# Issues Resolved in this Release

## New Feature

| Issue | Summary | Description | Status |
|-------|---------|-------------|--------|
| [MIT-3304](https://zuarkb.atlassian.net/browse/MIT-3304/browse/MIT-3304) | Add ssl trust option for supervisor | Addition of support for the Runner to use Self-Signed SSL Certificates, and have those trusted within the Supervisor Service. | Done |

## Improvement

| Issue | Summary | Description | Status |
|-------|---------|-------------|--------|
| [MIT-3306](https://zuarkb.atlassian.net/browse/MIT-3306/browse/MIT-3306) | JSONL inputter add support for relative path | The JSONL inputter for "JSON Lines" was unable to use RegEx for source file selection. This has been implemented, bringing RegEx input file selection for JSONL files to parity with the other flat file inputters. | In Testing |
| [MIT-3296](https://zuarkb.atlassian.net/browse/MIT-3296/browse/MIT-3296) | Internal IP Address - HTTP Headers | Private IP addresses were being presented in the HTTP response headers, exposing potentially sensitive details about the Runner installation. This is now resolved. | Done |
| [MIT-3295](https://zuarkb.atlassian.net/browse/MIT-3295/browse/MIT-3295) | Missing HTTP Header - Strict-Transport-Security | Strict Transport Security has been implemented in the HTTP headers. This will ensure that the HTTPS scheme will always be used for Runner UI sessions. | Done |
| [MIT-3294](https://zuarkb.atlassian.net/browse/MIT-3294/browse/MIT-3294) | JWT - Excessive Token Lifetime | The JSON Web Token (JWT) used to control authenticated session expiration is now limited to 8 hours, working to prevent session compromise and replay. | Done |
| [MIT-3293](https://zuarkb.atlassian.net/browse/MIT-3293/browse/MIT-3293) | Cross-Site Scripting - Reflected | A cross-site scripting vulnerability was identified, potentially risking the execution of arbitrary code. This has been resolved. | Done |
| [MIT-3292](https://zuarkb.atlassian.net/browse/MIT-3292/browse/MIT-3292) | Missing Cookie Flag - HTTPOnly | A cross-site scripting vulnerability was identified, potentially allowing a cookie exploit to compromise a user session. This is now resolved. | Done |
| [MIT-3291](https://zuarkb.atlassian.net/browse/MIT-3291/browse/MIT-3291) | file manager directory traversal | The Runner File Manager was permitting user input to act on filesystem objects outside of the `/var/mitto/data` area of the Runner instance, potentially exposing access to system and application files. This is now resolved. | Done |
| [MIT-3289](https://zuarkb.atlassian.net/browse/MIT-3289/browse/MIT-3289) | Improve cache control | Cached data is restricted with the `no-store` HTTP flag, preventing compromise of sensitive data via the browser cache. This also limits how intermediary elements, such as proxies and CDNs, will handle the data after the user session. | Done |
| [MIT-3288](https://zuarkb.atlassian.net/browse/MIT-3288/browse/MIT-3288) | database credentials are present in server response | In some UI operations, in particular some of the v2 wizards, the server response included clear text database credentials. These were not user visible, but could be viewed using browser debugging tools. This is corrected. | Done |
| [MIT-3287](https://zuarkb.atlassian.net/browse/MIT-3287/browse/MIT-3287) | Missing HTTP Header - Content-Security-Policy | The Content Security Policy header has been implemented, working to mitigate cross-site scripting vulnerabilities and to prevent injection of arbitrary code. | Done |
| [MIT-3286](https://zuarkb.atlassian.net/browse/MIT-3286/browse/MIT-3286) | Misconfigured HTTP Header - X-Frame-Options | An HTTP header was misconfigured, exposing a possible cross-site scripting vulnerability. This is resolved by forcing the `SAMEORIGIN` option. | Done |
| [MIT-3284](https://zuarkb.atlassian.net/browse/MIT-3284/browse/MIT-3284) | File Manager Search: display paginated results in the page | Initially, the Runner File Manager Search results were displayed in a pop-up list frame. The Search results are now directed to the main frame of the UI, permitting user interaction with the results. In cases where a large number of results are displayed, the file list can be navigated over multiple pages. | Done |
| [MIT-3274](https://zuarkb.atlassian.net/browse/MIT-3274/browse/MIT-3274) | File manager slow with many files | File and directory display is optimized to improve page navigation responsiveness when there is a large number of files on the `/var/mitto/data` filesystem. | Done |
| [MIT-3270](https://zuarkb.atlassian.net/browse/MIT-3270/browse/MIT-3270) | display reason that upgrade is available | When there is a Runner software update available, the user can view the "reason" for the upgrade by clicking the "You have new software update available to download" message. The update message will show which Runner, Docker or Connector is being updated with a new release. | Done |
| [MIT-2611](https://zuarkb.atlassian.net/browse/MIT-2611/browse/MIT-2611) | add ability to output to xls and xlsx files | Runner is now enabled to use XLS and XLSX files as output destinations within IO jobs. The user may optionally use variables within the filenames. To use this, the `output` directive will reference the `path` for the destination file (example: `path: /var/mitto/data/output_xlsx_{year} | Done |

