RhodeCode 4.12 Release: Security improvements and SVN integrations.

Published on May 21, 2018, by Marcin Kuzminski


This is a scheduled release that adds an important SSH security fix, enables the integration framework for
SVN repositories, and introduces a new automation task that enables bi-directional sync of repositories.

This release highlights are:

  • Important Security fix for SSH backend.
  • All integrations like Slack, email, Jenkins now are enabled for SVN backend.
  • Added new dedicated Jenkins integration with the support of CSRF authentication.
  • RhodeCode instances can now automatically push or pull from/to remote locations.
  • Speed up pull request display speed by introducing diff-caches.
  • Exposed public user group profiles.

Take a few minutes to update your RhodeCode instance:
rccontrol self-update && rccontrol upgrade '*'

New to RhodeCode? Download the latest RhodeCode 4.12 Series from our website.
Keep reading for full release details.

Security

An important security vulnerability was discovered by an independent researcher on RhodeCode SSH implementation.
Fix was implemented in 4.12 series that addresses this vulnerability. We'll provide more details on this once we know most of the users already
upgraded. If you use SSH we encourage to upgrade to 4.12 release, and re-generate the keys using a link named Update SSH keys file that can be found under admin > permissions > ssh keys.

Following best practices, we also changed a way on how new email addresses are added.
Now adding new email in my account requires providing user access password.
This prevents from an unauthorized addition of a recovery email by a hacker who gains access to logged in session of RhodeCode user and only works for built-in accounts.

SVN integrations

RhodeCode built-in Integrations framework allows connecting to various 3rd party services and triggering actions based on events that are
happening inside the system. In Short, events such as push, create of pull requests, creation of user is translated to emails, Slack/Jira messages, or Webhook calls.

This framework before didn't work for SVN repositories. Since 4.12 we re-built the SVN hook support and this allowed us to also enable our
integration framework to work with SVN type repositories too. Connecting SVN repositories with Slack, or CI servers is now much easier and built-in into RhodeCode itself.

RhodeCode integrations

In Addition, we did small changes to JIRA integration that now allows specifying a proxy server for instances behind a proxy-prefix.

Dedicated JENKINS integration

Jenkins is the most popular CI server used with RhodeCode Source Code Management platform. We decided to build a dedicated Jenkins integration
to address certain limitations of Webhook Integration. Our new dedicated Jenkins integration can handle CSRF token feature of Jenkins, and works
with regular push type events as well as pull request type events.

Diffs and Pull Requests

Like in the previous release we continuously try to improve RhodeCode performance. In the 4.12 release, we're introducing a new feature
called diff caches. In short, this allows storing parsed, syntax highlighted diffs in optimized fast access on-disk files.
This works for individual commits as well as whole pull requests diff view.

In cases of editing huge XML files, or generally large complex files loading diffs could consume a lot of resources.
This combined with Pull Requests that could have potentially hundreds of such files could lead to very long load times.
For example, displaying a diff (after increasing diff parse limits) of initial RhodeCode 4.X commit with 1365 files changed, 696516 insertions took 180s, after enabling diff-cache this takes roughly 2s.

Due to this change showing large and complex pull requests should be much faster, improving the user experience. There's one very important change that comes with this functionality.
With diff caches enabled old, and closed pull-requests can be now displayed even after removing all commits from the source repository, and no longer require the shadow repositories to be present.
This adds great auditing capabilities and allows saving lots of space by reducing requirements for keeping a large number of forks.

Diff caches can be enabled per repository under VCS settings, or globally on all repositories under admin > settings > VCS settings.

As an extra bonus diffs use now a new structure that allows the diff content to be copied without line numbers directly from the diff view.

RhodeCode Diffs example

Automation GEO sync

In release 4.11 we introduced a new feature called RhodeCode Scheduler. This low-level API allows running periodic scheduled tasks from RhodeCode system.
We use this feature to introduce new dedicated automation tasks for repositories. Each repository can now run one of the following tasks:

  • Maintainance
  • Remote Pull
  • Remote Push

The maintenance task is quite simple and allows a periodic check of repository filesystem consistency, or execute garbage collection of loose objects for GIT repositories.

For the Remote tasks, it's possible to set individual pull/push remote URLs which are stored as encrypted in the database.
With those and the automation framework, you can create things like GEO replicas, or set automatic
syncing to 3rd party repositories such as Github or Bitbucket. Here are few examples of what this feature can be used for:

  • Use Periodic pull to have a fast access node for a faster clone of repositories in a different location, or for CI usage.
  • Use Periodic push to have your changes from local instance to be sent to other servers such as public Github profile
  • Use Periodic pull to fetch some externally hosted projects for local usage. e.g upstream repository group with local copies of used dependencies for local analysis, or fast access.

Those are just a few examples, but we believe this feature will allow scaling integration of RhodeCode inside organizations with sophisticated requirements in regards to data access and high availability.

Other notable changes

  • System info: added ulimit to system info.
  • LDAP: enable connection recycling on LDAP plugin.
  • Fixed issues with proper timezone detection for certain timezones.

Summary

See the full list of changes in the release notes.

As usual, the update process is a simple one-liner type:
rccontrol self-update && rccontrol upgrade '*'
in the command line interface. Done!

Sincerely yours,
The RhodeCode team.


comments powered by Disqus