
Activities of "LW"

  • ABP Framework version: 5.1.4
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes

Hello, we are deploying our project built on top of ABP to Azure. After the deployment, we found that some of the requests are blocked by the OWASP scanner in the Azure Application Gateway Firewall. The first block comes from the authentication call:

requestUri_s /connect/authorize?response_type=code\u0026client_id=OUR_APP_App\u0026state=UXB5Zmh6VWFST3BLVUZTbXVkdEt3dWpfdWF3dy56XzFFMDNyNURESlFRQnNi\u0026redirect_uri=https%3A%2F%2FOUR_APP-qa.lw.app\u0026scope=offline_access%20openid%20profile%20role%20email%20phone%20OUR_APP\u0026code_challenge=JG1J3rF5kFDd-kQNWu5Bi7ji-zOCKWuJ4b_zK0yADjA\u0026code_challenge_method=S256\u0026nonce=UXB5Zmh6VWFST3BLVUZTbXVkdEt3dWpfdWF3dy56XzFFMDNyNURESlFRQnNi\u0026culture=en\u0026ui-culture=en

Message Detects basic SQL authentication bypass attempts 3/3

ruleSetVersion_s 3.2

ruleGroup_s REQUEST-942-APPLICATION-ATTACK-SQLI

details_message_s Pattern match (?i:(?:["'](?:\\s*?(?:is\\s*?(?:[\\d.]+\\s*?\\W.*?[\"']|\d.+["']?\\w)|\\d\\s*?(?:--|#))|(?:\\W+[\\w+-]+\\s*?=\\s*?\\d\\W+|\\|?[\\w-]{3,}[^\\w\\s.,]+)[\"']|[\%\u0026\u003c\u003e^=]+\d\s*?(?:between|like|x?or|and|div|=))|(?i:n?and|x?x?or|div|like|between|not|\|\||\\u0026\\u0026)\s+[\s\w+]+(?:sounds\s+like\s*?["'`]|regexp\s*?\(|[=\d]+x)|in\s*?\(+\s*?select)) at REQUEST_COOKIES.

details_data_s Matched Data: "uuid":" found within REQUEST_COOKIES:twk_uuid_6272619db0d10b6f3e709056: %7B%22uuid%22%3A%221.DECWNFunxcnpgYWrV82YSGHozzios3WMXMuV6utignc1kwKN9BEe3TVjnjGCKBM2TCtxVLGqUFfGNaX8VCZSQkz0Wb2xdIjkmk7pyyl343KA437h7YKdoYt6PKa2VEcY8hVOatTY%22%2C%22version%22%3A3%2C%22domain%22%3A%22lw.app%22%2C%22ts%22%3A1653031469585%7D

details_file_s REQUEST-942-APPLICATION-ATTACK-SQLI.conf

If we disable that rule, we encounter a couple of similar blocks where the pattern matching finds illegal characters in the request cookies:

requestUri_s /api/app/***

Message SQL Comment Sequence Detected.

ruleSetVersion_s 3.2

ruleGroup_s REQUEST-942-APPLICATION-ATTACK-SQLI

details_message_s Pattern match (?:/\!?|\/|[';]--|--[\s\r\n\v\f]|--[^-]?-|[^\u0026-]#.?[\s\r\n\v\f]|;?\x00) at REQUEST_COOKIES.

details_data_s Matched Data: --F5xL1NDlpZthOfOfsLDkvkV1sMEefcR9Pd3u7i6Ap_m8rZALmz3YaT5tiyGccQvL1jexkpbFic8v_TNqzyp9Ke- found within REQUEST_COOKIES:XSRF-TOKEN: CfDJ8G_9tIpyArtNlo7jZliI7olinWNezAaJOZPmYgGvad_rNtd1Ia9uNi0eqRUNAs7--F5xL1NDlpZthOfOfsLDkvkV1sMEefcR9Pd3u7i6Ap_m8rZALmz3YaT5tiyGccQvL1jexkpbFic8v_TNqzyp9Ke-p2fz-iSA0WigEIeo13N67-TJ3LYX3rphCGyhx_zKSQ

details_file_s REQUEST-942-APPLICATION-ATTACK-SQLI.conf

I know this is only partially or not directly an ABP issue, but I'm looking for information if we can affect the token characters in some way in ABP. I suppose we cannot change the uuid- existence in the authorize call?
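The two log entries above can be reproduced offline to see which cookie trips which part of each pattern. This is an added example, not code from the original post or from ABP; the cookie values are constructed, and the `*` quantifiers in the comment-sequence branch are an assumption, since the pattern as pasted (`--[^-]?-`) cannot produce the logged match.

```python
import re
from urllib.parse import unquote

# Branches taken from the two logged CRS 3.2 patterns. The "*" in "--[^-]*?-"
# is an assumption: the pasted log reads "--[^-]?-", which cannot yield the
# logged match, so the quantifier was probably lost when the log was copied.
BRANCHES = {
    "sqli-auth-bypass: quote, 3+ word chars, punctuation, quote":
        re.compile(r"""["'](?:\|?[\w-]{3,}[^\w\s.,]+)["']"""),
    "sql-comment: '--' ... '-'": re.compile(r"--[^-]*?-"),
}

def parse_cookie_header(header):
    """Split a Cookie header into {name: url-decoded value}, as the WAF sees it."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = unquote(value)
    return cookies

def triage(header):
    """Return [(cookie_name, branch_label, matched_text)] for every hit."""
    hits = []
    for name, value in parse_cookie_header(header).items():
        for label, rx in BRANCHES.items():
            m = rx.search(value)
            if m:
                hits.append((name, label, m.group(0)))
    return hits

def exclusion_candidates(hits):
    """Cookie names to consider for a per-cookie WAF exclusion."""
    return sorted({name for name, _, _ in hits})

# Constructed sample shaped like the logged cookies (not the real values).
SAMPLE = (
    "twk_uuid_EXAMPLE=%7B%22uuid%22%3A%221.AbCd%22%2C%22version%22%3A3%7D; "
    "XSRF-TOKEN=CfDJ8Example7--F5xExampleKe-p2fz; "
    "culture=en"
)

if __name__ == "__main__":
    for name, label, text in triage(SAMPLE):
        print(f"{name}: {label}: {text!r}")
    print("exclusion candidates:", exclusion_candidates(triage(SAMPLE)))
```

The cookie names it reports are the candidates for a scoped request-cookie exclusion in the WAF policy, which keeps the SQLI rule group active for the rest of the request.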

Hello, we are planning to use Azure AD as a third-party authentication provider. We have this enabled and working already. I just want to clarify for myself how to prevent users from logging into other tenants' environments. If the user manages to guess another tenant's name on the login screen, how is it prevented that the user is not able to log in? Where should the check be that this user can only log into a certain tenant environment?

  • ABP Framework version: v5.1.0

  • UI type: Angular

  • DB provider: EF Core

  • Tiered (MVC) or Identity Server Separated (Angular): yes

According to this advice https://support.abp.io/QA/Questions/2284/Concurrency-handling-clarification-question , we have now implemented updating the concurrency stamp in every update method. However, we now have a problem that the "conflict" return value is not handled correctly in our Angular app. The backend returns 409 as expected. We get an exception page instead of an error dialog telling the user about the error like it was shown in the linked answer. I assumed that of course there is a default handling for the conflict type return code, but couldn't find it in the Angular source code.

  • Steps to reproduce the issue: Add a concurrency stamp update to an entity's update method in the application service, then update the entity concurrently from the Angular UI

Hello, I would very much like this clarified: https://docs.abp.io/en/abp/5.0/Concurrency-Check . Here it says that the concurrency stamp and check are managed by Abp: https://docs.abp.io/en/abp/latest/Entities#basicaggregateroot-class However, I now noticed that, at least in some Abp modules, the concurrency stamp is cycled via the UI to update DTOs.

From this https://github.com/abpframework/abp/issues/3351 and from the docs I get the impression that the cycling is not needed but why is it implemented so at least in some modules here for example

My question is that should we always cycle the concurrency stamp through UI or in which cases we should do so.

  • ABP Framework version: 4.4.2
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): no

We have a situation where we should attach some extra information to our entities. For example: EntityX has some properties and in addition Tenant1 needs to see extra property "Xyx" and its value in the UI. Tenant2 also needs an extra property for EntityX but with a different name "Abc" and possibly a different value type. These extra properties cannot be determined at build time. In our old solution we just had extra columns for some database tables and the meaning of the value was taken care of in customer guidance. I'm looking for a more elegant solution than that and was wondering if the Extra Properties model could provide the solution?

Hello, as it says here https://docs.abp.io/en/abp/latest/Background-Workers-Quartz default Abp background jobs are executed "on top of each other" if they are long running and the job polling interval is shorter. The same job is executed multiple times. This occurs only when Quartz is used with background workers. As the documentation suggests, I added the AbpQuartzBackgroundJobs dependency to fix this, but this did not help. Is it so that I cannot use the default background job abstractions in this case and have to use only Quartz's abstractions all the way?

Hello,
this https://docs.abp.io/en/abp/latest/Multi-Tenancy#imultitenant is not very clear on how we should do multitenancy in a "Database per tenant" environment. If we know that we are not going to share our data across tenants, can we disable multitenancy altogether? If not, should only the aggregates be multitenant or entities under aggregates as well? This came up in a situation where we had both an aggregate and its entity defined as IMultitenant but our logic only set the aggregate's tenant id in creation. This created a situation where the aggregate's GetAsync, sub collection included, never populated the subcollection. Removing the IMultitenant definition from the entity fixed this. This got us thinking: do we still need to define aggregates and entities as multitenant if we know that tenant data will always be separated in a tenant-specific database?

  • ABP Framework version: 4.4.0

  • UI type: Angular

  • DB provider: EF Core

  • Tiered (MVC) or Identity Server Separated (Angular): yes

  • Exception message and stack trace: Volo.Abp.AbpInitializationException : An error occurred during the initialize Volo.Abp.Modularity.OnApplicationInitializationModuleLifecycleContributor phase of the module Volo.Abp.Quartz.AbpQuartzModule, Volo.Abp.Quartz, Version=4.4.0.0, Culture=neutral, PublicKeyToken=null: An exception was thrown while activating λ:Quartz.IScheduler.. See the inner exception for details. ---- Autofac.Core.DependencyResolutionException : An exception was thrown while activating λ:Quartz.IScheduler. -------- Quartz.SchedulerException : Scheduler with name 'QuartzScheduler' already exists.

    Stack Trace: ModuleManager.InitializeModules(ApplicationInitializationContext context) AbpApplicationBase.InitializeModules() AbpApplicationWithExternalServiceProvider.Initialize(IServiceProvider serviceProvider) AbpIntegratedTest1.ctor() BackgroundProcessesTestBase1.ctor() SchedulerCreationFailingTestExample.ctor() ----- Inner Stack Trace ----- ActivatorErrorHandlingMiddleware.Execute(ResolveRequestContext context, Action1 next) <>c__DisplayClass14_0.<BuildPipeline>b__1(ResolveRequestContext ctxt) ResolvePipeline.Invoke(ResolveRequestContext ctxt) <42 more frames...> AsyncHelper.RunSync[TResult](Func1 func) <>c.<ConfigureServices>b__1_1(IServiceProvider serviceProvider) <>c__DisplayClass3_0.<Register>b__0(IComponentContext context, IEnumerable1 parameters) DelegateActivator.ActivateInstance(IComponentContext context, IEnumerable1 parameters) DelegateActivator.<ConfigurePipeline>b__2_0(ResolveRequestContext ctxt, Action1 next) DelegateMiddleware.Execute(ResolveRequestContext context, Action1 next) <>c__DisplayClass14_0.<BuildPipeline>b__1(ResolveRequestContext ctxt) DisposalTrackingMiddleware.Execute(ResolveRequestContext context, Action1 next) <>c__DisplayClass14_0.<BuildPipeline>b__1(ResolveRequestContext ctxt) ActivatorErrorHandlingMiddleware.Execute(ResolveRequestContext context, Action1 next)

  • Steps to reproduce the issue:

I'm trying to unit test my Quartz background workers. Whenever I run multiple tests where I initialize a background worker, the tests fail because the IScheduler is already created with another test. My tests are integration tests since I need some registered services in my workers. It doesn't make a difference if I use a new scheduler for the actual scheduling in my tests like this:

    IScheduler scheduler = await GetNewScheduler();

    // Act
    ISchedulerListener listener = Substitute.For<ISchedulerListener>();
    scheduler.ListenerManager.AddSchedulerListener(listener);
    await worker.ScheduleJob.Invoke(scheduler);

My test module depends on a module that depends on AbpBackgroundWorkersQuartzModule and through that Quartz gets initialized. It seems to me that AbpIntegratedTest initialization doesn't take into account that Quartz cannot be initialized multiple times. I realize that this is possibly a Quartz problem, but is there some way to change the Quartz initialization so that the IScheduler implementation will be initialized only once?

  • ABP Framework version: 4.4.0
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace:
  • Autofac.Core.DependencyResolutionException: 'An exception was thrown while activating Volo.Abp.SettingManagement.EntityFrameworkCore.SettingManagementDbContext -> λ:Microsoft.EntityFrameworkCore.DbContextOptions`1[[Volo.Abp.SettingManagement.EntityFrameworkCore.SettingManagementDbContext, Volo.Abp.SettingManagement.EntityFrameworkCore, Version=4.4.0.0, Culture=neutral, PublicKeyToken=null]].'

ArgumentNullException: Value cannot be null. Arg_ParamName_Name (ConnectionString)

  • Steps to reproduce the issue:

I created a new console application with the cli generator. After that I created a module that depends on the settings module. Apparently this brings a dependency to SettingManagementDbContext. My intent was to create a unit test module to test the module and I mimicked the Domain.test project initialization from another application. However, this time the initialization wants to use the real database instead of the in-memory database for SettingManagementDbContext.

What should I do in the test base initialization to make a generic module use the in-memory database?

  • ABP Framework version: 4.4.0
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes

I have two questions:

  1. I created a background process console application to handle longer, scheduled calculations. In that application I defined a calculation scheduling settings provider:
    public class TenantCalculationTimeSettingProvider : SettingDefinitionProvider
    {
        public override void Define(ISettingDefinitionContext context)
        {
            context.Add(
                new SettingDefinition(
                    "CalculationTimeCronConf",
                    "0 */1 * ? * *",
                    new LocalizableString(typeof(TenantCalculationTimeSettingProvider), "configuration for time scheduled calculation"),
                    new LocalizableString(typeof(TenantCalculationTimeSettingProvider), "configuration for time scheduled calculation")
                ));
        }
    }

I cannot get the Define method to fire no matter what I try. I have added the dependency to AbpSettingsModule and tried to register the provider manually:

    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        Configure<AbpSettingOptions>(options =>
        {
            options.DefinitionProviders.Add<TenantCalculationTimeSettingProvider>();
        });
    }

If I add the same provider in my main web application it works. Am I missing some dependency in my new application for the Define to work?

  2. If I define the setting this way, is there an Angular component (in the commercial package perhaps) that enables viewing and editing this setting?

Made with ❤️ on ABP v9.1.0-preview. Updated on November 20, 2024, 13:06