in the recent audit of the Console App and Backend APIs:

1. Angular XSS: Removed unsafe [innerHTML] bindings across all console-webapp templates (Contact, Registrars, Registrar Details, Users List) in favor of standard Angular interpolation.
2. Broken Access Control (IDOR): PasswordResetRequestAction and PasswordResetVerifyAction now explicitly verify that the target user's email belongs to the authorized registrarId.
3. Missing Permission Check: ConsoleEppPasswordAction now explicitly checks for CONFIGURE_EPP_CONNECTION permission before updating the EPP password.
4. Denial of Service (DoS): ConsoleBulkDomainAction now strictly limits the size of bulk domain lists (configurable, default 500) to prevent thread exhaustion.
5. Denial of Service (OOM): ConsoleHistoryDataAction now uses .setMaxResults() (configurable, default 500) on JPA native queries to prevent eager loading of the entire database into memory.

Makes the history query limit and bulk domain action limit configurable via RegistryConfig, allowing smaller limits to be used in tests to avoid heavy resource persistence.

Also removes an outdated Joda-Time migration reference from GEMINI.md.
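The two server-side checks described in items 2 and 4 above, written out as an added illustration rather than Nomulus code: the types RegistrarUserStore and ConsoleActionGuards and the sample users are hypothetical, and the limit of 500 is the default the commit message names.

```java
// Added illustration, not Nomulus code: the IDOR check and the bulk-size guard
// from the commit message, against a hypothetical RegistrarUserStore lookup.
import java.util.List;
import java.util.Map;
import java.util.Optional;

public final class ConsoleActionGuards {

  /** Hypothetical lookup of which registrar a console user's email belongs to. */
  public interface RegistrarUserStore {
    Optional<String> registrarIdForEmail(String email);
  }

  /**
   * IDOR check for the password-reset actions: the caller may only act on a user
   * whose email belongs to the registrarId the caller is authorized for.
   */
  public static void requireEmailBelongsToRegistrar(
      RegistrarUserStore store, String authorizedRegistrarId, String targetEmail) {
    Optional<String> owner = store.registrarIdForEmail(targetEmail);
    // Unknown users and cross-registrar targets get the same error, so the
    // response does not reveal which registrar an email belongs to.
    if (owner.isEmpty() || !owner.get().equals(authorizedRegistrarId)) {
      throw new SecurityException("Target user is not managed by this registrar");
    }
  }

  /**
   * Bulk-size guard for the bulk domain action: fail before any work is
   * scheduled, so an oversized list cannot exhaust the thread pool.
   */
  public static void requireWithinBulkLimit(List<String> domainNames, int maxBulkDomains) {
    if (domainNames.size() > maxBulkDomains) {
      throw new IllegalArgumentException(
          "Bulk request of " + domainNames.size() + " domains exceeds limit of " + maxBulkDomains);
    }
  }

  public static void main(String[] args) {
    // Constructed sample data: two users belonging to two different registrars.
    Map<String, String> users =
        Map.of("alice@example.test", "TheRegistrar", "bob@example.test", "OtherRegistrar");
    RegistrarUserStore store = email -> Optional.ofNullable(users.get(email));
    requireEmailBelongsToRegistrar(store, "TheRegistrar", "alice@example.test"); // allowed
    try {
      requireEmailBelongsToRegistrar(store, "TheRegistrar", "bob@example.test"); // rejected
    } catch (SecurityException e) {
      System.out.println("rejected: " + e.getMessage());
    }
    requireWithinBulkLimit(List.of("a.test", "b.test"), 500); // default limit from the commit
  }
}
```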
ConsoleWebapp
A web application for managing Nomulus.
Status
Console webapp is currently under active development and some parts of it are expected to change.
Deployment
The webapp is deployed as part of the default Nomulus GKE service image. During the image build task, the Gradle script triggers the following:
- Console webapp build script buildConsoleWebapp, which installs dependencies and assembles a compiled (TypeScript -> JavaScript), minified, optimized static artifact (HTML, CSS, JS)
- The artifact assembled in step 1 is then copied to the Jetty webapp resource location so that it can be staged inside the default GKE service container.
Development server
Run npm run start:dev to start both the webapp dev server and an API server instance.
Navigate to http://localhost:4200/. The application will automatically reload
if you change any of the source files.
Code scaffolding
Run ng generate component component-name to generate a new component. You can
also use ng generate directive|pipe|service|class|guard|interface|enum|module.
Build
Run ng build to build the project. The build artifacts will be stored in
the dist/ directory.
Running unit tests
Run ng test to execute the unit tests
via Karma.
Running end-to-end tests
Run ng e2e to execute the end-to-end tests via a platform of your choice. To
use this command, you need to first add a package that implements end-to-end
testing capabilities.
Further help
To get more help on the Angular CLI use ng help or go check out
the Angular CLI Overview and Command Reference page.