Release Notes: Mitto Version 3.4.2

Breaking Changes

None

Issues Resolved in this Release

New Feature

| Issue | Summary | Description | Status |
|---|---|---|---|
| MIT-3304 | Add ssl trust option for supervisor | Addition of support for the Runner to use Self-Signed SSL Certificates, and have those trusted within the Supervisor Service. | Done |

Improvement

| Issue | Summary | Description | Status |
|---|---|---|---|
| MIT-3306 | JSONL inputter add support for relative path | The JSONL inputter for “JSON Lines” was unable to use RegEx for source file selection. This has been implemented, bringing RegEx input file selection for JSONL files to parity with the other flat file inputters. | In Testing |
| MIT-3296 | Internal IP Address - HTTP Headers | Private IP addresses were being presented in the HTTP response headers, exposing potentially sensitive details about the Runner installation. This is now resolved. | Done |
| MIT-3295 | Missing HTTP Header - Strict-Transport-Security | Strict Transport Security has been implemented in the HTTP headers. This will ensure that the HTTPS scheme will always be used for Runner UI sessions. | Done |
| MIT-3294 | JWT - Excessive Token Lifetime | The JSON Web Token (JWT) used to control authenticated session expiration is now limited to 8 hours, working to prevent session compromise and replay. | Done |
| MIT-3293 | Cross-Site Scripting - Reflected | A cross-site scripting vulnerability was identified, potentially risking the execution of arbitrary code. This has been resolved. | Done |
| MIT-3292 | Missing Cookie Flag - HTTPOnly | A cross-site scripting vulnerability was identified, potentially allowing a cookie exploit to compromise a user session. This is now resolved. | Done |
| MIT-3291 | file manager directory traversal | The Runner File Manager was permitting user input to act on filesystem objects outside of the /var/mitto/data area of the Runner instance, potentially exposing access to system and application files. This is now resolved. | Done |
| MIT-3289 | Improve cache control | Cached data is restricted with the no-store HTTP flag, preventing compromise of sensitive data via the browser cache. This also limits how intermediary elements, such as proxies and CDNs, will handle the data after the user session. | Done |
| MIT-3288 | database credentials are present in server response | For some UI operations, in particular some of the v2 wizards, the server response included clear-text database credentials. These were not user visible, but could be viewed using browser debugging tools. This is corrected. | Done |
| MIT-3287 | Missing HTTP Header - Content-Security-Policy | The Content Security Policy Header has been implemented, working to mitigate cross-site scripting vulnerabilities and to prevent injection of arbitrary code. | Done |
| MIT-3286 | Misconfigured HTTP Header - X-Frame-Options | An HTTP header was misconfigured, exposing a possible cross-site scripting vulnerability. This is resolved by forcing the SAMEORIGIN option. | Done |
| MIT-3284 | File Manager Search: display paginated results in the page | Initially, the Runner File Manager Search results were displayed in a pop-up list frame. The Search results are now directed to the main frame of the UI, permitting user interaction with the results. In cases where a large number of results are displayed, the file list can be navigated over multiple pages. | Done |
| MIT-3274 | File manager slow with many files | File and directory display is optimized to improve page navigation responsiveness when there is a large number of files on the /var/mitto/data filesystem. | Done |
| MIT-3270 | display reason that upgrade is available | When there is a Runner software update available, the user can view the “reason” for the upgrade by clicking the “You have new software update available to download” message. The update message will show which Runner, Docker or Connector is being updated with a new release. | Done |
| MIT-2611 | add ability to output to xls and xlsx files | Runner is now enabled to use XLS and XLSX files as output destinations within IO jobs. The user may optionally use variables within the filenames. To use this, the output directive will reference the path for the destination file (example: `path: /var/mitto/data/outputxlsx{year} | Done |
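
A post-upgrade check for the HTTP-level Improvement items above, as an added example that is not part of the Mitto release notes or Mitto code: it audits a response's headers (and optionally the session JWT) and returns the issue keys that still fail. The sample headers and token are constructed, and the JWT is assumed to carry `iat` and `exp` claims.

```python
import base64, ipaddress, json, re
MAX_JWT_LIFETIME = 8 * 3600  # seconds: the 8-hour limit stated for MIT-3294

def jwt_lifetime(token):
    """exp - iat from the payload (decoded only, signature NOT verified; claims assumed)."""
    payload = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims["exp"] - claims["iat"]

def audit(headers, jwt=None):
    """headers: list of (name, value). Returns the sorted issue keys that still fail."""
    h, failed = {}, set()
    for name, value in headers:
        h.setdefault(name.lower(), []).append(value)
    if "strict-transport-security" not in h:
        failed.add("MIT-3295")
    if "content-security-policy" not in h:
        failed.add("MIT-3287")
    if [v.strip().upper() for v in h.get("x-frame-options", [])] != ["SAMEORIGIN"]:
        failed.add("MIT-3286")
    if not any("no-store" in v.lower() for v in h.get("cache-control", [])):
        failed.add("MIT-3289")
    for cookie in h.get("set-cookie", []):
        if "httponly" not in [a.strip().lower() for a in cookie.split(";")[1:]]:
            failed.add("MIT-3292")
    for value in (v for vs in h.values() for v in vs):
        for cand in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", value):
            try:
                if ipaddress.ip_address(cand).is_private:
                    failed.add("MIT-3296")  # internal address leaked in a header
            except ValueError:
                pass  # dotted number that is not a valid IPv4 address
    if jwt is not None and jwt_lifetime(jwt) > MAX_JWT_LIFETIME:
        failed.add("MIT-3294")
    return sorted(failed)

def sample_jwt(lifetime):
    """Constructed, unsigned token for the demo; not a real Mitto token."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"iat": 1700000000, "exp": 1700000000 + lifetime}), ""])

# Constructed header sets (not captured from a real Runner).
BEFORE = [("Location", "https://10.0.3.17/login"), ("X-Frame-Options", "ALLOWALL"),
          ("Set-Cookie", "session=abc; Secure; Path=/")]
AFTER = [("Strict-Transport-Security", "max-age=31536000"),
         ("Content-Security-Policy", "default-src 'self'"), ("X-Frame-Options", "SAMEORIGIN"),
         ("Cache-Control", "no-store"), ("Set-Cookie", "session=abc; Secure; HttpOnly; Path=/")]
if __name__ == "__main__":
    print(audit(BEFORE, sample_jwt(7 * 24 * 3600)), audit(AFTER, sample_jwt(8 * 3600)))
```

Header presence alone does not cover MIT-3293, MIT-3291 or MIT-3288, which concern response bodies and file handling rather than headers.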

Bug

| Issue | Summary | Description | Status |
|---|---|---|---|
| MIT-3332 | supervisor service: breaking changes in docker compose ps --format json output (from compose 2.21) | Docker Compose output format was adjusted to resolve a breaking change in the container build process. | Done |
| MIT-3330 | Two licenses for one plugin | Licensing configuration for a Runner’s connector can produce two license keys, one for Product Version and another for Base Product Version. This resolution will select the more recent of the available versions. | Done |
| MIT-3277 | Error after click on tag from job details row | An error occurs when the user filters the Job list by clicking a tag from the Tags column header, then selecting a different tag from the drop-down filter selector menu. This is now resolved. | Done |
| MIT-3273 | File Manager ‘expand’ arrow icon visible when no subdirectories are present | The File Manager tree view showed the expand contents arrow icon when no subdirectories were present. This was confusing behavior; the arrow is no longer displayed on the folder when there are no subdirectories contained. | Done |
| MIT-3260 | Updated sass module fails image build | An updated version of the JavaScript SASS module was failing the build process. This is now pinned to the working version. | Done |
| MIT-3255 | Files - directory/folder drag & drop copies contents without parent directory | When uploading a directory and its files to the File Manager, the upload used the file names only, resulting in all files being stored in the base of the directory (not honoring the original directory structure). This is resolved by uploading with the context of both directory and file names. | Done |
| MIT-3252 | Files - Looping when opening folders | The File Manager UI could get into a state of repeated looping of new folder structures being displayed. This was a UI defect, not reflecting actual directory structures being applied to the filesystem storage. | Done |
| MIT-3236 | UI - Show spinner before initial request | A visual progress indicator is added to the initial login page, to avoid the user thinking that Runner is not responding or in a hung state. | Done |
| MIT-3177 | artifacts in IMAP job credentials pulldown | In the IMAP wizard credentials page, when there are no existing credentials, the pull down renders with an odd visual artifact. This is resolved. | Done |
| MIT-1644 | add “path” or equivalent to RegEx plugin input to allow for RegEx on files in subdirectories of /var/mitto/data | The RegEx inputter for source file selection is updated to include subdirectories within the /var/mitto/data filesystem. | Done |