Merge pull request #3509 from 2sic/develop

Release 18.04

Src/Data/App_Data/system/bundles/system-decorators.json

@@ -5360,7 +5360,7 @@
             },
             {
               "Id": 183819,
-              "Version": 3,
+              "Version": 4,
               "Guid": "46b375ba-3a11-4f04-8faf-33ef4ef5b29a",
               "Type": {
                 "Id": "772dfff1-b236-4aa9-8359-5f53c08ff7bf",
@@ -5369,7 +5369,7 @@
               "Attributes": {
                 "String": {
                   "Formula": {
-                    "en-us": "// if parameters has a forView then take that, otherwise default to false\nv2((data, context) => {\n  console.log('debug 2dm lightspeed', data.parameters, data);\n  return { \n    value: data.parameters.forView == 'true', // defaults to false\n    stop: true,\n  }\n});"
+                    "en-us": "// if parameters has a forView then take that, otherwise default to false\nv2((data, context) => {\n  return { \n    value: data.parameters.forView == 'true', // defaults to false\n    stop: true,\n  }\n});"
                   },
                   "Target": {
                     "en-us": "Field.Settings.Visible"

Src/Dnn/ToSic.Sxc.Dnn.Core/Dnn/Web/DnnJsApiService.cs

@@ -3,14 +3,15 @@
 using System.Text.RegularExpressions;
 using System.Web;
 using System.Web.Helpers;
+using ToSic.Eav.Security.Encryption;
 using ToSic.Lib.Services;
 using ToSic.Sxc.Context;
 using ToSic.Sxc.Web.Internal.JsContext;
 
 namespace ToSic.Sxc.Dnn.Web;
 
-internal class DnnJsApiService(JsApiCacheService jsApiCache)
-    : ServiceBase("DnnJsAPi", connect: [jsApiCache]), IJsApiService
+internal class DnnJsApiService(JsApiCacheService jsApiCache, RsaCryptographyService rsaCryptographyService)
+    : ServiceBase("DnnJsAPi", connect: [jsApiCache, rsaCryptographyService]), IJsApiService
 {
     public const string PortalIdParamName = "portalId";
 
@@ -23,6 +24,7 @@ public JsApi GetJsApi(int? pageId = null, string siteRoot = null, string rvt = n
         // pageId and siteRoot are provided only in very special case for EditUI in /DesktopModules/.../...aspx
 
         string SiteRootFn() => siteRoot ?? ServicesFramework.GetServiceFrameworkRoot();
+        string SecureEndpointPrimaryKeyFn() => rsaCryptographyService.PublicKey;
 
         return jsApiCache.JsApiJson(
             platform: PlatformType.Dnn.ToString(),
@@ -32,7 +34,8 @@ public JsApi GetJsApi(int? pageId = null, string siteRoot = null, string rvt = n
             appApiRoot: () => GetApiRoots(SiteRootFn()).AppApiRoot,
             uiRoot: () => VirtualPathUtility.ToAbsolute(DnnConstants.SysFolderRootVirtual),
             rvtHeader: DnnConstants.AntiForgeryTokenHeaderName,
-            rvt: AntiForgeryToken,
+            rvt: AntiForgeryToken, 
+            secureEndpointPublicKey: SecureEndpointPrimaryKeyFn,
             dialogQuery: $"{PortalIdParamName}={PortalSettings.Current.PortalId}"
         );
     }

Src/Dnn/ToSic.Sxc.Dnn.WebApi/Dnn/WebApi/Internal/SecureEndpoint/SecureEndpointAttribute.cs