## Bug

| Issue | Summary | Description | Status |
|-------|---------|-------------|--------|
| [MIT-3332](https://zuarkb.atlassian.net/browse/MIT-3332/browse/MIT-3332) | supervisor service: breaking changes in `docker compose ps --format json` output (from compose 2.21) | Docker Compose output format was adjusted to resolve a breaking change in the container build process. | Done |
| [MIT-3330](https://zuarkb.atlassian.net/browse/MIT-3330/browse/MIT-3330) | Two licenses for one plugin | Licensing configuration for a Runner's connector can produce two license keys, one for `Product Version` and another for `Base Product Version`. This resolution will select the more recent of the available versions. | Done |
| [MIT-3277](https://zuarkb.atlassian.net/browse/MIT-3277/browse/MIT-3277) | Error after click on tag from job details row | An error occurred when the user filtered the Job list by clicking a tag from the `Tags` column header, then selected a different tag from the drop-down filter selector menu. This is now resolved. | Done |
| [MIT-3273](https://zuarkb.atlassian.net/browse/MIT-3273/browse/MIT-3273) | File Manager 'expand' arrow icon visible when no subdirectories are present | The File Manager tree view showed the `expand contents` arrow icon when no subdirectories were present. This was confusing behavior; the arrow is no longer displayed on a folder that contains no subdirectories. | Done |
| [MIT-3260](https://zuarkb.atlassian.net/browse/MIT-3260/browse/MIT-3260) | Updated sass module fails image build | An updated version of the JavaScript SASS module was failing the build process. This is now pinned to the working version. | Done |
| [MIT-3255](https://zuarkb.atlassian.net/browse/MIT-3255/browse/MIT-3255) | Files - directory/folder drag & drop copies contents without parent directory | When uploading a directory and its files to the File Manager, the upload used the file names only, resulting in all files being stored in the base of the directory (not honoring the original directory structure). This is resolved by uploading with the context of both directory and file names. | Done |
| [MIT-3252](https://zuarkb.atlassian.net/browse/MIT-3252/browse/MIT-3252) | Files - Looping when opening folders | The File Manager UI could get into a state of repeated looping of new folder structures being displayed. This was a UI defect, not reflecting actual directory structures being applied to the filesystem storage. | Done |
| [MIT-3236](https://zuarkb.atlassian.net/browse/MIT-3236/browse/MIT-3236) | UI - Show spinner before initial request | A visual progress indicator is added to the initial login page, to avoid the user thinking that Runner is not responding or is in a hung state. | Done |
| [MIT-3177](https://zuarkb.atlassian.net/browse/MIT-3177/browse/MIT-3177) | artifacts in IMAP job credentials pulldown | In the IMAP wizard credentials page, when there are no existing credentials, the pull-down renders with an odd visual artifact. This is resolved. | Done |
| [MIT-1644](https://zuarkb.atlassian.net/browse/MIT-1644/browse/MIT-1644) | add "path" or equivalent to RegEx plugin input to allow for RegEx on files in subdirectories of /var/mitto/data | The RegEx inputter for source file selection is updated to include subdirectories within the `/var/mitto/data` filesystem. | Done |