Rebase from ednx-release/mango.master #782

Closed
wants to merge 38 commits into from

Conversation

ErickMurillo

No description provided.

attiyaIshaque and others added 30 commits February 24, 2022 17:17
Backport of commit b51f65d from master/ PR #30051
fix: Backport some required changes to the CI workflow
ARCHBOM-2073

Backported from master commit 7c7d7d8/PR #30112.
The versions of pylint are different on master and Maple; pylint 2.11
stops complaining about this line. Just disable the check for the
backported code.
The only use is a GET request in admin portal so this view need not be
post/put friendly right now. It may actually get removed in an upcoming
iteration, or stay readonly.

Fixes: SEC-1418

Backported from 283141a
This is a backport from parts of 29e5071 and 9fa7980; not bringing in all
of 8b77596 (rename of blacklist to ignorelist) since that would expand the
scope of this PR too much, and the next release is coming up soon anyhow.
Previously, our rate-limiting code trusted the entire `X-Forwarded-For`
header, allowing a malicious client to spoof that header and evade
rate-limiting. This commit introduces a new module and setting
allowing us to make a more conservative choice of IPs.

- Create new `openedx.core.djangoapps.util.ip` module for producing
  the IP "external chain" for requests based on the XFF header and the
  REMOTE_ADDR.
- Include a function that gives the safest choice of IPs.
- Add new setting `CLOSEST_CLIENT_IP_FROM_HEADERS` for configuring how
  the external chain is derived (i.e. setting the trust
  boundary). Currently has a default, but we may want to make it
  mandatory in the future.
- Change `django-ratelimit` code to use the proximate IP in the external
  chain -- the one just outside the trust boundary.

Also:

- Change `XForwardedForMiddleware` to use more conservative choice for
  its `REMOTE_ADDR` override
- Other adjustments to `XForwardedForMiddleware` as needed in order to
  initialize new module and support code that needs the real
  `REMOTE_ADDR` value
- Metrics for observability into the change (and XFF composition)
- Feature switch to restore legacy mode if needed

This also gives us a path forward to removing use of the django-ipware
package, which is no longer maintained and has a handful of bugs that make it
difficult to use safely.

Internal ticket: ARCHBOM-2056

Backported from a251d18
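To make the trust-boundary choice described in this commit concrete, here is an added stand-alone illustration; it is not the project's `openedx.core.djangoapps.util.ip` module and does not reproduce the real format of `CLOSEST_CLIENT_IP_FROM_HEADERS`. It builds the "external chain" from the XFF header plus `REMOTE_ADDR` and contrasts the legacy first-entry choice with the proximate IP just outside an assumed number of trusted proxies; `TRUSTED_PROXY_COUNT`, the function names and the sample addresses are assumptions constructed for the example.

```python
"""Derive the X-Forwarded-For "external chain" and pick the IP just outside
the trust boundary, instead of trusting whatever the client put in the header.
Added illustration only: names and the meaning of TRUSTED_PROXY_COUNT are
assumptions, not the project's actual API or setting format."""
import ipaddress

# Assumption for this example: the number of proxies we operate in front of
# the app (load balancer, etc.); each appends one entry to X-Forwarded-For.
TRUSTED_PROXY_COUNT = 1


def external_chain(xff_header, remote_addr):
    """Full hop list as the app sees it: XFF entries (leftmost = farthest
    from us, as claimed by whoever wrote them) followed by REMOTE_ADDR,
    the peer that actually opened the TCP connection to us."""
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    hops.append(remote_addr)
    return hops


def legacy_client_ip(xff_header, remote_addr):
    """The old, unsafe choice: the first entry of the chain. A client can
    write anything there, so a rate limit keyed on it can be evaded."""
    return external_chain(xff_header, remote_addr)[0]


def proximate_client_ip(xff_header, remote_addr, trusted=TRUSTED_PROXY_COUNT):
    """The IP just outside the trust boundary: walk back `trusted` hops from
    REMOTE_ADDR. Entries farther left were supplied by untrusted parties and
    are ignored. If the chosen entry is not a valid address (a proxy
    misbehaved or the request bypassed the proxies), fall back to REMOTE_ADDR,
    which is at least a real peer address."""
    chain = external_chain(xff_header, remote_addr)
    idx = max(0, len(chain) - 1 - trusted)
    candidate = chain[idx]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return remote_addr
    return candidate


if __name__ == "__main__":
    # Constructed request: real client 203.0.113.9 connects through our one
    # trusted proxy 10.0.0.5 but sends a forged XFF entry of its own first.
    forged = "198.51.100.1, 203.0.113.9"
    print(legacy_client_ip(forged, "10.0.0.5"))     # 198.51.100.1 (forged)
    print(proximate_client_ip(forged, "10.0.0.5"))  # 203.0.113.9 (real)
```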
The logic here seems to work, but Django 4.0 won't install over our
other pinned requirements, so tests fail for Django 4.0.

(cherry picked from commit e7caec5)
Implements a feature flag DISABLE_UNENROLLMENT that is used to disable students' un-enrollment for all courses. The Unenrollment option should be disabled when this feature is set to True.

ref: BB-4951

Co-authored-by: tinumide <[email protected]>
Co-authored-by: Tim McCormack <[email protected]>
(cherry picked from commit da4a6d6)
The target URL on the logout page is marked as safe while rendering,
making the page vulnerable to a Cross-site scripting vulnerability.

Rendered the target variable outside safe HTML so that it should be
treated as text.

VAN-972
…ng assets (#30309)

* fix: Pin npm package @edx/studio-frontend to 1.17.0

* fix: pin npm package @edx/studio-frontend to 1.17.0 to fix missing assets issue

* fix: Update npm package @edx/studio-frontend to 1.19.1

* fix: run npm install

* fix: recreate package-lock.json
[BACKPORT] fixup! feat: options for excluding courses from search (#28518)
Backport filters that didn't make it to nutmeg release:

* Add filter before certificate creation starts

- Add filters interactions with code that used generate_certificate_task
- Add unit-testing for filters
- Upgrade to latest library update

(cherry picked from commit e8fa890)

* Add cohort change filter before moving users from cohorts

(cherry picked from commit 465e5c0)

* Add filter before certificate rendering process starts

(cherry picked from commit 7f974d1)

* Add filter before course dashboard rendering process starts

- Add dashboard filter to dashboard student's view
- Add tests/docs for filter's integration

(cherry picked from commit 895a649)

* Add filter before course about rendering process starts

(cherry picked from commit ccfa0b4)

* Integrate cohort assignment filter definition to cohort model

(cherry picked from commit ec69659)
* Add PreEnrollmentFilter
* Add PreRegisterFilter
* Add PreLoginFilter
feat: backport HomepageRenderStarted and CatalogRenderStarted filters
…lters

DS-228-backport HomepageRenderStarted and CatalogRenderStarted filters
Alec4r and others added 8 commits October 10, 2022 07:59
These changes should improve the performance caused by the file I/O
when it's running in docker, using lru_cache to save thousands of calls to listdir
when running with a handful of themes defined in COMPREHENSIVE_THEME_DIRS.
…-xblock

fix: update xblock-drag-and-drop for a high level security alert
Merge pull request #32032 from raccoongang/sagirov/tCRIL_GA-18

[FC-0014] Add GA 4 support to edX platform

Co-authored-by: Brian Mesick <[email protected]>