Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Identity Server 8 - Release/8.0.4 #34

Merged
merged 64 commits into from
Feb 17, 2024
Merged

Identity Server 8 - Release/8.0.4 #34

merged 64 commits into from
Feb 17, 2024

Conversation

alexhiggins732
Copy link
Owner

@alexhiggins732 alexhiggins732 commented Feb 17, 2024
edited
Loading

Identity Server 8 - Release [8.0.4] - 2024-02-17

Identity Server 8.0.4 is a security release that addresses hundreds of security vulnerabilities in the IdentityServer8 code base. We recommend that you update to this version.

Fix over 100+ security vulnerabilities in the IdentityServer8 code base:
#17 Unsafe expansion of self-closing HTML tag
#18 URL redirection from remote source
#19 DOM text reinterpreted as HTML
#20 Incomplete string escaping or encoding
#21 Inefficient regular expression bug dependencies
#22 Bad HTML filtering regexp bug dependencies
#23 User-controlled bypass of sensitive method bug
#24 Unsafe jQuery plugins bug dependencies

Additionally, the codebase has been refactored to use the latest DotNet 8 features and best practices.

This includes refactoring in #25 and consolidation of reused code that removes and additional 250,000 lines of code, bringing the total lines of redundant code removed from the codebase to 1 million lines of code from the base. Unit Test code coverage is now at 90% of the main code base.

  • Convert Top Level usings
  • Convert Implicit usings.
  • Samples use shared API and MVC projects to reduce code duplication and need to maintain dozens of copies of the same cod

@alexhiggins732
Update old clients to DotNet 8 and use LibMan for client side packages
cf090eb
@alexhiggins732
Untrack client packages in old MVC client samples.
11363c9
@alexhiggins732
Update .gitignore.
59b8e7f
@alexhiggins732
delete client packages
29b1b9a
@alexhiggins732
Merge develop into feature/upgrade-old-clients.
593c3cb
@alexhiggins732
Merge pull request #15 from alexhiggins732/feature/upgrade-old-client…
9616ecb 
…s-to-dotnet8

Feature/upgrade old clients to dotnet8
@alexhiggins732
Guard against Xss in Redirect.cshtml using signin-redirect.js
1c05069
@alexhiggins732
Merge branch 'develop' of https://github.com/alexhiggins732/IdentityS…
484454b 
…erver8 into develop
@alexhiggins732
All Redirect Service pipeline to injection Allowed Redirect Validatio…
46b48da 
…n of return urls supplied by user input.
@alexhiggins732
Sanitize redirect url from user input.
41de59f
@alexhiggins732
Add sanitization for relative and absolute uris.
a4134f6
@alexhiggins732
Apply Security fixes to Quickstart Consent and Account Controllers an…
ba7e242 
…d Login view.
@alexhiggins732
Convert top level usings in made code base.
ca681f4
@alexhiggins732
Convert Security and Storage Projects to Implicit Usings.
07cada2
@alexhiggins732
Publish alpha build.
e848f84
@alexhiggins732
Merge branch 'feature/implicit-usings' into develop
734db87
@alexhiggins732
Remove additional client frameworks.
759b6a6
@alexhiggins732
Normalize Line Endings
83274fc
@alexhiggins732
Convert IdentityServer main project to implicit usings.
b89c0c6
@alexhiggins732
Implicit Usings Identity Server Host and lint code cleanup.
511189e
@alexhiggins732
Convert IdentityServer.EntityFramework to implicit usings.
19b62e6
@alexhiggins732
Convert EntityFramework.Storage Migrations\SqlServer to implicit usings.
055592d
@alexhiggins732
Convert IdentityServer.EntityFramework.Storage.ConsoleHost to Implici…
4fd8b70 
…tUsings.
@alexhiggins732
Convert IdentityServer.EntityFramework library to ImplicitUsings.
21f820c
@alexhiggins732
Convert IdentityServer.AspNetIdentity to ImplicitUsings.
b9183cd
@alexhiggins732
Convert IdentityServer.AspnetIdentity.Host to ImplicitUsings.
d0c5d6a
@alexhiggins732
Convert IdentityServer.AspNetIdentity.Sqlerver.Migrations to Implicit…
55b3af4 
…Usings
@alexhiggins732
Update license header.
24e457a
@alexhiggins732
Merge pull request #16 from alexhiggins732/feature/implicit-usings
e60b751 
Feature/implicit usings
@alexhiggins732
#25 Convert clients to Dotnet 8 top-level with solution wide GlobalUs…
10e9a92 
…ings
@codecov Codecov
Copy link

codecov bot commented Feb 17, 2024

Welcome to Codecov 🎉

Once merged to your default branch, Codecov will compare your coverage reports and display the results in this comment.

Thanks for integrating Codecov - We've got you covered ☂️

@alexhiggins732 alexhiggins732 merged commit b0d1155 into master Feb 17, 2024
8 checks passed
@alexhiggins732 alexhiggins732 self-assigned this Feb 17, 2024
@alexhiggins732 alexhiggins732 added bug Something isn't working documentation Improvements or additions to documentation enhancement New feature or request dependencies Pull requests that update a dependency file labels Feb 17, 2024
This was linked to issues Feb 17, 2024
Identity Server Security Bug: Unsafe expansion of self-closing HTML tag #17
Closed
Identity Server Security Bug: DOM text reinterpreted as HTML #19
Open
Identity Server Security Bug: Incomplete string escaping or encoding #20
Open
Identity Server Security Bug: Inefficient regular expression #21
Open
Identity Server Security Bug: Bad HTML filtering regexp #22
Open
Identity Server Security Bug: Unsafe jQuery plugins #24
Open
Upgrade IdentityServer8 Samples To Use DotNet 8 Style Projects #25
Open
Identity Server 8 Support #26
Closed
IdentityServer8 Documentation on the ReadTheDocs - identityServer8.readthedocs.io #27
Open
@alexhiggins732 alexhiggins732 mentioned this pull request Feb 17, 2024
Closed
11 tasks
@alexhiggins732 alexhiggins732 mentioned this pull request Feb 14, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@alexhiggins732 alexhiggins732

Labels
bug Something isn't working dependencies Pull requests that update a dependency file documentation Improvements or additions to documentation enhancement New feature or request
Projects
None yet
Milestone
Patched DotNet8 Top-Level Statements ...
1 participant
@alexhiggins732