Friday, August 27, 2021

[Research] warning CS0618: 'PdfTextFind.Bounds' is obsolete: 'This property may be removed in the future, please use TextBounds instead.'

2021-08-26

Today, while building a solution in Visual Studio 2019, the following appeared:

warning CS0618: 'PdfTextFind.Bounds' 已經過時: 'This property may be removed in the future, please use TextBounds instead.'

This appears to be because NuGet upgraded the PdfTextFind version. packages.conf shows the current version is FreeSpire.PDF 7.8.9

PdfTextFind Class
Assembly: Spire.Pdf (in Spire.Pdf.dll) Version: 6.2.6.0 (6.2.6.2020)
https://www.e-iceblue.com/api_documents/5e4e0b69721393-11731598/res/html/d337da17-db94-256c-1fe8-b08d2796720c.htm

The official documentation page is still for version 6.2.60 and still uses Bounds; it has no TextBounds usage. After some searching,

 rec = find.Bounds;

has to be changed to

rec = find.TextBounds[0];

(End)

[Research] Your browser is out of date. Switch to the latest browser recommended by Microsoft. Switch to Microsoft Edge.

2021-08-27

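Today, on Windows Server 2019, I used Internet Explorer (IE11) to visit a website, and a prompt appeared at the bottom of the page: "Your browser is out of date. Switch to the latest browser recommended by Microsoft." Clicking "Switch now" opens a separate Edge browser window (but it does not automatically load the site IE11 was trying to reach). (This computer already has Edge (Chromium-based) installed.)

On another machine running Windows 10, I used Internet Explorer (IE11) to visit a different website, and a "Switch to Microsoft Edge" message popped up.

Microsoft is pushing everyone to move over to Microsoft Edge.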

(End)

Tuesday, August 24, 2021

Sunday, August 15, 2021

[Research][ASP.NET][HTML5+JavaScript] Trying out the Chart.js 2.9.3 charting library

2018-04-10

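Official website

The official website currently offers up to version 3.5.0, but NuGet only goes up to 2.9.3. Checking the official website listed in the description of the NuGet package confirms it is the same publisher.

Chart.js · Chart.js documentation (includes a bar chart example)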
http://www.chartjs.org/docs/latest/

Getting Started · Chart.js documentation
https://www.chartjs.org/docs/latest/getting-started/

Chart.js samples (various examples)
http://www.chartjs.org/samples/latest/

Chart.js - cdnjs.com - The best FOSS CDN for web related libraries to speed up your websites!
https://cdnjs.com/libraries/Chart.js

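Environment:
Visual Studio 2019 + WebForm + ASP.NET + WebApplication + C#

Based on this example:
http://www.chartjs.org/docs/latest/

(Figure below) By default the chart is very large; when the browser width is adjusted, the height adjusts automatically. The width of a div can be used to limit its size.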

Default.aspx

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" 
Inherits="WebApplication1.Default" %>

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title></title>
     <script type="text/javascript" src="Scripts/Chart.min.js"></script>
    
</head>
<body>
    <form id="form1" runat="server">
        <div id="aa" style="width:600px">
                <canvas id="myChart" width="400" height="400"></canvas>
        </div>
    </form>
    <script>
        var ctx = document.getElementById("myChart").getContext('2d');
        var myChart = new Chart(ctx, {
            type: 'bar',
            data: {
                labels: ["Red", "Blue", "Yellow", "Green", "Purple", "Orange"],
                datasets: [{
                    label: '# of Votes',
                    data: [12, 19, 3, 5, 2, 3],
                    backgroundColor: [
                        'rgba(255, 99, 132, 0.2)',
                        'rgba(54, 162, 235, 0.2)',
                        'rgba(255, 206, 86, 0.2)',
                        'rgba(75, 192, 192, 0.2)',
                        'rgba(153, 102, 255, 0.2)',
                        'rgba(255, 159, 64, 0.2)'
                    ],
                    borderColor: [
                        'rgba(255,99,132,1)',
                        'rgba(54, 162, 235, 1)',
                        'rgba(255, 206, 86, 1)',
                        'rgba(75, 192, 192, 1)',
                        'rgba(153, 102, 255, 1)',
                        'rgba(255, 159, 64, 1)'
                    ],
                    borderWidth: 1
                }]
            },
            options: {
                scales: {
                    yAxes: [{
                        ticks: {
                            beginAtZero: true
                        }
                    }]
                }
            }
        });
    </script>
</body>
</html>


(End)


[Research] Differences between the ckeditor full, standard and basic editions

2021-08-15

NuGet in Visual Studio 2019 offers "ckeditor-full", "ckeditor-standard" and "ckeditor-basic". What is the difference? I looked it up:

https://ckeditor.com/docs/ckeditor4/latest/examples/fullpreset.html


https://ckeditor.com/docs/ckeditor4/latest/examples/standardpreset.html

(End)

Saturday, August 14, 2021

[Research] Which file formats (file extensions) OpenOffice 4.1.10 and LibreOffice 7.0.6 support

2021-08-14

Apache OpenOffice
https://www.openoffice.org/zh-tw/
Apache_OpenOffice_4.1.10_Win_x86_install_zh-TW.exe

LibreOffice
https://zh-tw.libreoffice.org/download/libreoffice-still/
LibreOffice_7.0.6_Win_x64.msi

LibreOffice can save to Excel's .xlsx file format.

(End)

[Research] Computing the MD5 of an uploaded file in ASP.NET fails with: Server Error in '/' Application. Access to the path is denied

2021-08-14

Windows Server 2019 + Visual Studio 2019 + IIS + ASP.NET + WebForm + Web Application

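The program is run after deployment, not from within Visual Studio 2019.

This is a bit odd: "Read" permission for IIS_IUSRS should have been enough, but it only worked properly after granting "Full control". I have no time to dig into it, so I am just noting it down for now.

(End)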

Friday, August 13, 2021

[Research][ASP.NET] Example of using HyperLinkField in a GridView

2021-08-10

Visual Studio 2019 + ASP.NET + C# + WebForm + Web Application

A quick note.


<asp:GridView ID="GridView1" runat="server" AllowPaging="True" AllowSorting="True"
    Caption="檔案、圖片列表" EmptyDataText="無檔案"
    AutoGenerateColumns="False" DataKeyNames="seq" DataSourceID="SqlDataSource1">
    <Columns>
        <asp:CommandField ShowDeleteButton="True" ShowEditButton="True" />
        <asp:BoundField DataField="FileName" HeaderText="FileName" SortExpression="FileName" />
        <asp:HyperLinkField DataTextField="FileName" HeaderText="FileName2" 
		DataNavigateUrlFields="SubDir, FileName" Target="_blank" 
		DataNavigateUrlFormatString="../UploadFile/{0}/{1}" Text="{1}" />
    </Columns>
</asp:GridView>

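Applying "Convert this field into a TemplateField" to the HyperLinkField gives a somewhat odd result: DataNavigateUrlFields has 2 parameters, but after conversion NavigateUrl is left with only one, SubDir. Let's test it.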


<asp:TemplateField HeaderText="FileName3">
    <ItemTemplate>
        <asp:HyperLink ID="HyperLink1" runat="server" 
		    NavigateUrl='<%# Eval("SubDir", "/{0}/{1}") %>' 
			Target="_blank" Text='<%# Eval("FileName") %>'>
			</asp:HyperLink>
    </ItemTemplate>
</asp:TemplateField>

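Running it after deployment fails with: "Index (zero based) must be greater than or equal to zero and less than the size of the argument list."

On checking, the markup as written before the conversion runs correctly; the converted markup does not run.

Modified once more: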

<asp:TemplateField HeaderText="FileName4">
    <ItemTemplate>
        <asp:HyperLink ID="HyperLink2" runat="server" 
		NavigateUrl='<%# String.Format((string)ConfigurationManager.AppSettings["WebSiteURL"] + @"{0}/{1}",Eval("SubDir"), Eval("FileName")) %>' 
		Target="_blank" Text='<%# Eval("FileName") %>'></asp:HyperLink>
    </ItemTemplate>
</asp:TemplateField>
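
Why the converted template fails, as an added example that is not part of the original post: Eval("SubDir", "/{0}/{1}") formats a single value, so placeholder {1} has no argument. It is written in PowerShell because PowerShell calls the same .NET String.Format; the function names and the sample row are illustrative, and percent-encoding each field is an addition made by this example.

```powershell
# Assumption: stand-in for the data-binding Eval(expression, format) overload,
# which passes ONE field value to String.Format as argument {0}.
function Format-EvalValue {
    param([object]$Value, [string]$Format)
    if ([string]::IsNullOrEmpty($Format)) { return [string]$Value }
    return [string]::Format($Format, $Value)
}

# Builds the link from both fields. Each field is percent-encoded as a single
# path segment, so characters such as '#', '?', '/' or spaces in a stored
# file name cannot change the structure of the URL.
function New-UploadLink {
    param([string]$BaseUrl, [string]$SubDir, [string]$FileName)
    '{0}/{1}/{2}' -f $BaseUrl.TrimEnd('/'),
        [uri]::EscapeDataString($SubDir),
        [uri]::EscapeDataString($FileName)
}

# Constructed sample row (not from the original post).
$row = @{ SubDir = '2021-08'; FileName = 'report #1.pdf' }

try {
    # Same shape as the converted template: one value, but the format asks for {1}.
    Format-EvalValue -Value $row.SubDir -Format '/{0}/{1}'
}
catch {
    "Converted template fails: $($_.Exception.GetBaseException().Message)"
}

# Same shape as the working version: two values, two placeholders.
New-UploadLink -BaseUrl 'https://example.test/UploadFile/' -SubDir $row.SubDir -FileName $row.FileName
```

In the .aspx page the equivalent is to wrap each Eval(...) result in Uri.EscapeDataString inside the String.Format call.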


********************************************************************************

Official Microsoft examples

HyperLinkField Class (System.Web.UI.WebControls) | Microsoft Docs
https://docs.microsoft.com/zh-tw/dotnet/api/system.web.ui.webcontrols.hyperlinkfield?view=netframework-4.8


<asp:hyperlinkfield text="Details..." navigateurl="~\details.aspx" 
    headertext="Order Details"   target="_blank" />



<asp:hyperlinkfield datatextfield="UnitPrice"
    datatextformatstring="{0:c}"
    datanavigateurlfields="ProductID"
    datanavigateurlformatstring="~\details.aspx?ProductID={0}"          
    headertext="Price" target="_blank" />

(End)

Related

HyperLinkField.DataNavigateUrlFields Property (System.Web.UI.WebControls) | Microsoft Docs
https://docs.microsoft.com/zh-tw/dotnet/api/system.web.ui.webcontrols.hyperlinkfield.datanavigateurlfields?view=netframework-4.8

HyperLinkField.DataNavigateUrlFormatString Property (System.Web.UI.WebControls) | Microsoft Docs
https://docs.microsoft.com/zh-tw/dotnet/api/system.web.ui.webcontrols.hyperlinkfield.datanavigateurlformatstring?view=netframework-4.8


[Research] Showing image dimensions and photo dimensions in File Explorer

2021-08-13

Environment: Windows 10

(End)

Wednesday, August 11, 2021

[Research] OWASP Dependency Check 6.2.2, a component dependency checking tool

2021-08-11

OWASP Dependency Check
https://www.owasp.org/index.php/OWASP_Dependency_Check

Official presentation
http://jeremylong.github.io/DependencyCheck/general/dependency-check.pptx

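Dependency Check is a Software Composition Analysis (SCA) tool: it examines what a piece of software is composed of and the vulnerabilities it may contain. It uses Common Platform Enumeration (CPE) to obtain information about the software's components. If a match is found, it generates a report with hyperlinks to the Common Vulnerabilities and Exposures (CVE) entries.

OWASP Top 10 2013 has an item: A9-Using Components with Known Vulnerabilities. Dependency Check can perform this check.

Note that the results may contain misjudgements; this program is better suited to Java programs than to .NET programs, and may misjudge .NET programs.

Running it requires a Java JRE; otherwise it cannot run.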

Microsoft Windows [版本 10.0.19043.1110]
(c) Microsoft Corporation. 著作權所有,並保留一切權利。

C:\>C:\dependency-check\bin\dependency-check.bat --project "WebApplication1" --scan "C:\Code\WebApplication1\WebApplication1\bin" --out "C:\Temp"
'java' 不是內部或外部命令、可執行的程式或批次檔。

C:\>

I installed the following (the JAVA_HOME option does not need to be checked, and it is unchecked by default):

OpenJDK11U-jre_x64_windows_hotspot_11.0.11_9.msi


C:\>C:\dependency-check\bin\dependency-check.bat --v   
Dependency-Check Core version 6.2.2

C:\>

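Usage

Note that Dependency Check uses an online database, so an Internet connection is required.

dependency-check.bat --project "solution/project name" --scan "bin directory" --out "output file or output directory"

To scan a .NET solution, the .NET Core 3.1 SDK must also be installed
(installing only the .NET Core Runtime 3.1 is not enough; .NET 5.0 and .NET Framework 4.8 are separate things).

I scanned a WebForm WebApplication solution that uses .NET Framework 4.8,
on a Windows 10 virtual machine whose snapshot was restored before every test:
Experiment 1: .NET Framework 4.8 Runtime: failed
Experiment 2: .NET Framework 4.8 Dev Pack: failed
Experiment 3: .NET Core 3.1 Runtime: failed
Experiment 4: .NET Core 3.1 SDK: succeeded

Without the .NET Core 3.1 SDK installed, the output looks like this: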


C:\>C:\dependency-check\bin\dependency-check.bat --project "WebApplication1" --scan
   "C:\Code\WebApplication1\WebApplication1\bin" --out "C:\Temp"
[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Skipping RetireJS update since last update was within 24 hours.
[INFO] Check for updates complete (250 ms)
[INFO]

Dependency-Check is an open source tool performing a best effort analysis of 3rd party 
dependencies; false positives and false negatives may exist in the analysis performed by 
the tool. Use of the tool and the reporting provided constitutes acceptance for use in 
an AS IS condition, and there are NO warranties, implied or otherwise, with regard to 
the analysis or its use. Any use of the tool and the reporting provided is at the user’s 
risk. In no event shall the copyright holder or OWASP be held liable for any damages 
whatsoever arising out of or in connection with the use of this tool, the analysis 
performed, or the resulting report.


   About ODC: https://jeremylong.github.io/DependencyCheck/general/internals.html
   False Positives: https://jeremylong.github.io/DependencyCheck/general/suppression.html

? Sponsor: https://github.com/sponsors/jeremylong


[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[ERROR] ----------------------------------------------------
[ERROR] .NET Assembly Analyzer could not be initialized and at least one 'exe' or 'dll' was 
scanned. The 'dotnet' executable could not be found on the path; either disable the Assembly 
Analyzer or add the path to dotnet core in the configuration.
[ERROR] ----------------------------------------------------
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (2 seconds)
[INFO] Finished CPE Analyzer (3 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARN] Unable to determine Package-URL identifiers for 41 dependencies
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (3 seconds)
[INFO] Writing report to: C:\Temp\dependency-check-report.html

C:\>


A successful scan looks like this:

C:\>cd C:\dependency-check\bin

C:\dependency-check\bin>dependency-check.bat --project "WebApplication1" --scan
   "C:\WebApplication1\WebApplication1\bin" --out "C:\Temp"
[INFO] Checking for updates
[INFO] NVD CVE requires several updates; this could take a couple of minutes.
[INFO] Download Started for NVD CVE - 2003
[INFO] Download Started for NVD CVE - 2002
[INFO] Download Complete for NVD CVE - 2003  (1637 ms)
[INFO] Download Started for NVD CVE - 2004
[INFO] Processing Started for NVD CVE - 2003
[INFO] Download Complete for NVD CVE - 2002  (2234 ms)
[INFO] Download Started for NVD CVE - 2005
[INFO] Processing Started for NVD CVE - 2002
[INFO] Processing Complete for NVD CVE - 2003  (1673 ms)
[INFO] Processing Complete for NVD CVE - 2002  (3447 ms)
[INFO] Download Complete for NVD CVE - 2004  (5371 ms)
[INFO] Download Started for NVD CVE - 2006
[INFO] Processing Started for NVD CVE - 2004
[INFO] Processing Complete for NVD CVE - 2004  (2557 ms)
[INFO] Download Complete for NVD CVE - 2005  (13303 ms)
[INFO] Download Started for NVD CVE - 2007
[INFO] Processing Started for NVD CVE - 2005
[INFO] Download Complete for NVD CVE - 2006  (9562 ms)
[INFO] Download Started for NVD CVE - 2008
[INFO] Processing Started for NVD CVE - 2006
[INFO] Download Complete for NVD CVE - 2007  (2447 ms)
[INFO] Download Started for NVD CVE - 2009
[INFO] Processing Started for NVD CVE - 2007
[INFO] Processing Complete for NVD CVE - 2005  (5133 ms)
[INFO] Download Complete for NVD CVE - 2009  (3252 ms)
[INFO] Download Started for NVD CVE - 2010
[INFO] Processing Started for NVD CVE - 2009
[INFO] Download Complete for NVD CVE - 2008  (7546 ms)
[INFO] Download Started for NVD CVE - 2011
[INFO] Processing Started for NVD CVE - 2008
[INFO] Download Complete for NVD CVE - 2010  (2988 ms)
[INFO] Download Started for NVD CVE - 2012
[INFO] Processing Started for NVD CVE - 2010
[INFO] Processing Complete for NVD CVE - 2006  (9601 ms)
[INFO] Download Complete for NVD CVE - 2012  (2472 ms)
[INFO] Download Started for NVD CVE - 2013
[INFO] Processing Started for NVD CVE - 2012
[INFO] Download Complete for NVD CVE - 2011  (3095 ms)
[INFO] Download Started for NVD CVE - 2014
[INFO] Processing Started for NVD CVE - 2011
[INFO] Processing Complete for NVD CVE - 2007  (10145 ms)
[INFO] Download Complete for NVD CVE - 2013  (2599 ms)
[INFO] Download Started for NVD CVE - 2015
[INFO] Processing Started for NVD CVE - 2013
[INFO] Download Complete for NVD CVE - 2014  (2599 ms)
[INFO] Download Started for NVD CVE - 2016
[INFO] Processing Started for NVD CVE - 2014
[INFO] Download Complete for NVD CVE - 2015  (2683 ms)
[INFO] Processing Started for NVD CVE - 2015
[INFO] Download Started for NVD CVE - 2017
[INFO] Download Complete for NVD CVE - 2016  (3402 ms)
[INFO] Processing Started for NVD CVE - 2016
[INFO] Download Started for NVD CVE - 2018
[INFO] Download Complete for NVD CVE - 2017  (4516 ms)
[INFO] Processing Started for NVD CVE - 2017
[INFO] Download Started for NVD CVE - 2019
[INFO] Download Complete for NVD CVE - 2018  (4226 ms)
[INFO] Processing Started for NVD CVE - 2018
[INFO] Download Started for NVD CVE - 2020
[INFO] Download Complete for NVD CVE - 2019  (3122 ms)
[INFO] Processing Started for NVD CVE - 2019
[INFO] Download Started for NVD CVE - 2021
[INFO] Processing Complete for NVD CVE - 2009  (25004 ms)
[INFO] Download Complete for NVD CVE - 2020  (18381 ms)
[INFO] Processing Started for NVD CVE - 2020
[INFO] Processing Complete for NVD CVE - 2008  (33324 ms)
[INFO] Download Complete for NVD CVE - 2021  (19030 ms)
[INFO] Processing Started for NVD CVE - 2021
[INFO] Processing Complete for NVD CVE - 2010  (37242 ms)
[INFO] Processing Complete for NVD CVE - 2015  (41766 ms)
[INFO] Processing Complete for NVD CVE - 2011  (48061 ms)
[INFO] Processing Complete for NVD CVE - 2014  (46927 ms)
[INFO] Processing Complete for NVD CVE - 2016  (47451 ms)
[INFO] Processing Complete for NVD CVE - 2012  (54617 ms)
[INFO] Processing Complete for NVD CVE - 2021  (23563 ms)
[INFO] Processing Complete for NVD CVE - 2019  (45071 ms)
[INFO] Processing Complete for NVD CVE - 2018  (47689 ms)
[INFO] Processing Complete for NVD CVE - 2013  (55981 ms)
[INFO] Processing Complete for NVD CVE - 2017  (49491 ms)
[INFO] Processing Complete for NVD CVE - 2020  (32336 ms)
[INFO] Download Started for NVD CVE - Modified
[INFO] Download Complete for NVD CVE - Modified  (2267 ms)
[INFO] Processing Started for NVD CVE - Modified
[INFO] Processing Complete for NVD CVE - Modified  (1786 ms)
[INFO] Begin database maintenance
[INFO] Updated the CPE ecosystem on 117835 NVD records
[INFO] Removed the CPE ecosystem on 3827 NVD records
[INFO] End database maintenance (31425 ms)
[INFO] Begin database defrag
[INFO] End database defrag (4704 ms)
[INFO] Check for updates complete (147407 ms)
[INFO]

Dependency-Check is an open source tool performing a best effort analysis of 3rd party 
dependencies; false positives and false negatives may exist in the analysis performed 
by the tool. Use of the tool and the reporting provided constitutes acceptance for
 use in an AS IS condition, and there are NO warranties, implied or otherwise, with 
regard to the analysis or its use. Any use of the tool and the reporting provided is 
at the user’s risk. In no event shall the copyright holder or OWASP be held liable for
 any damages whatsoever arising out of or in connection with the use of this tool, 
the analysis performed, or the resulting report.


   About ODC: https://jeremylong.github.io/DependencyCheck/general/internals.html
   False Positives: https://jeremylong.github.io/DependencyCheck/general/suppression.html

? Sponsor: https://github.com/sponsors/jeremylong


[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Assembly Analyzer (1 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (1 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (4 seconds)
[INFO] Writing report to: C:\Temnp\dependency-check-report.html

C:\TEMP\dependency-check\bin>


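Scanning a Java project may likewise require installing the Java SDK. (I have not tested this.)

Also, the solution is clearly a .NET Framework 4.8 one, yet the .NET Core 3.1 SDK is still needed for the analysis and the .NET Framework 4.8 SDK (Dev Pack) is not, which makes the results a little suspect (to be investigated when time permits).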
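
The failed run above still ends with "Writing report to", so a job that only checks that the report file exists would accept a scan in which the .NET Assembly Analyzer never ran. The check below is an added example, not part of Dependency-Check or of the original post; the name Test-OdcLog and the choice of "Assembly" as the required analyzer are assumptions, and the sample lines are copied from the failed run above.

```powershell
function Test-OdcLog {
    param(
        [Parameter(Mandatory = $true)][AllowEmptyString()][string[]]$Line,
        # Assumption: for a folder of .NET DLLs the Assembly Analyzer must have finished.
        [string]$RequiredAnalyzer = 'Assembly'
    )

    $errors    = @()    # [ERROR] messages, wrapped continuation lines re-joined
    $warnings  = @()    # [WARN] messages
    $analyzers = @()    # names taken from "Finished <name> Analyzer (n seconds)"
    $report    = $null
    $pending   = $null  # [ERROR] message still being accumulated

    foreach ($l in $Line) {
        if ($l -match '^\[(INFO|WARN|ERROR)\]\s*(.*)$') {
            $level = $Matches[1]
            $text  = $Matches[2].Trim()
            if ($pending) { $errors += $pending; $pending = $null }

            if ($level -eq 'ERROR') {
                # The dashed rulers around the message carry no information.
                if ($text -notmatch '^-+$') { $pending = $text }
            }
            elseif ($level -eq 'WARN') { $warnings += $text }
            elseif ($text -match '^Finished (.+) Analyzer \(') { $analyzers += $Matches[1] }
            elseif ($text -match '^Writing report to: (.+)$')  { $report = $Matches[1] }
        }
        elseif ($pending) {
            if ($l.Trim()) { $pending += ' ' + $l.Trim() }    # wrapped message text
            else { $errors += $pending; $pending = $null }    # blank line ends the message
        }
    }
    if ($pending) { $errors += $pending }

    [pscustomobject]@{
        ReportPath   = $report
        Errors       = $errors
        Warnings     = $warnings
        AnalyzersRun = $analyzers
        Complete     = ($errors.Count -eq 0) -and ($analyzers -contains $RequiredAnalyzer)
    }
}

# Sample input: lines copied from the failed run shown above.
$failedRun = @'
[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[ERROR] ----------------------------------------------------
[ERROR] .NET Assembly Analyzer could not be initialized and at least one 'exe' or 'dll' was
scanned. The 'dotnet' executable could not be found on the path; either disable the Assembly
Analyzer or add the path to dotnet core in the configuration.
[ERROR] ----------------------------------------------------
[INFO] Finished CPE Analyzer (3 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARN] Unable to determine Package-URL identifiers for 41 dependencies
[INFO] Analysis Complete (3 seconds)
[INFO] Writing report to: C:\Temp\dependency-check-report.html
'@ -split '\r?\n'

$result = Test-OdcLog -Line $failedRun
$result | Format-List
if (-not $result.Complete) {
    Write-Warning "Report $($result.ReportPath) was written, but the scan is incomplete."
}
```

In a build job the same function can be fed the captured console output of dependency-check.bat, and the job failed when Complete is false.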

(End)

Related

[Research] OWASP Dependency Check 4.0.0 component dependency checking
http://shaurong.blogspot.com/2018/12/owasp-dependency-check-400.html

[Research][Gitea + Jenkins + Fortify SCA] This project references NuGet package(s) that are missing on this computer. Enable NuGet Package Restore

2021-08-10

Checking code in to the Git server (Gitea) triggers Jenkins to have Micro Focus Fortify SCA (Static Code Analyzer) perform a source code security scan, and an error occurred. The Jenkins console output is as follows:

********************************************************************************

由遠端主機 [0:0:0:0:0:0:0:1] 啟動

Running as SYSTEM

建置中 工作區 D:\Jenkins\workspace\MyWebApplicationJob

The recommended git tool is: NONE

using credential 6f061234-4d34-12fd-8d77-210523486289

Cloning the remote Git repository

Cloning repository http://192.168.128.100:3000/MyRepos/MyWebApplicationRepo.git

 > C:\Program Files\Git\cmd\git.exe init D:\Jenkins\workspace\MyWebApplicationJob # timeout=10

Fetching upstream changes from http://192.168.128.100:3000/MyRepos/MyWebApplicationRepo.git

 > C:\Program Files\Git\cmd\git.exe --version # timeout=10

 > git --version # 'git version 2.31.1.windows.1'

using GIT_ASKPASS to set credentials 

 > C:\Program Files\Git\cmd\git.exe fetch --tags --force --progress -- http://192.168.128.100:3000/MyRepos/MyWebApplicationRepo.git +refs/heads/*:refs/remotes/origin/* # timeout=10

 > C:\Program Files\Git\cmd\git.exe config remote.origin.url http://192.168.128.100:3000/MyRepos/MyWebApplicationRepo.git # timeout=10

 > C:\Program Files\Git\cmd\git.exe config --add remote.origin.fetch +refs/heads/*:refs/remotes/origin/* # timeout=10

Avoid second fetch

 > C:\Program Files\Git\cmd\git.exe rev-parse "refs/remotes/origin/master^{commit}" # timeout=10

Checking out Revision c3d6b6ca3baebf2b48c1888cb056d9395746aeff (refs/remotes/origin/master)

 > C:\Program Files\Git\cmd\git.exe config core.sparsecheckout # timeout=10

 > C:\Program Files\Git\cmd\git.exe checkout -f c3d6b6ca3baebf2b48c1888cb056d9395746aeff # timeout=10

Commit message: "test"

First time build. Skipping changelog.

No emails were triggered.

[MyWebApplicationJob] $ cmd /c call C:\Users\ADMINI~1\AppData\Local\Temp\jenkins323591801080432531.bat


D:\Jenkins\workspace\MyWebApplicationJob>D:\BuildTool\nuget.exe restore .\MyWebApplication\MyWebApplication.sln 

MSBuild auto-detection: using msbuild version '16.10.2.30804' from 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\MSBuild\Current\Bin'.

Restoring NuGet package ckeditor-full.4.16.1.

Restoring NuGet package MailKit.2.14.0.

Restoring NuGet package elmah.corelibrary.1.2.2.

Restoring NuGet package jQuery.3.6.0.

Restoring NuGet package Antlr.3.5.0.2.

Restoring NuGet package jQuery.UI.Combined.1.12.1.

Restoring NuGet package EntityFramework.6.4.4.

Restoring NuGet package elmah.1.2.2.

Adding package 'Antlr.3.5.0.2' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Adding package 'ckeditor-full.4.16.1' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Adding package 'elmah.1.2.2' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Adding package 'jQuery.UI.Combined.1.12.1' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Adding package 'jQuery.3.6.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Adding package 'elmah.corelibrary.1.2.2' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Adding package 'MailKit.2.14.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Adding package 'EntityFramework.6.4.4' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Added package 'elmah.corelibrary.1.2.2' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Added package 'elmah.1.2.2' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Restoring NuGet package Microsoft.AspNet.Identity.EntityFramework.2.2.3.

Restoring NuGet package Microsoft.AspNet.Identity.Core.2.2.3.

Added package 'Antlr.3.5.0.2' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Restoring NuGet package Microsoft.AspNet.Identity.EntityFramework.zh-Hant.2.2.3.

Adding package 'Microsoft.AspNet.Identity.Core.2.2.3' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Adding package 'Microsoft.AspNet.Identity.EntityFramework.2.2.3' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Adding package 'Microsoft.AspNet.Identity.EntityFramework.zh-Hant.2.2.3' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Added package 'Microsoft.AspNet.Identity.EntityFramework.2.2.3' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Restoring NuGet package Microsoft.AspNet.Identity.Owin.2.2.3.

Added package 'Microsoft.AspNet.Identity.EntityFramework.zh-Hant.2.2.3' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Restoring NuGet package Microsoft.AspNet.Web.Optimization.1.1.3.

Adding package 'Microsoft.AspNet.Identity.Owin.2.2.3' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Added package 'Microsoft.AspNet.Identity.Core.2.2.3' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Restoring NuGet package Microsoft.Owin.4.2.0.

Added package 'jQuery.UI.Combined.1.12.1' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Restoring NuGet package Microsoft.Owin.Host.SystemWeb.4.2.0.

Adding package 'Microsoft.AspNet.Web.Optimization.1.1.3' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Added package 'Microsoft.AspNet.Identity.Owin.2.2.3' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Restoring NuGet package Microsoft.Owin.Security.4.2.0.

Added package 'jQuery.3.6.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Restoring NuGet package Microsoft.Owin.Security.Cookies.4.2.0.

Adding package 'Microsoft.Owin.4.2.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Adding package 'Microsoft.Owin.Host.SystemWeb.4.2.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Added package 'Microsoft.AspNet.Web.Optimization.1.1.3' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Restoring NuGet package Microsoft.Owin.Security.OAuth.4.2.0.

Adding package 'Microsoft.Owin.Security.Cookies.4.2.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Adding package 'Microsoft.Owin.Security.4.2.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Adding package 'Microsoft.Owin.Security.OAuth.4.2.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Added package 'Microsoft.Owin.Security.Cookies.4.2.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Restoring NuGet package Microsoft.Web.Infrastructure.1.0.0.

Added package 'Microsoft.Owin.4.2.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Restoring NuGet package MimeKit.2.14.0.

Adding package 'MimeKit.2.14.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Added package 'Microsoft.Owin.Host.SystemWeb.4.2.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Restoring NuGet package Newtonsoft.Json.13.0.1.

Adding package 'Microsoft.Web.Infrastructure.1.0.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Added package 'Microsoft.Owin.Security.4.2.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Restoring NuGet package Owin.1.0.0.

Adding package 'Newtonsoft.Json.13.0.1' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Adding package 'Owin.1.0.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Added package 'Microsoft.Web.Infrastructure.1.0.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Restoring NuGet package Portable.BouncyCastle.1.8.10.

Added package 'Owin.1.0.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Restoring NuGet package System.Buffers.4.5.1.

Adding package 'System.Buffers.4.5.1' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Adding package 'Portable.BouncyCastle.1.8.10' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Added package 'Microsoft.Owin.Security.OAuth.4.2.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Restoring NuGet package WebGrease.1.6.0.

Adding package 'WebGrease.1.6.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Added package 'System.Buffers.4.5.1' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Added package 'MimeKit.2.14.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Added package 'WebGrease.1.6.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Added package 'Portable.BouncyCastle.1.8.10' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Added package 'ckeditor-full.4.16.1' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Added package 'Newtonsoft.Json.13.0.1' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Added package 'MailKit.2.14.0' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'

Added package 'EntityFramework.6.4.4' to folder 'D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages'


NuGet Config files used:

    C:\Users\Administrator\AppData\Roaming\NuGet\NuGet.Config

    C:\Program Files (x86)\NuGet\Config\Microsoft.VisualStudio.Offline.config


Feeds used:

    C:\Users\Administrator\.nuget\packages\

    https://api.nuget.org/v3/index.json

    C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\


Installed:

    25 package(s) to packages.config projects


D:\Jenkins\workspace\MyWebApplicationJob>exit 0 

Path To MSBuild.exe: C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\MSBuild\Current\Bin\amd64\msbuild.exe

Executing the command cmd.exe /C " "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\MSBuild\Current\Bin\amd64\msbuild.exe" .\MyWebApplication\MyWebApplication.sln " && exit %%ERRORLEVEL%% from D:\Jenkins\workspace\MyWebApplicationJob

[MyWebApplicationJob] $ cmd.exe /C " "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\MSBuild\Current\Bin\amd64\msbuild.exe" .\MyWebApplication\MyWebApplication.sln " && exit %%ERRORLEVEL%%

Microsoft (R) Build Engine for .NET Framework 16.10.2+857e5a733 版

Copyright (C) Microsoft Corporation. 著作權所有,並保留一切權利。


在此解決方案中一次建置一個專案。若要啟用平行建置,請新增 "-m" 參數。

已經開始建置於 2021/8/10 下午 9:07:12。

節點 1 (預設目標) 上的專案 "D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\MyWebApplication.sln"。

ValidateSolutionConfiguration:

  建置方案組態 "Debug|Any CPU"。

專案 "D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\MyWebApplication.sln" (1) 正在節點 1 (預設目標) 上建置 "D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\MyWebApplication\MyWebApplication.csproj" (2)。

D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\MyWebApplication\MyWebApplication.csproj(1163,5): error : 此專案參考這部電腦上所缺少的 NuGet 套件。請啟用 NuGet 套件還原,以下載該套件。如需詳細資訊,請參閱 http://go.microsoft.com/fwlink/?LinkID=322105缺少的檔案是 ..\packages\Microsoft.CodeDom.Providers.DotNetCompilerPlatform.2.0.1\build\net46\Microsoft.CodeDom.Providers.DotNetCompilerPlatform.props。

_CleanRecordFileWrites:

  正在建立目錄 "obj\Debug\"。

專案 "D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\MyWebApplication\MyWebApplication.csproj" (預設目標) 建置完成 -- 失敗。

專案 "D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\MyWebApplication.sln" (預設目標) 建置完成 -- 失敗。


建置失敗。


"D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\MyWebApplication.sln" (預設目標) (1) ->

"D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\MyWebApplication\MyWebApplication.csproj" (預設目標) (2) ->

(EnsureNuGetPackageBuildImports 目標) -> 

  D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\MyWebApplication\MyWebApplication.csproj(1163,5): error : 此專案參考這部電腦上所缺少的 NuGet 套件。請啟用 NuGet 套件還原,以下載該套件。如需詳細資訊,請參閱 http://go.microsoft.com/fwlink/?LinkID=322105。缺少的檔案是 ..\packages\Microsoft.CodeDom.Providers.DotNetCompilerPlatform.2.0.1\build\net46\Microsoft.CodeDom.Providers.DotNetCompilerPlatform.props。


    0 個警告

    1 個錯誤


經過時間 00:00:00.84

Build step 'Build a Visual Studio project or solution using MSBuild' marked build as failure

Sending e-mails to: (略)@(略).(略).tw

No emails were triggered.

Finished: FAILURE

********************************************************************************

Solution:

Troubleshooting package restore errors
http://go.microsoft.com/fwlink/?LinkID=322105
https://docs.microsoft.com/zh-tw/nuget/Consume-Packages/Package-restore-troubleshooting

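Setting the reference above aside for now and looking directly at the packages.config of the MyWebApplication solution: it does not contain Microsoft.CodeDom.Providers.DotNetCompilerPlatform, and NuGet offers versions up to 3.6.0.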

NuGet Gallery | Microsoft.CodeDom.Providers.DotNetCompilerPlatform 3.6.0
https://www.nuget.org/packages/Microsoft.CodeDom.Providers.DotNetCompilerPlatform/

就安裝 3.6.0 吧,再簽入一次,結果還是說缺 Microsoft.CodeDom.Providers.DotNetCompilerPlatform 2.0.1 版,拿 Visual Studio 2019 隨便新建一個 WebFrom WebApplication 方案,把 packages 目錄下的 Microsoft.CodeDom.Providers.DotNetCompilerPlatform.2.0.1 整個複製到 Gitea + Jenkins + Fortify SCA Server 上 D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages 目錄,手動執行 Jenkins 的「馬上建置」,結果說缺另一個套件。

其他幾個方案都沒有在喊缺套件,順利建置,這個特別搗蛋。

比對了一下,Jenkins 自動抓下的只有二十幾個套件,但未簽入的有六十幾個,乾脆把 MyWebApplication 方案的整個 packages 目錄內容,拷貝到 Server 上 D:\Jenkins\workspace\MyWebApplicationJob\MyWebApplication\packages 目錄中,手動執行 Jenkins 的「馬上建置」,這次順利跑完。

此文做個紀錄,解決方法僅供參考,不保證是最正確、最好的解決方法。

(完)
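In the log above, the .csproj points at a package folder that packages.config does not list, and package restore downloads only what packages.config declares. The check below is an added example, not part of the original post: it lists package folders a project file references but packages.config omits. The PackageReferenceCheck class and the embedded .csproj and packages.config fragments are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using System.Xml.Linq;

public static class PackageReferenceCheck
{
    // Matches ..\packages\<id>.<version>\ inside Import, HintPath and Error elements.
    static readonly Regex PackagePath = new Regex(
        @"\.\.\\packages\\(?<folder>[^\\'""<]+)\\", RegexOptions.IgnoreCase);

    // Returns package folders the .csproj points at that packages.config does not declare.
    // Restore only downloads declared packages, so these folders stay missing on the build server.
    public static List<string> UndeclaredFolders(string csprojXml, string packagesConfigXml)
    {
        var declared = new HashSet<string>(
            XDocument.Parse(packagesConfigXml).Descendants("package")
                .Select(p => (string)p.Attribute("id") + "." + (string)p.Attribute("version")),
            StringComparer.OrdinalIgnoreCase);

        return PackagePath.Matches(csprojXml).Cast<Match>()
            .Select(m => m.Groups["folder"].Value)
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .Where(folder => !declared.Contains(folder))
            .ToList();
    }

    public static void Main()
    {
        // Constructed sample input modelled on the error in the build log above.
        const string csproj = @"<Project>
  <Import Project=""..\packages\Microsoft.CodeDom.Providers.DotNetCompilerPlatform.2.0.1\build\net46\Microsoft.CodeDom.Providers.DotNetCompilerPlatform.props"" />
  <Reference Include=""Newtonsoft.Json"">
    <HintPath>..\packages\Newtonsoft.Json.13.0.1\lib\net45\Newtonsoft.Json.dll</HintPath>
  </Reference>
</Project>";
        const string packagesConfig = @"<packages>
  <package id=""Microsoft.CodeDom.Providers.DotNetCompilerPlatform"" version=""3.6.0"" targetFramework=""net48"" />
  <package id=""Newtonsoft.Json"" version=""13.0.1"" targetFramework=""net48"" />
</packages>";

        foreach (var folder in UndeclaredFolders(csproj, packagesConfig))
            Console.WriteLine("referenced but not in packages.config: " + folder);
    }
}
```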

Related

[Research] Dependency-Track (DT) settings in a Jenkins job configuration
https://shaurong.blogspot.com/2022/09/jenkinsjobdependency-trackdt.html

[Research] Git push, Jenkins automatic build, and publishing an ASP.NET WebForms solution/project to the target site's root directory
https://shaurong.blogspot.com/2022/09/gitjenkins-aspnet-webforms.html

[Research][ASP.NET] MSBuild 17.3.1 syntax and parameter reference
https://shaurong.blogspot.com/2022/09/aspnetmsbuild-1731.html

[Research][BAT] Copying Fortify SCA reports from Jenkins
https://shaurong.blogspot.com/2022/03/batjenkins-fortify-sca.html

[Research] Jenkins cannot find the .NET SDK 'Microsoft.NET.Sdk.Web'
https://shaurong.blogspot.com/2022/02/jenkins-net-sdk-microsoftnetsdkweb.html

[Research] Jenkins: error MSB4100, the condition must evaluate to a boolean
https://shaurong.blogspot.com/2022/02/jenkins-error-msb4100.html

[Research] Jenkins + Fortify SCA: MSBuild directory change after upgrading Visual Studio 2019 to 2022
https://shaurong.blogspot.com/2022/01/jenkins-fortify-sca-visual-studio-2019.html

[Research] Leftover files apparently produced by Fortify SCA or Jenkins
https://shaurong.blogspot.com/2021/11/fortify-sca-jenkins.html

[Research][Gitea + Jenkins + Fortify SCA] This project references NuGet packages that are missing on this computer. Enable NuGet Package Restore
https://shaurong.blogspot.com/2021/08/gitea-jenkins-fortify-sca-nuget-nuget.html

[Research] Installing OWASP Dependency-Track 4.2.2 third-party component security management (Ubuntu 20.04.2 LTS x64)
https://shaurong.blogspot.com/2021/07/owasp-dependency-track-422-ubuntu-20042.html

[Research] Installing Jenkins 2.289.2-1.1 stable (CentOS 8.4 x64)
https://shaurong.blogspot.com/2021/07/jenkins-22892-11-stable-centos-84-x64.html

[Research] Jenkins build failure
https://shaurong.blogspot.com/2021/04/jenkins.html

[Research] Migrating Jenkins 2.190.3 from an old host to a new host (Win2019)
https://shaurong.blogspot.com/2019/12/jenkins-21903-win2019.html

[Research] Installing Jenkins 2.121.1 LTS + JDK 8 + Maven 3.5.3 (Windows 2016)
https://shaurong.blogspot.com/2018/06/jenkins-21211-lts-jdk-maven-windows-2016.html

[Research] Installing Jenkins 2.121.1 LTS + JDK (Windows 2016)
https://shaurong.blogspot.com/2018/06/jenkins-21211-lts-jdk-windows-2016.html

[Research] Installing Jenkins 2.128 Weekly (Windows 2016)
https://shaurong.blogspot.com/2018/06/jekins-2128-weekly-windows-2016.html

[Research] Installing Jenkins 2.121.1 LTS (Windows 2016)
https://shaurong.blogspot.com/2018/06/jekins-21211-lts-windows-2016.html

[Research] Installing Jenkins 2.68.1-1 (CentOS 7.3 x64)
https://shaurong.blogspot.com/2017/07/jenkins-2681-1-centos-73-x64.html

[Research] Installing Jenkins 1.635 (CentOS 7.1 x64)
https://shaurong.blogspot.com/2015/10/jenkins-1635-centos-71-x64.html

[Research] Installing Jenkins 1.635 (Windows 2012 R2)
https://shaurong.blogspot.com/2015/10/jenkins-1635-windows-2012-r2.html


[Research] Stopping XCOPY from asking 「是否指定目標檔案 名稱或目標目錄名稱 (F = 檔案,D = 目錄)?」 (whether the target is a file name or a directory name, F = file, D = directory)

2021-08-11


C:\>XCOPY S:\Temp\ABC.txt  C:\Temp\ABC.txt  /Y   
C:\Temp\ABC.txt 是否指定目標檔案
名稱或目標目錄名稱
(F = 檔案,D = 目錄)

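Because a .BAT file has to copy many files from different directories, I do not want to be prompted. Prefixing the command with echo F | answers the question (the pipe sends the value F to the command that follows).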


C:\> echo F  |  XCOPY S:\Temp\ABC.txt  C:\Temp\ABC.txt  /Y   
C:\Temp\ABC.txt 是否指定目標檔案
名稱或目標目錄名稱
(F = 檔案,D = 目錄)? F
S:\Temp\ABC.txt
已複製 1 個檔案

(End)

Tuesday, August 10, 2021

[Research] Fortify SCA Open Redirect problem (4): solving it with ASP.NET + JavaScript

2021-08-10

[Research] Fortify SCA Open Redirect problem (1): redirecting with Response.Redirect() and Server.Transfer()
https://shaurong.blogspot.com/2021/07/aspnetfortify-sca-open-redirect.html

[Research] Fortify SCA Open Redirect problem (2): ckeditor's tmpFrameset.html
https://shaurong.blogspot.com/2021/07/aspnetfortify-scatmpframesethtmlopen.html

[Research] Fortify SCA Open Redirect problem (3): "back to previous page" button, "return" button
https://shaurong.blogspot.com/2021/08/aspnet-fortify-scaopen-redirect.html

[Research] Fortify SCA Open Redirect problem (4): solving it with ASP.NET + JavaScript
http://shaurong.blogspot.com/2021/08/forify-sca-open-redirect-aspnet.html

It occurred to me to check whether redirecting through ASP.NET + JavaScript works without the Micro Focus Fortify SCA (Static Code Analyzer) source code scan reporting an Open Redirect problem. I ran a few tests.


protected void Button4_Click(object sender, EventArgs e)
{
    // similar behavior as an HTTP redirect
    // Passes the Fortify SCA Open Redirect check
    Response.Write("<script language=javascript>window.location.replace('http://www.hinet.net');</script>");
}

protected void Button5_Click(object sender, EventArgs e)
{
    // similar behavior as clicking on a link
    // Passes the Fortify SCA Open Redirect check
    Response.Write("<script language=javascript>window.location.href = 'http://www.hinet.net';</script>");
}

protected void Button6_Click(object sender, EventArgs e)
{
    // similar behavior as an HTTP redirect
    // Manually changing the URL to http://localhost:1669/Default2.aspx?reurl=www.hinet.net : test failed,
    //     the URL becomes http://localhost:1669/www.hinet.net
    // Manually changing the URL to http://localhost:1669/Default2.aspx?reurl=http://www.hinet.net : test succeeded
    // Passes the Fortify SCA Open Redirect check
    string reUrl = Request.QueryString["reUrl"].ToString();
    Response.Write("<script language=javascript>window.location.replace('" + reUrl + "');</script>");
}

protected void Button7_Click(object sender, EventArgs e)
{
    // similar behavior as clicking on a link
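    // Manually changing the URL to http://localhost:1669/Default2.aspx?reurl=www.hinet.net : test failed,
    //     the URL stays the same and the page does not navigate away
    // Manually changing the URL to http://localhost:1669/Default2.aspx?reurl=http://www.hinet.net : test failed,
    //     the URL becomes http://localhost:1669/Default2.aspx?reurl=http%3a%2f%2fwww.hinet.net and the page does not navigate away
    // Passes the Fortify SCA Open Redirect check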
    string reUrl = Request.QueryString["reUrl"].ToString();
    Response.Write("<script language=javascript>window.location.href = ''" + reUrl + "'';</script>");
}

protected void Button8_Click(object sender, EventArgs e)
{
    // similar behavior as clicking on a link
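    // Manually changing the URL to http://localhost:1669/Default2.aspx?reurl=www.hinet.net : test failed,
    //     the URL stays the same and the page does not navigate away
    // Manually changing the URL to http://localhost:1669/Default2.aspx?reurl=http://www.hinet.net : test succeeded
    // Fortify SCA reports an Open Redirect problem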
    string reUrl = Request.QueryString["reUrl"].ToString();
    Response.Redirect(reUrl);
}

Finally, a solution that does not use Server.Transfer() and where the redirect target is a variable parameter.

(It can even be an external URL.)

(End)
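In Button6_Click and Button7_Click the scan passes, but the reUrl value still reaches the browser unvalidated inside a script string. A validated variant of Button6_Click follows as an added example, not code from the original post: it accepts only http(s) URLs whose host is on an allowlist and encodes the value before writing it into the script. The SafeRedirect class, the RedirectDemo page, the ButtonSafe_Click handler and the allowlist contents are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;

namespace URLBugDemo
{
    // Hypothetical helper: validates a redirect target before it is written into a page.
    public static class SafeRedirect
    {
        // Assumption: the only external hosts this application may send users to.
        private static readonly HashSet<string> AllowedHosts =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "www.hinet.net" };

        // Returns the normalized absolute URL when reUrl is http(s) and its host is on
        // the allowlist; returns null otherwise (relative values, javascript:, other hosts).
        public static string Validate(string reUrl)
        {
            Uri target;
            if (string.IsNullOrWhiteSpace(reUrl) ||
                !Uri.TryCreate(reUrl, UriKind.Absolute, out target))
                return null;

            bool isWeb = target.Scheme == Uri.UriSchemeHttp || target.Scheme == Uri.UriSchemeHttps;
            return isWeb && AllowedHosts.Contains(target.Host) ? target.AbsoluteUri : null;
        }
    }

    // Hypothetical page; the handler mirrors Button6_Click with validation and encoding added.
    public class RedirectDemo : Page
    {
        protected void ButtonSafe_Click(object sender, EventArgs e)
        {
            string target = SafeRedirect.Validate(Request.QueryString["reUrl"]);
            if (target == null)
            {
                Response.Redirect("~/Default.aspx"); // fixed fallback, nothing user-controlled
                return;
            }
            // JavaScriptStringEncode escapes quotes and backslashes so the value
            // cannot break out of the JavaScript string literal.
            string script = "window.location.replace('" +
                            HttpUtility.JavaScriptStringEncode(target) + "');";
            ClientScript.RegisterStartupScript(GetType(), "redirect", script, true);
        }
    }
}
```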

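[Research] Fortify SCA Open Redirect problem (3): "back to previous page" button, "return" button

[Research][ASP.NET] Fortify SCA, back to previous page, Open Redirect test

2021-08-10
Updated 2022-06-29

Continues this post:

[Research][ASP.NET] Micro Focus Fortify Static Code Analyzer (SCA) reports an Open Redirect problem for Response.Redirect
http://shaurong.blogspot.com/2021/07/aspnetfortify-sca-open-redirect.html

Micro Focus Fortify SCA (Static Code Analyzer), a source code scanning tool, reports an Open Redirect problem for some redirects. This post tests several ways of implementing a "back to previous page" button ("return" button) to see whether they pass the Open Redirect check.

Environment: Visual Studio 2019 + WebForm + Web Application + C#

Default.aspx (below)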


<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="URLBugDemo.Default" %>

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
        <div>
            <asp:HyperLink ID="HyperLink1" NavigateUrl="Default2.aspx" runat="server">Default2.aspx</asp:HyperLink><br />
            或<br />
            <a href="Default2.aspx">Default2.aspx</a>
        </div>
    </form>
</body>
</html>

Default.aspx.cs


namespace URLBugDemo
{
    public partial class Default : System.Web.UI.Page
    {
        
    }
}

Default2.aspx


<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default2.aspx.cs" Inherits="URLBugDemo.Default2" %>

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
        <div>
            <input type="button" onclick="javascript:window.history.go(-1);"value="返回上一頁1" />
            <a href="#" onclick="javascript:history.back();">返回前一頁2</a>
            <asp:Button ID="Button1" runat="server" Text="返回上一頁3" OnClick="Button1_Click" />
            <asp:Button ID="Button2" runat="server" Text="返回上一頁4" OnClick="Button2_Click" />
            <asp:Button ID="Button3" runat="server" Text="返回上一頁5" OnClick="Button3_Click" />
        </div>
    </form>
</body>
</html>

Default2.aspx.cs


using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.Security.AntiXss;

namespace URLBugDemo
{
    public partial class Default2 : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            if (!IsPostBack)
            {
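                // Unless you are 100% sure this page is always reached from another page,
                // check whether Request.UrlReferrer is null;
                // otherwise you get "Object reference not set to an instance of an object."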
                if (Request.UrlReferrer != null)
                    ViewState["UrlReferrer"] = Request.UrlReferrer.ToString();
            }
        }

        protected void Button1_Click(object sender, EventArgs e)
        {
            // You will see the old, cached page
            // Tested OK; Fortify SCA does not report Open Redirect
            // Even if the user did not arrive from another page, clicking the button causes no error
            Response.Write("<script language=javascript>history.go(-2);</script>");
        }

        protected void Button2_Click(object sender, EventArgs e)
        {
            if (ViewState["UrlReferrer"] != null)
                // In actual testing, Fortify SCA reports Open Redirect for the line below
                Response.Redirect(ViewState["UrlReferrer"].ToString());
            else
                Response.Write("對不起,當前是最前頁");
        }

        protected void Button3_Click(object sender, EventArgs e)
        {
            // The URL is hard-coded; Fortify SCA does not report Open Redirect
            // Even if the user did not arrive from another page, clicking the button causes no error
            Response.Redirect("~/Default.aspx");
        }
    }
}

********************************************************************************

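2022-06-29 addendum

Response.Write("<script language=javascript>history.go(-2);</script>");

The page you return to is the cached one. If you add a record on the current page and go back this way, the GridView is not re-bound automatically, so you see the page as it was before the record was added.

(End)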
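Button2_Click redirects to whatever the client sent in the Referer header. A validated variant follows as an added example, not part of the original post: it stores the referrer only when it has the same scheme, host and port as the current request, and otherwise falls back to the fixed page used by Button3_Click. The BackDemo page, IsSameSite and ButtonBack_Click are assumed names.

```csharp
using System;
using System.Web.UI;

namespace URLBugDemo
{
    // Hypothetical page showing a validated form of Button2_Click.
    public class BackDemo : Page
    {
        // True only when referrer has the same scheme, host and port as the current request.
        public static bool IsSameSite(Uri referrer, Uri current)
        {
            return referrer != null && current != null
                && referrer.IsAbsoluteUri && current.IsAbsoluteUri
                && Uri.Compare(referrer, current, UriComponents.SchemeAndServer,
                               UriFormat.Unescaped, StringComparison.OrdinalIgnoreCase) == 0;
        }

        protected void Page_Load(object sender, EventArgs e)
        {
            // The Referer header is client-supplied: keep it only when it points back into this site.
            // The full absolute URL is stored so that a path beginning with "//" cannot be
            // reinterpreted by the browser as a different host.
            if (!IsPostBack && IsSameSite(Request.UrlReferrer, Request.Url))
                ViewState["UrlReferrer"] = Request.UrlReferrer.AbsoluteUri;
        }

        protected void ButtonBack_Click(object sender, EventArgs e)
        {
            // Fall back to the fixed page when no same-site referrer was stored.
            string back = ViewState["UrlReferrer"] as string;
            Response.Redirect(back ?? "~/Default.aspx");
        }
    }
}
```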

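Saturday, August 7, 2021

[Research] Fixing MSBuild or Visual Studio not working in the Fortify SCA Scan Wizard

[Research] Fixing MSBuild or Visual Studio not working in the Fortify SCA Scan Wizard - 'MSBuild' is not recognized as an internal or external command, operable program or batch file.

2021-08-07

If MSBuild is selected (the two options cannot both be selected):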


D:\CODE\WebApplication2>FortifyWebApplication2Build.bat
Extracting Arguments File
Cleaning previous scan artifacts
Running Build Integration
'MSBuild' 不是內部或外部命令、可執行的程式或批次檔。
Testing Difference between Translations
[error]: Unable to load build session with ID "WebApplication2". See log file for more details.
It appears to be the first time running this script, setting "FortifyWebApplication2Build.bat.fileno" to 0
Starting scan
[error]: Unable to load build session with ID "WebApplication2". See log file for more details.
sourceanalyzer failed, exiting
D:\CODE\WebApplication2>

If Visual Studio is selected (the two options cannot both be selected):


D:\CODE\WebApplication2>FortifyWebApplication2VS.bat
Extracting Arguments File
Cleaning previous scan artifacts
Running Build Integration
'MSBuild' 不是內部或外部命令、可執行的程式或批次檔。
Testing Difference between Translations
[error]: Unable to load build session with ID "WebApplication2". See log file for more details.
It appears to be the first time running this script, setting "FortifyWebApplication2VS.bat.fileno" to 0
Starting scan
[error]: Unable to load build session with ID "WebApplication2". See log file for more details.
sourceanalyzer failed, exiting
D:\CODE\WebApplication2>

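Both .NET Framework and Visual Studio ship MSBuild.exe, but by default it cannot be run from the command line because the PATH environment variable does not include its directory.

Search for the directory that contains MSBuild.exe.

Everything (a fast file search tool)

Pick a recent x86 or x64 build and add its path to the PATH environment variable.
(If x86 fails, switch to x64; if x64 fails, switch to x86. The result may depend on your program.)
(On x64 Windows, try x64 first.)

I once picked the one under the .NET x64 directory and it did not work; the one under the Visual Studio directory worked.

After editing, remember to click "OK" all the way out so that the setting takes effect.

Also, any Command Prompt window opened before the change does not pick it up; open a new Command Prompt window.

MSBuild.exe can now be run: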

C:\>msbuild -ver
Microsoft (R) Build Engine for .NET Framework 17.2.1+52cd2da31 版
Copyright (C) Microsoft Corporation. 著作權所有,並保留一切權利。

17.2.1.25201
C:\>

Start the scan:

D:\CODE\WebApplication2>FortifyWebApplication2Build.bat

Extracting Arguments File

Cleaning previous scan artifacts

Running Build Integration

C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\MSBuild\Current\Bin\MSBuild.exe /fileLogger /nologo /binaryLogger:LogFile=C:\Users\Administrator\AppData\Local\Fortify\sca21.1\build\WebApplication2\scratch\MSBuildPlugin\logs\MSBuildIntegration.binlog;ProjectImports=ZipFile /consoleloggerparameters:Summary /fileloggerparameters:LogFile=C:\Users\Administrator\AppData\Local\Fortify\sca21.1\build\WebApplication2\scratch\MSBuildPlugin\logs\MSBuildIntegration.log;Verbosity=minimal;Encoding=UTF-8 /maxcpucount:1 /p:CustomAfterMicrosoftCommonTargets=C:\Program Files\Fortify\Fortify_SCA_and_Apps_21.1.2\Core/private-bin/sca/msbuildplugin/Fortify.targets /p:Configuration=Debug /p:Platform=Any CPU /target:rebuild /verbosity:quiet D:\CODE\WebApplication2\WebApplication2.sln
... (omitted)

It worked.

(End)