@@ -0,0 +1,84 @@
+using System.IO;
+using System.Linq;
+using System.Net;
+using System.Net.Http.Headers;
+using System.Text;
+using System.Text.Json;
+using System.Web.Http.Controllers;
+using System.Web.Http.Dependencies;
+using System.Web.Http.Filters;
+using ToSic.Eav.Security.Encryption;
+using ToSic.Eav.Serialization;
+
+namespace ToSic.Sxc.Dnn.WebApi.Internal.SecureEndpoint
+{
+    public class SecureEndpointAttribute(string mediaType = "application/json") : ActionFilterAttribute
+    {
+        public override void OnActionExecuting(HttpActionContext filterContext)
+        {
+            var request = filterContext.Request;
+
+            if (request.Method == HttpMethod.Post && request.Content.Headers.ContentType.MediaType == mediaType)
+            {
+                var encryptedDataJson = ReadEncryptedData(request);
+                if (string.IsNullOrEmpty(encryptedDataJson))
+                {
+                    filterContext.Response = request.CreateErrorResponse(HttpStatusCode.BadRequest, "Request content is empty.");
+                    return;
+                }
+
+                var encryptedData = JsonSerializer.Deserialize<EncryptedData>(encryptedDataJson, options: JsonOptions.SafeJsonForHtmlAttributes);
+                // "duck typing" check
+                if (encryptedData.Version == 1 && encryptedData.Data is null && encryptedData.Key is null && encryptedData.Iv is null) // 
+                    return;
+
+                // Determine the parameter name and type dynamically.
+                // Find parameter that has FromBody attribute on it,
+                // or param that is not a value type.
+                var parameter = filterContext.ActionDescriptor.GetParameters()
+                    .FirstOrDefault(p => p.GetCustomAttributes<FromBodyAttribute>().Any() || !p.ParameterType.IsValueType);
+                if (parameter == null)
+                {
+                    filterContext.Response = request.CreateErrorResponse(HttpStatusCode.BadRequest, "No parameter found for action.");
+                    return;
+                }
+
+                var decryptedData = Decrypt(filterContext.Request.GetDependencyScope(), encryptedData);
+
+                try
+                {
+                    // Validate that decrypted data is valid JSON
+                    var formData = JsonSerializer.Deserialize(decryptedData, parameter.ParameterType, options: JsonOptions.SafeJsonForHtmlAttributes);
+
+                    // Replace the request content with the deserialized object
+                    filterContext.ActionArguments[parameter.ParameterName] = formData;
+                    request.Content = new StreamContent(new MemoryStream(Encoding.UTF8.GetBytes(decryptedData)));
+                    request.Content.Headers.ContentType = new MediaTypeHeaderValue("application/json");
+                    //filterContext.Request.Content = new ObjectContent(parameter.ParameterType, formData, parameter.Configuration.Formatters.JsonFormatter);
+                }
+                catch (JsonException)
+                {
+                    // Handle invalid JSON format
+                    filterContext.Response = request.CreateErrorResponse(HttpStatusCode.BadRequest, "Invalid JSON format after decryption.");
+                    return;
+                }
+            }
+
+            base.OnActionExecuting(filterContext);
+        }
+
+        private static string ReadEncryptedData(HttpRequestMessage request)
+        {
+            var stream = request.Content.ReadAsStreamAsync().Result;
+            stream.Position = 0;
+            using var reader = new StreamReader(stream);
+            return reader.ReadToEnd();
+        }
+
+        private static string Decrypt(IDependencyScope dependencyScope, EncryptedData encryptedData)
+        {
+            var cryptoService = (AesHybridCryptographyService)dependencyScope.GetService(typeof(AesHybridCryptographyService));
+            return cryptoService.Decrypt(encryptedData);
+        }
+    }
+}

Src/Dnn/ToSic.Sxc.Dnn/DnnPackageBuilder/ReleaseNotes.txt

@@ -1,5 +1,5 @@
 <dl>
-    <dt>v18.03.00</dt>
+    <dt>v18.04.00</dt>
     <dd>Part of module installation is the deletion of unneeded data. In an infrequent case, You could get a 
     timeout exception. This is not a show-stopper. Simply reload the page so DNN can continue clean-up 
     until all unnecessary data is deleted and the module is installed.</dd>

Src/Dnn/ToSic.Sxc.Dnn/DnnPackageBuilder/ToSic.Sxc.Dnn.dnn

@@ -1,6 +1,6 @@
 <dotnetnuke type="Package" version="5.0">
   <packages>
-    <package name="2SexyContent" type="Module" version="18.03.00">
+    <package name="2SexyContent" type="Module" version="18.04.00">
       <friendlyName> Content</friendlyName>
       <description>2sxc is a DNN Extension to create attractive and designed content. It solves the common problem, allowing the web designer to create designed templates for different content elements, so that the user must only fill in fields and receive a perfectly designed and animated output.</description>
       <iconFile>icon.png</iconFile>
@@ -74,7 +74,7 @@
             <script type="UnInstall">
               <path>SqlDataProvider</path>
               <name>Uninstall.SqlDataProvider</name>
-              <version>18.03.00</version>
+              <version>18.04.00</version>
             </script>
           </scripts>
         </component>
@@ -125,7 +125,7 @@
               <businessControllerClass>ToSic.SexyContent.DnnBusinessController</businessControllerClass>
               <desktopModuleID>[DESKTOPMODULEID]</desktopModuleID>
               <!-- This must contain all versions which have upgrade-code. By convention, we also add the main entry versions, even if no upgrade code exists for them -->
-              <upgradeVersionsList>01.00.00,08.11.00,08.12.00,09.00.00,10.00.00,11.00.00,12.00.00,13.00.00,13.01.00,13.04.00,14.00.00,15.00.00,15.02.00,16.00.00,16.07.01,17.00.00,18.00.00,18.03.00</upgradeVersionsList>
+              <upgradeVersionsList>01.00.00,08.11.00,08.12.00,09.00.00,10.00.00,11.00.00,12.00.00,13.00.00,13.01.00,13.04.00,14.00.00,15.00.00,15.02.00,16.00.00,16.07.01,17.00.00,18.00.00,18.04.00</upgradeVersionsList>
             </attributes>
           </eventMessage>
         </component>
@@ -632,7 +632,7 @@
       </components>
     </package>
 
