Activities of "jogoertzen"

  • ABP Framework version: v4.3.3
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace:

There is no exception message, but the auth-server logs contain the following information that seems to indicate that the user is not authorized to access /api/account/profile-picture.

[auth-server_f3e6eab0-2]: [14:36:07 INF] Request starting HTTP/1.1 POST https://localhost:44322/api/account/profile-picture application/json 822772
[auth-server_f3e6eab0-2]: [14:36:07 INF] CORS policy execution successful.
[auth-server_f3e6eab0-2]: [14:36:07 DBG] CORS request made for path: /api/account/profile-picture from origin: http://localhost:4200 but was ignored because path was not for an allowed IdentityServer CORS endpoint
[auth-server_f3e6eab0-2]: [14:36:07 INF] No CORS policy found for the specified request.
[auth-server_f3e6eab0-2]: [14:36:07 INF] Authorization failed. These requirements were not met:
[auth-server_f3e6eab0-2]: DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
[auth-server_f3e6eab0-2]: [14:36:07 INF] AuthenticationScheme: Identity.Application was challenged.
[auth-server_f3e6eab0-2]: [14:36:07 INF] Request finished HTTP/1.1 POST https://localhost:44322/api/account/profile-picture application/json 822772 - 302 0 - 8.0785ms
  • Steps to reproduce the issue:
    • Generate a new microservice solution via abp suite v4.3.3 with the options below

    • Run out\MyProject\etc\docker\up.ps1
    • Run tye run in out\MyProject
    • Open Chrome browser on http://localhost:4200
    • Login as admin / 1q2w3E*
    • Click admin > Manage your profile > Profile picture > Upload File > Choose File > Pick an image file > Save Changes > Yes
    • Observe error below

Note: The Microsoft.EntityFrameworkCore.Tools package was recently upgraded to 5.0.8, which seemed to cause version conflicts with 5.0.7 during the build. I worked around the issue by downgrading to 5.0.7 and editing any .csproj files that contained version 5.0.*, replacing it with 5.0.7 explicitly.

They were also able to provide a screenshot from the Palo Alto Threat Vault. :)

They gave me this: https://nvd.nist.gov/vuln/detail/CVE-2010-1812

Thanks, albert.

I reached out to our firewall team to see if they can provide the report you requested.

Running this command...

abp new Foo -t app-pro

...results in this error.

[14:59:07 INF] ABP CLI (https://abp.io)
[14:59:08 INF] Version 4.3.3 (Stable)
[14:59:09 INF] Creating your project...
[14:59:09 INF] Project name: Foo
[14:59:09 INF] Template: app-pro
[14:59:09 INF] Output folder: C:\Users\jogoertzen\temp1
[14:59:11 INF] Downloading template: app-pro, version: 4.3.3
Error occured while downloading source-code from https://abp.io/api/download/template/ :
Error while copying content to a stream.
[14:59:43 ERR] Error while copying content to a stream.
System.Net.Http.HttpRequestException: Error while copying content to a stream.
 ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host..
 ---> System.Net.Sockets.SocketException (10054): An existing connection was forcibly closed by the remote host.
   --- End of inner exception stack trace ---
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.ThrowException(SocketError error, CancellationToken cancellationToken)
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.GetResult(Int16 token)
   at System.Net.Security.SslStream.ReadAsyncInternal[TIOAdapter](TIOAdapter adapter, Memory`1 buffer)
   at System.Net.Http.HttpConnection.FillAsync(Boolean async)
   at System.Net.Http.HttpConnection.CopyToContentLengthAsync(Stream destination, Boolean async, UInt64 length, Int32 bufferSize, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnection.ContentLengthReadStream.CompleteCopyToAsync(Task copyTask, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionResponseContent.SerializeToStreamAsync(Stream stream, TransportContext context, CancellationToken cancellationToken)
   at System.Net.Http.HttpContent.LoadIntoBufferAsyncCore(Task serializeToStreamTask, MemoryStream tempBuffer)
   --- End of inner exception stack trace ---
   at System.Net.Http.HttpContent.LoadIntoBufferAsyncCore(Task serializeToStreamTask, MemoryStream tempBuffer)
   at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
   at Volo.Abp.Cli.ProjectBuilding.AbpIoSourceCodeStore.DownloadSourceCodeContentAsync(SourceCodeDownloadInputDto input) in D:\ci\Jenkins\workspace\abp-framework-release\abp\framework\src\Volo.Abp.Cli.Core\Volo\Abp\Cli\ProjectBuilding\AbpIoSourceCodeStore.cs:line 208
   at Volo.Abp.Cli.ProjectBuilding.AbpIoSourceCodeStore.GetAsync(String name, String type, String version, String templateSource, Boolean includePreReleases) in D:\ci\Jenkins\workspace\abp-framework-release\abp\framework\src\Volo.Abp.Cli.Core\Volo\Abp\Cli\ProjectBuilding\AbpIoSourceCodeStore.cs:line 112
   at Volo.Abp.Cli.ProjectBuilding.TemplateProjectBuilder.BuildAsync(ProjectBuildArgs args) in D:\ci\Jenkins\workspace\abp-framework-release\abp\framework\src\Volo.Abp.Cli.Core\Volo\Abp\Cli\ProjectBuilding\TemplateProjectBuilder.cs:line 56
   at Volo.Abp.Cli.Commands.NewCommand.ExecuteAsync(CommandLineArgs commandLineArgs) in D:\ci\Jenkins\workspace\abp-framework-release\abp\framework\src\Volo.Abp.Cli.Core\Volo\Abp\Cli\Commands\NewCommand.cs:line 192
   at Volo.Abp.Cli.CliService.RunAsync(String[] args) in D:\ci\Jenkins\workspace\abp-framework-release\abp\framework\src\Volo.Abp.Cli.Core\Volo\Abp\Cli\CliService.cs:line 59

It turns out our firewall is blocking the download due to a high severity vulnerability in the file tui-editor-Editor-full.js called Apple Safari WebKit Selections Use-After-Free Vulnerability.

I have a few questions.

  • Are you aware of this?
  • Is there anything you can do to fix it?
  • Is there anything we can do to work around it?

I have yet to find much information regarding this vulnerability, so any information you can provide would be appreciated.

Thanks!

Is there a way to generate a dependency graph of all AbpModules that appear in DependsOn attributes throughout the solution?

For example, I can look at the direct dependencies of a particular module rather easily.

And I can drill down into any one of those modules as well.

But I was hoping there was a way to show the entire hierarchy of modules that are actually used in all the projects in a solution all at once.

Something like this would be nice.

Thanks.
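
One way to get the solution-wide view asked for above, as an added example that is not part of the original post or of ABP's own tooling: a Python script that scans C# source for DependsOn(typeof(...)) attributes and emits a Graphviz DOT graph. It assumes module class names are unique across the solution and reads source text only, so dependencies declared inside referenced packages are not expanded; the function names and the sample source are constructed for illustration.

```python
import re
from pathlib import Path

COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
# DependsOn( typeof(A), typeof(B) ) with any whitespace or line breaks
DEPENDS_ON = r"\bDependsOn\s*\(((?:\s*typeof\s*\(\s*[\w.]+\s*\)\s*,?)+)\s*\)"
TOKEN = re.compile(DEPENDS_ON + r"|\bclass\s+(\w+)")
TYPEOF = re.compile(r"typeof\s*\(\s*([\w.]+)\s*\)")

def scan_source(text, graph=None):
    """Add module -> {dependencies} edges found in one C# source text."""
    graph = {} if graph is None else graph
    pending = set()                       # attributes seen since the last class
    for m in TOKEN.finditer(COMMENT.sub("", text)):
        if m.group(1) is not None:        # a DependsOn(...) argument list
            # Assumption: module class names are unique, so drop the namespace.
            pending |= {t.rsplit(".", 1)[-1] for t in TYPEOF.findall(m.group(1))}
        elif pending:                     # the class those attributes decorate
            graph.setdefault(m.group(2), set()).update(pending)
            pending = set()
    return graph

def scan_solution(root):
    """Scan every .cs file under root, skipping bin/ and obj/ build output."""
    graph = {}
    for path in Path(root).rglob("*.cs"):
        if not {"bin", "obj"} & set(path.relative_to(root).parts):
            scan_source(path.read_text(encoding="utf-8-sig", errors="replace"), graph)
    return graph

def to_dot(graph):
    """Graphviz DOT text; dashed nodes have no DependsOn in the scanned source."""
    leaves = {d for deps in graph.values() for d in deps} - set(graph)
    lines = [f'  "{n}" [style=dashed];' for n in sorted(leaves)]
    lines += [f'  "{m}" -> "{d}";' for m in sorted(graph) for d in sorted(graph[m])]
    return "\n".join(["digraph AbpModules {", "  rankdir=LR;", *lines, "}"])

# Constructed sample source, not taken from a real solution.
SAMPLE = """
[DependsOn(
    typeof(FooDomainModule),
    typeof(Volo.Abp.Identity.AbpIdentityApplicationModule))]
public class FooApplicationModule : AbpModule { }
// [DependsOn(typeof(RemovedModule))]
[DependsOn(typeof(AbpDddDomainModule))]
[DependsOn(typeof(FooDomainSharedModule))]
public class FooDomainModule : AbpModule { }
"""
```

Writing the result of `to_dot(scan_solution(...))` to a `.dot` file and rendering it with Graphviz gives the whole hierarchy in one picture; the dashed nodes are typically the package modules.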

Made with ❤️ on ABP v9.1.0-rc.1. Updated on January 17, 2025, 14:13