Module : Security
Issue | Type | TrialGrid Version | Description |
---|---|---|---|
3664 | Bug | 63 | When using the APIs, user accounts were not locked out after failed login attempts. This was corrected. |
3666 | Bug | 63 | Executable files could be uploaded to the file area and then hosted/served by the system if users chose to make them public. Executable files are now blocked from upload. |
3667 | Bug | 63 | In tickets, wiki pages and comments it was possible to introduce JavaScript execution via the onerror attribute of img tags. Event-handler attributes such as onerror, onclick etc. are now removed from HTML elements in user input. |
3648 | Bug | 63 | If the ALS Project Name for a Draft contained HTML content, it would be displayed as-is in the results for diagnostic 131 (which checks these names). This was a potential security risk and has been corrected. |
3649 | Bug | 63 | When two Draft objects are compared in the per-object difference dialog, the Draft names were not escaped, making the page vulnerable to XSS injection. |
3650 | Bug | 63 | When cloning a Draft, Draft names were not escaped, making the page vulnerable to XSS injection. This has been corrected. |
3651 | Bug | 63 | When renaming a file, the new file name was not escaped, making the page vulnerable to XSS injection. This has been corrected. |
3654 | Bug | 63 | Task names were not escaped in the user's historical task list, making the page vulnerable to XSS injection. This has been corrected. |
3656 | Feature | 63 | When entering two-factor token values for TrialGrid login, failed attempts now increment the failed login count for the user, and repeated failures will result in the user account being locked out. |
3657 | Feature | 63 | Response headers returned the name and version of the web server software, information which could help attackers craft attacks against known vulnerabilities. The header now returns "TGServer", which gives no information away. |
3615 | Bug | 61 | When a user who had Single Sign On active but an inactive account was invited to a new project, they got an email telling them they would need to change their password. This was corrected; the email no longer contains that text for these users. |
3552 | Feature | 59 | When a user tries to log in via SSO, if they do not have an active account or an active invite they cannot log in. If the user was invited with an email address (joe@example.com) that does not match the address provided by the SSO system (joseph@example.com), they will not be able to log into the system. The error page now shows the email address provided by the SSO system to help users understand the issue. |
3551 | Feature | 58 | It is now possible to allow users to use password authentication even if the organization they belong to is linked to a Single Sign On provider. This can be set for a user by TrialGrid staff. |
3459 | Bug | 56 | When a user's email address was not all lower case, the system tried to create a new account when they were invited to a project. This caused duplicate inactive accounts and login problems. This was corrected. |
3418 | Feature | 55 | Single Sign On providers can now be set in TrialGrid to auto-redirect users to their Single Sign On provider once they have logged in for the first time. This setting can be configured by TrialGrid Ltd on request. |
3454 | Feature | 55 | Single Sign On providers can now pass a unique id to TrialGrid for a user, and this value will be stored as the Unique Employee ID of the user. This is a step towards allowing Single Sign On providers to identify users by unique employee id and update email / first name / last name automatically. This setting can be configured by TrialGrid Ltd on request. |
3402 | Feature | 54 | TrialGrid can now track unique employee identifiers. This can be important for Single Sign On and automated user provisioning. |
3348 | Feature | 51 | Some SSO configuration can now be overridden per customer Identity Provider. This allows SAML security settings to be customized per customer. |
3325 | Feature | 50 | When an organization is linked to a Single Sign On provider, invitations to new users no longer mention setting a username and password and instead guide users to claim their invitation by logging in to their SSO system. |
3260 | Bug | 48 | The Test Case Run status view did not time out after a period of user inactivity. This has been corrected. |
2822 | Feature | 40 | When an organization is linked to a Single Sign On provider, users cannot change their own passwords; this is the responsibility of the Single Sign On system. |
2823 | Feature | 40 | When an organization is linked to a Single Sign On provider, users cannot activate two-factor authentication in the system; this is the responsibility of the Single Sign On provider. |
2825 | Feature | 40 | When an organization is linked to a Single Sign On provider, users cannot log in via the normal login page. When they try, they are offered a link to log in via the Single Sign On provider. |
2826 | Feature | 40 | Once I have logged into the system via SSO, when I visit the login page again I see a link to the last SSO I used. |
2827 | Feature | 40 | When a user is linked to an SSO provider, I can log in to the system from the SSO portal (assuming I am logged into the SSO portal). |
2831 | Feature | 40 | When a user is linked to a Single Sign On provider they cannot request a password reset link from the "forgot password" page. |
2512 | Feature | 32 | When a new user is invited to TrialGrid, their Organization will be set to the Organization of the URL/Project to which they have been invited. |
1840 | Feature | 31 | HTML pages were reviewed and modified to prevent possible cross-site scripting (XSS) attacks. |
1848 | Feature | 31 | Users will receive an email when they sign in from a new location. |
2440 | Feature | 31 | The Forgot Password page confirmation message no longer contains the user's email address. |
2441 | Feature | 31 | The Login page no longer displays the number of failed attempts for a user account. |
2445 | Feature | 31 | TrialGrid administrators can set user accounts to require a password change before the user can log in again. |
1844 | Feature | 30 | Two-factor authentication is now available. See Two Factor Authentication. |
1532 | Feature | 30 | Files uploaded to TrialGrid are now scanned for viruses and malware. |
1841 | Feature | 27 | When setting a new password, TrialGrid now checks it against the Have I Been Pwned (Pwned Passwords) service. This check can be disabled on request. |
2341 | Feature | 27 | On request, TrialGrid can configure password complexity and expiry rules for an Organization in TrialGrid. |
2091 | Feature | 23 | Users can no longer change their email address from the user profile page. |
1839 | Bug | 19 | Security of the application was improved by removing the ability to inject JavaScript code into text fields of the application (e.g. Project and Draft names, Label names etc.). |
1834 | Feature | 19 | The implementation of the permission system was simplified (i.e. who is allowed to see which URLs/Projects etc.). Users should see no difference in functionality. All existing security tests were maintained. |
1843 | Feature | 19 | System error messages were updated to remove information which could be used by malicious actors. |
1842 | Feature | 16 | On login the system will not redirect the browser to a web page that is not part of the application (e.g. /login?next=https://www.google.com). |
1827 | Bug | 16 | A security issue has been addressed. |
1784 | Feature | 16 | If TrialGrid encounters a Cross Site Request Forgery (CSRF) error it will display a warning and prompt the user to log in again. |
1502 | Feature | 16 | New controls have been added to TrialGrid to improve the security of web pages. No changes are visible to users. |
744 | Feature | 6 | To improve application security a 'Content Security Policy' HTTP header has been added. |
745 | Feature | 6 | To improve application security a 'Referrer Policy' HTTP header has been added. |
746 | Feature | 6 | To improve application security an 'Expect-CT' HTTP header has been added. |
622 | Bug | 4 | Some security policies were blocking the application/ms-excel download of Drafts. As a result of this investigation, the content type for downloading Drafts was changed to application/vnd.ms-excel, which is the correct content type. |
625 | Bug | 4 | Resetting a user's password through the Forgot Password functionality did not reset the failed login attempt count (potentially locking the user out indefinitely). This was fixed. |
436 | Bug | 1 | If a user had 2 failed login attempts they could no longer log in at all. This was fixed. |
416 | Feature | 1 | Keep records of when users log in and log out. The system now keeps a record of login, logout and last-activity date/times, and the IP address at login. |
425 | Feature | 1 | If there have been invalid login attempts prior to a successful login, the user should be warned on successful login. |
2820 | Feature | 1 | If a user enters an invalid username or password, the error message shown does not indicate whether the username is valid, for security reasons. |
2821 | Feature | 1 | Users can be inactivated in the system by TrialGrid personnel. Users inactivated in this way will not be able to log in and will see a message informing them that their account is inactive/blocked. |
417 | Feature | 1 | Disable user account after a number of invalid password attempts. This is system configurable but currently set to 4 attempts. |
426 | Feature | 1 | After the user has made two unsuccessful login attempts, a warning should appear which shows how many attempts remain before the account becomes locked out and requires a password reset (using the Forgot Password functionality) to unlock the account. |
354 | Bug | 1 | The password reset view was case sensitive on email address. This was corrected. |
355 | Feature | 1 | Allow users to log in with (username OR email address) AND password. Note that email address is not case sensitive. |
2819 | Feature | 1 | Username for login is no longer case-sensitive. |
327 | Feature | 1 | Password requirements should appear on screen and in help. |
356 | Feature | 1 | Documented password requirements (added as an Issue for validation documentation tracking reasons). |
359 | Feature | 1 | Prevent users from changing their email address to duplicate another user's email address. |
168 | Bug | 1 | Leaving the password field blank on login caused a server error. This was corrected. |
3 | Feature | 1 | A user with team management permission for a Project is able to invite new or existing users to participate in the Project with a particular Role via an email invitation. |
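Issues 3667 and 3648 to 3654 above are two different XSS fixes: rich-text fields (tickets, wiki pages, comments) need an HTML sanitizer that drops event-handler attributes, while plain-text fields (Draft names, file names, task names) must simply be escaped at render time. The Python below is an added example and not TrialGrid's own code; it builds an allowlist sanitizer on the standard library parser. The allowed tag and attribute lists, and the function names, are assumptions for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist for the example (an assumption; a deployment would tune it to its editor).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "pre", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
VOID_TAGS = {"br", "img"}
DROP_CONTENT_TAGS = {"script", "style"}            # drop the element and everything inside it
ALLOWED_URL_SCHEMES = {"", "http", "https", "mailto"}   # "" means a relative URL


def _safe_url(value):
    """Reject javascript:, data: and similar schemes, even with odd casing or control characters."""
    cleaned = "".join(ch for ch in value if ord(ch) > 31 and ch != "\x7f").strip()
    try:
        return urlsplit(cleaned).scheme.lower() in ALLOWED_URL_SCHEMES
    except ValueError:
        return False


class AllowlistSanitizer(HTMLParser):
    """Re-serialises user HTML keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._dropping = 0          # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._dropping += 1
            return
        if self._dropping or tag not in ALLOWED_TAGS:
            return                  # unknown tag: drop the tag itself, keep its (escaped) text
        kept = []
        for name, value in attrs:   # HTMLParser already lower-cases names
            if name.startswith("on"):                      # onerror, onclick, ...: the issue 3667 vector
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not _safe_url(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._dropping = max(self._dropping - 1, 0)
        elif not self._dropping and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(escape(data, quote=False))


def sanitize_html(fragment):
    """For fields that are allowed to carry markup (tickets, wiki pages, comments)."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def render_plain_text(value):
    """For plain-text fields (Draft, file and task names): escape everything, never sanitize."""
    return escape(value, quote=True)


if __name__ == "__main__":
    print(sanitize_html('<img src="x" onerror="alert(1)">'))   # <img src="x">
    print(render_plain_text('<img src=x onerror=alert(1)>'))
```

Two design points: a regex that strips `on*` attributes is easy to bypass (attribute names split by whitespace or encoded entities), whereas rebuilding the fragment from a parser's token stream means anything not explicitly allowed never reaches the output; and a plain-text name should never go through the sanitizer at all, because the bugs in 3649 to 3654 come from marking such a value as trusted HTML rather than from a missing filter.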
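Issue 1842 rejects `/login?next=https://www.google.com`. The following Python is an added example, not TrialGrid's implementation, of a `next` check that also covers the usual open-redirect bypasses: protocol-relative `//host`, backslash `/\host` (browsers treat `\` as `/`), `scheme:///host`, credentials-in-URL (`https://app@evil.com`) and non-HTTP schemes. The `allowed_hosts` set and the function names are assumptions.

```python
from urllib.parse import urlsplit


def is_safe_redirect(target, allowed_hosts):
    """True only for a same-site path or an absolute URL whose host is in allowed_hosts."""
    if not target:
        return False
    # Strip control characters, then normalise "\" to "/" the way browsers do,
    # so "/\evil.com" is seen as the protocol-relative "//evil.com" it becomes.
    target = "".join(ch for ch in target if ord(ch) > 31 and ch != "\x7f").strip()
    target = target.replace("\\", "/")
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False                          # javascript:, data:, ...
    if parts.scheme and not parts.netloc:
        return False                          # "http:///evil.com", which browsers read as http://evil.com
    if parts.netloc:
        # Absolute or protocol-relative URL: hostname drops any user:pass@ prefix and lower-cases.
        return parts.hostname in allowed_hosts
    return target.startswith("/") and not target.startswith("//")


def login_redirect_target(next_param, allowed_hosts, default="/"):
    """Post-login destination: the 'next' value if it is safe, otherwise the default page."""
    return next_param if is_safe_redirect(next_param, allowed_hosts) else default


if __name__ == "__main__":
    hosts = {"app.example.com"}          # assumed deployment hostname
    print(login_redirect_target("https://www.google.com", hosts))   # /
    print(login_redirect_target("/projects/42/", hosts))            # /projects/42/
```

The comparison is against the configured hostname, not against the `Host` request header, because an attacker who can reach the login page can also send whatever `Host` they like.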
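Several entries describe one lockout mechanism: lock after a configurable number of failures (417, here 4), count two-factor and API failures against the same counter (3656, 3664), clear the counter on a password reset (625), match usernames case-insensitively (2819), give the same error whether or not the username exists (2820) and warn after a successful login about earlier failures (425). The Python below is an added example, not TrialGrid's code, that puts those rules in one place; the class and field names, the KDF parameters and the message texts are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 4                 # issue 417: configurable, currently 4
PBKDF2_ITERATIONS = 100_000             # assumed KDF setting for the example
GENERIC_ERROR = "Invalid username or password."   # issue 2820: same text for unknown users


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class LoginResult:
    ok: bool
    message: str
    prior_failures: int = 0             # issue 425: shown as a warning after a successful login


class AuthService:
    def __init__(self, accounts):
        self.accounts = {a.username.lower(): a for a in accounts}   # issue 2819: case-insensitive
        self._dummy_salt, self._dummy_hash = hash_password(os.urandom(8).hex())

    def _password_matches(self, account, password):
        # Run the KDF even for unknown users so response time does not reveal valid usernames.
        salt = account.salt if account else self._dummy_salt
        expected = account.pw_hash if account else self._dummy_hash
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, expected) and account is not None

    def record_failure(self, account):
        """Single counter shared by password, two-factor (3656) and API (3664) login paths."""
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True

    def login(self, username, password):
        account = self.accounts.get(username.strip().lower())
        matches = self._password_matches(account, password)
        if account is None:
            return LoginResult(False, GENERIC_ERROR)
        if account.locked or not matches:   # a locked account rejects even the right password
            self.record_failure(account)
            return LoginResult(False, GENERIC_ERROR)
        prior = account.failed_attempts
        account.failed_attempts = 0
        return LoginResult(True, "Logged in", prior)

    def verify_second_factor(self, account, supplied_code, expected_code):
        if account.locked or not hmac.compare_digest(supplied_code.encode(), expected_code.encode()):
            self.record_failure(account)
            return False
        account.failed_attempts = 0
        return True

    def reset_password(self, account, new_password):
        """Forgot-password flow: issue 625 requires the counter and the lock to be cleared here."""
        account.salt, account.pw_hash = hash_password(new_password)
        account.failed_attempts = 0
        account.locked = False
```

The lock is enforced by rejecting every login with the generic message rather than by a distinct "account locked" page, which keeps the login form from confirming that an account exists (issues 2441 and 2820); the user learns about the lock through the reset flow or an out-of-band notice. Store the counter server-side keyed by account, not in the session or a cookie, or the API path in issue 3664 simply never sees it.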
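Issue 1841 checks new passwords against Have I Been Pwned. The Pwned Passwords range API works by k-anonymity: the client sends only the first five hex characters of the password's SHA-1 and receives every suffix in that range, so the password itself never leaves the application. The Python below is an added example, not TrialGrid's code; the live fetch uses the real `https://api.pwnedpasswords.com/range/` endpoint, while the range file and counts used for the offline run are constructed for this example. Function names and the fail-open choice are assumptions.

```python
import hashlib
from urllib.request import Request, urlopen

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def fetch_range_live(prefix):
    """Fetch the real range file for a 5-hex-char SHA-1 prefix (network call)."""
    req = Request(HIBP_RANGE_URL + prefix,
                  headers={"Add-Padding": "true", "User-Agent": "password-check-example"})
    with urlopen(req, timeout=5) as resp:
        return resp.read().decode("ascii")


def pwned_count(password, fetch_range=fetch_range_live):
    """How often the password appears in known breaches (0 = not found).
    Only the first five hex characters of the SHA-1 are sent to the service."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)
    return 0


def check_new_password(password, fetch_range=fetch_range_live, check_enabled=True):
    """'Set new password' hook: reject breached passwords unless the check is disabled."""
    if not check_enabled:                      # issue 1841: can be disabled on request
        return True, "breach check disabled"
    try:
        count = pwned_count(password, fetch_range)
    except OSError:
        return True, "breach check unavailable"   # fails open here; a policy may prefer fail-closed
    if count:
        return False, f"password has appeared in {count} breaches"
    return True, "ok"


# Constructed stand-in for the range file of prefix 5BAA6 (the SHA-1 of "password" starts 5BAA6).
# The other suffixes and all counts are made up for this example.
CONSTRUCTED_RANGE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    "1E5E5C3D6A2F0B9C8D7E6F5A4B3C2D1E0F9:0\r\n"      # padding entries carry count 0
)
REQUESTED_PREFIXES = []


def constructed_fetch(prefix):
    """Offline replacement for fetch_range_live that records what would have been sent."""
    REQUESTED_PREFIXES.append(prefix)
    return CONSTRUCTED_RANGE


if __name__ == "__main__":
    print(check_new_password("password", constructed_fetch))
    print(REQUESTED_PREFIXES)            # ['5BAA6']: the only thing that left the application
```

`Add-Padding: true` asks the service to pad every response to a similar size, so an observer of the TLS connection cannot infer the prefix from the response length. Whether an outage of the service should block password changes (fail closed) or log and continue (fail open) is a policy decision; the example fails open and says so in its return value.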
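Issues 744, 745 and 3657 add Content-Security-Policy and Referrer-Policy headers and replace the web server's `Server` value with "TGServer". The Python below is an added example, not TrialGrid's code, of a WSGI middleware that does both; the header values, the `demo_app` that leaks a made-up `Server` string, and the function names are assumptions. Expect-CT (issue 746) is left out because browsers have since deprecated that header.

```python
# Header values are assumptions for the example; a real CSP must match what the pages load.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Content-Type-Options": "nosniff",
}
SERVER_NAME = "TGServer"        # the neutral value from issue 3657


class SecurityHeadersMiddleware:
    """WSGI middleware: replace the Server header and add any missing security headers."""

    def __init__(self, app, headers=SECURITY_HEADERS, server_name=SERVER_NAME):
        self.app = app
        self.headers = headers
        self.server_name = server_name

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, response_headers, exc_info=None):
            # Drop whatever the framework or server put in Server, then add ours exactly once.
            filtered = [(k, v) for k, v in response_headers if k.lower() != "server"]
            present = {k.lower() for k, _ in filtered}
            for name, value in self.headers.items():
                if name.lower() not in present:        # a view may set a stricter policy itself
                    filtered.append((name, value))
            filtered.append(("Server", self.server_name))
            return start_response(status, filtered, exc_info)
        return self.app(environ, wrapped_start_response)


def demo_app(environ, start_response):
    """Constructed upstream app that leaks software name and version, as issue 3657 describes."""
    start_response("200 OK", [("Content-Type", "text/html"), ("Server", "ExampleHTTPD/1.2.3")])
    return [b"<p>hello</p>"]


def run_request(app, path="/"):
    """Run one GET through `app` and return status, headers (as a dict) and body."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    captured["body"] = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured


if __name__ == "__main__":
    print(run_request(SecurityHeadersMiddleware(demo_app))["headers"])
```

In practice the `Server` header is usually written by the front web server rather than the application (nginx's `server_tokens off;` removes the version but still sends `nginx`), so the neutral value is normally configured there, with middleware like this as a backstop for responses the application generates itself. Check the result with `curl -sI` against a real deployment rather than trusting the configuration.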