-    <package name="2SexyContent-App" type="Module" version="18.03.00">
+    <package name="2SexyContent-App" type="Module" version="18.04.00">
       <friendlyName> App</friendlyName>
       <description>2sxc App is an extension that allows to install and use a 2sxc app.</description>
       <iconFile>icon-app.png</iconFile>

Src/Dnn/ToSic.Sxc.Dnn/StartUp/StartupDnn.cs

@@ -58,7 +58,8 @@ public bool Configure()
         globalConfig.GlobalFolder = HostingEnvironment.MapPath(DnnConstants.SysFolderRootVirtual);
         globalConfig.AssetsVirtualUrl = DnnConstants.SysFolderRootVirtual + "assets/";
         globalConfig.SharedAppsFolder = "~/Portals/_default/" + AppConstants.AppsRootFolder + "/";
-        globalConfig.TempAssemblyFolder = HostingEnvironment.MapPath($"~/{Eav.Constants.AppDataProtectedFolder}/{Eav.Constants.TempAssemblyFolder}/");
+        globalConfig.TempAssemblyFolder = HostingEnvironment.MapPath($"~/{Eav.Constants.AppDataProtectedFolder}/{Eav.Constants.TempAssemblyFolder}/"); // ".../App_Data/2sxc.bin"
+        globalConfig.CryptoFolder = HostingEnvironment.MapPath($"~/{Eav.Constants.AppDataProtectedFolder}/{Eav.Constants.CryptoFolder}/");
 
         var sxcSysLoader = transientSp.Build<SystemLoader>();
         sxcSysLoader.StartUp();

Src/Oqtane/ToSic.Sxc.Oqt.Client/Content/ModuleInfo.cs

@@ -34,7 +34,7 @@ public class ModuleInfo : IModule
     /// The SQL versions must use a "-" to avoid being replaced on search/replace when releasing a new version.
     /// When SQL script is added in new version, include new version explicitly in this array.
     /// </summary>
-    internal static string[] SqlScriptVersions = ["0-0-1", "12-00-00", "12-02-01", "12-05-00", "13-00-00", "13-01-00", "15-00-00", "16-07-01", "18-02-01"];
+    internal static string[] SqlScriptVersions = ["0-0-1", "12-00-00", "12-02-01", "12-05-00", "13-00-00", "13-01-00", "15-00-00", "16-07-01", "18-03-00"];
 
     /// <summary>
     /// Merge versions for use in Oqtane version list

Src/Oqtane/ToSic.Sxc.Oqt.Package/ToSic.Sxc.Oqtane.Install.nuspec

@@ -2,7 +2,7 @@
 <package>
   <metadata>
     <id>ToSic.Sxc.Oqtane.Install</id>
-    <version>18.03.00</version>
+    <version>18.04.00</version>
     <authors>2sic internet solutions GmbH, Switzerland</authors>
     <owners>2sic internet solutions GmbH, Switzerland</owners>
     <title>2sxc CMS and Meta-Module for Oqtane</title>
@@ -57,6 +57,8 @@
     <file src="..\ToSic.Sxc.Oqt.Server\bin\Release\net8.0\Microsoft.CodeAnalysis.Razor.dll" target="lib\net8.0" />
     <!-- Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation transitive dependency -->
     <file src="..\ToSic.Sxc.Oqt.Server\bin\Release\net8.0\Microsoft.Extensions.DependencyModel.dll" target="lib\net8.0" />
+    <!-- ToSic.Sxc dependency -->
+    <file src="..\ToSic.Sxc.Oqt.Server\bin\Release\net8.0\System.Runtime.Caching.dll" target="lib\net8.0" />
 
     <!-- ToSic.Imageflow.Oqtane v1.11.0 -->
     <file src="..\..\packages\tosic.imageflow.oqtane\1.11.0\lib\net7.0\ToSic.Imageflow.Oqt.Server.Oqtane.dll" target="lib\net8.0" />

Src/Oqtane/ToSic.Sxc.Oqt.Server/Blocks/Output/OqtJsApiService.cs

@@ -1,6 +1,7 @@
 using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Http;
 using ToSic.Eav.Plumbing;
+using ToSic.Eav.Security.Encryption;
 using ToSic.Lib.Services;
 using ToSic.Sxc.Context;
 using ToSic.Sxc.Oqt.Server.Plumbing;
@@ -14,8 +15,9 @@ internal class OqtJsApiService(
     IAntiforgery antiForgery,
     IHttpContextAccessor http,
     JsApiCacheService jsApiCache,
-    AliasResolver aliasResolver)
-    : ServiceBase("OqtJsApi", connect: [antiForgery, http, jsApiCache, aliasResolver]), IJsApiService
+    AliasResolver aliasResolver,
+    RsaCryptographyService rsaCryptographyService)
+    : ServiceBase("OqtJsApi", connect: [antiForgery, http, jsApiCache, aliasResolver, rsaCryptographyService]), IJsApiService
 {
     public string GetJsApiJson(int? pageId = null, string siteRoot = null, string rvt = null) 
         => JsApi.JsApiJson(GetJsApi(pageId, siteRoot, rvt));
@@ -31,12 +33,14 @@ public JsApi GetJsApi(int? pageId = null, string siteRoot = null, string rvt = n
             uiRoot: UiRootFn,
             rvtHeader: Oqtane.Shared.Constants.AntiForgeryTokenHeaderName,
             rvt: RvtFn,
+            secureEndpointPublicKey: SecureEndpointPrimaryKeyFn,
             dialogQuery: null);
 
         string SiteRootFn() => siteRoot.IsEmpty() ? OqtPageOutput.GetSiteRoot(aliasResolver.Alias) : siteRoot;
         string ApiRootFn() => SiteRootFn() + OqtWebApiConstants.ApiRootNoLanguage + "/";
         string UiRootFn() => OqtConstants.UiRoot + "/";
         string RvtFn() => rvt.IsEmpty() && http?.HttpContext != null ? antiForgery.GetAndStoreTokens(http.HttpContext).RequestToken : rvt;
+        string SecureEndpointPrimaryKeyFn() => rsaCryptographyService.PublicKey;
     }
 
 }

Src/Oqtane/ToSic.Sxc.Oqt.Server/StartUp/OqtStartup.cs

@@ -103,7 +103,8 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
         globalConfig.InstructionsFolder = Path.Combine(env.ContentRootPath, "Content", "2sxc", "system", Eav.Constants.InstructionsFolder);
         globalConfig.AssetsVirtualUrl = $"~/Modules/{OqtConstants.PackageName}/assets/";
         globalConfig.SharedAppsFolder = $"/{OqtConstants.AppRoot}/{OqtConstants.SharedAppFolder}/"; // "/2sxc/Shared"
-        globalConfig.TempAssemblyFolder = Path.Combine(env.ContentRootPath, "App_Data", "2sxc.bin");
+        globalConfig.TempAssemblyFolder = Path.Combine(env.ContentRootPath, Eav.Constants.AppDataProtectedFolder, Eav.Constants.TempAssemblyFolder); // ".../App_Data/2sxc.bin"
+        globalConfig.CryptoFolder = Path.Combine(env.ContentRootPath, Eav.Constants.AppDataProtectedFolder, Eav.Constants.CryptoFolder);
 
         // ensure we have an instance
         var assemblyResolver = serviceProvider.Build<AssemblyResolver>();

Src/Oqtane/ToSic.Sxc.Oqt.Server/ToSic.Sxc.Oqt.Server.csproj

@@ -94,6 +94,7 @@
     <EmbeddedResource Include="Scripts\ToSic.Sxc.13.01.00.sql" />
     <EmbeddedResource Include="Scripts\ToSic.Sxc.15.00.00.sql" />
     <EmbeddedResource Include="Scripts\ToSic.Sxc.16.07.01.sql" />
+    <EmbeddedResource Include="Scripts\ToSic.Sxc.18.03.00.sql" />
     <EmbeddedResource Include="Scripts\ToSic.Sxc.Uninstall.sql" />
   </ItemGroup>
 
@@ -136,5 +137,4 @@
   <ItemGroup>
     <Folder Include="wwwroot\Modules\" />
   </ItemGroup>
-
 </Project>