Merged in JDCMT-208-resolve-security-hotspots (pull request #45)

JDCMT-208 resolved security hotspots + code coverage on new code

* JDCMT-208 resolved security hotspots

* JDCMT-208 unit-tests for new code

* JDCMT-208 resolved code smells

* JDCMT-208 resolved code smells #2


Approved-by: Volodymyr Batrukh

Author: zakharlistiev

src/MicrosoftTeamsIntegration.Artifacts/Bots/Middleware/ConsoleOutputMiddleware.cs

@@ -9,10 +9,10 @@ namespace MicrosoftTeamsIntegration.Artifacts.Bots.Middleware
 {
     public class ConsoleOutputMiddleware : IMiddleware
     {
-        public async Task OnTurnAsync(ITurnContext context, NextDelegate next, CancellationToken cancellationToken = default(CancellationToken))
+        public async Task OnTurnAsync(ITurnContext turnContext, NextDelegate next, CancellationToken cancellationToken = default(CancellationToken))
         {
-            LogActivity(string.Empty, context.Activity);
-            context.OnSendActivities(OnSendActivitiesAsync);
+            LogActivity(string.Empty, turnContext.Activity);
+            turnContext.OnSendActivities(OnSendActivitiesAsync);
 
             await next(cancellationToken).ConfigureAwait(false);
         }

src/MicrosoftTeamsIntegration.Artifacts/Bots/Middleware/SetLocaleMiddleware.cs

@@ -15,9 +15,9 @@ public SetLocaleMiddleware(string defaultLocale)
             _defaultLocale = defaultLocale ?? throw new ArgumentNullException(nameof(defaultLocale));
         }
 
-        public async Task OnTurnAsync(ITurnContext context, NextDelegate next, CancellationToken cancellationToken = default(CancellationToken))
+        public async Task OnTurnAsync(ITurnContext turnContext, NextDelegate next, CancellationToken cancellationToken = default(CancellationToken))
         {
-            var cultureInfo = !string.IsNullOrWhiteSpace(context.Activity.Locale) ? new CultureInfo(context.Activity.Locale) : new CultureInfo(this._defaultLocale);
+            var cultureInfo = !string.IsNullOrWhiteSpace(turnContext.Activity.Locale) ? new CultureInfo(turnContext.Activity.Locale) : new CultureInfo(this._defaultLocale);
 
             CultureInfo.CurrentUICulture = CultureInfo.CurrentCulture = cultureInfo;
 

src/MicrosoftTeamsIntegration.Jira/ClientApp/src/app/components/issues/create-comment-dialog/create-comment-dialog.component.ts

@@ -1,6 +1,5 @@
 import { Component, OnInit, Input } from '@angular/core';
 import { FormGroup, FormControl, Validators, AbstractControl } from '@angular/forms';
-import { MatDialogConfig, MatDialog } from '@angular/material/dialog';
 import { ActivatedRoute } from '@angular/router';
 import { ListKeyManager, ListKeyManagerOption } from '@angular/cdk/a11y';
 import { UP_ARROW, DOWN_ARROW, ENTER, TAB } from '@angular/cdk/keycodes';
@@ -41,7 +40,6 @@ export class CreateCommentDialogComponent implements OnInit {
         private apiService: ApiService,
         private commentService: IssueCommentService,
         private route: ActivatedRoute,
-        public dialog: MatDialog,
         private utilService: UtilService,
         private appInsightsService: AppInsightsService,
         private errorService: ErrorService,
@@ -220,10 +218,6 @@ export class CreateCommentDialogComponent implements OnInit {
         this.disableActiveListItem();
     }
 
-    private handleListMouseover() {
-        this.disableActiveListItem();
-    }
-
     private disableActiveListItem() {
         this.activeIssue = null;
     }

src/MicrosoftTeamsIntegration.Jira/ClientApp/src/index.html

@@ -30,8 +30,8 @@
     <app-root></app-root>
 
     <script src="https://secure.aadcdn.microsoftonline-p.com/lib/1.0.17/js/adal.min.js"></script>
-    <script src="https://cdnjs.cloudflare.com/ajax/libs/bluebird/3.5.5/bluebird.min.js"></script>
-    <script src="https://cdnjs.cloudflare.com/ajax/libs/fetch/3.0.0/fetch.min.js"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/bluebird/3.5.5/bluebird.min.js" integrity="sha384-MQm/RB2S9xe8tOzJOxm1tStfq3axjZGrhVNWMjblO5fJcgn/gVhx4W5gxzvrcmOl" crossorigin="anonymous"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/fetch/3.0.0/fetch.min.js" integrity="sha384-5B8/4F9AQqp/HCHReGLSOWbyAOwnJsPrvx6C0+VPUr44Olzi99zYT1xbVh+ZanQJ" crossorigin="anonymous"></script>
 
     <!-- cookie consent -->
     <script type="text/javascript">

src/MicrosoftTeamsIntegration.Jira/ClientApp/src/loginResult.html

@@ -4,7 +4,7 @@
     <meta charset="utf-8" />
     <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
     <title>Jira for Microsoft Teams - Login Result</title>
-    <script src="https://statics.teams.microsoft.com/sdk/v1.5.2/js/MicrosoftTeams.min.js"></script>
+    <script src="https://statics.teams.microsoft.com/sdk/v1.5.2/js/MicrosoftTeams.min.js" integrity="sha384-TJ2M0tW5fxu25/LwZie10M5O53iP1Q5FweiXk5rvfTHmvA7x2a6I9+KKi2pjAk6k" crossorigin="anonymous"></script>
     <script src="https://secure.aadcdn.microsoftonline-p.com/lib/1.0.17/js/adal.min.js"></script>
     <link rel="stylesheet" href="https://aui-cdn.atlassian.com/aui-adg/6.0.9/css/aui.min.css">
 </head>

src/MicrosoftTeamsIntegration.Jira/Exceptions/BadRequestException.cs

@@ -1,12 +1,19 @@
 using System;
+using System.Runtime.Serialization;
 
 namespace MicrosoftTeamsIntegration.Jira.Exceptions
 {
+    [Serializable]
     public class BadRequestException : Exception
     {
         public BadRequestException(string message)
             : base(message)
         {
         }
+
+        protected BadRequestException(SerializationInfo serializationInfo, StreamingContext streamingContext)
+            : base(serializationInfo, streamingContext)
+        {
+        }
     }
 }

src/MicrosoftTeamsIntegration.Jira/Services/BotMessagesService.cs

@@ -222,7 +222,7 @@ public async Task SendAuthorizationCard(ITurnContext turnContext, string jiraUrl
             await turnContext.SendToDirectConversationAsync(message, cancellationToken: cancellationToken);
         }
 
-        private async Task SendWelcomeCard(ITurnContext turnContext, IConnectorClient connectorClient, Activity activity, bool isGroupConversation, CancellationToken cancellationToken)
+        private static async Task SendWelcomeCard(ITurnContext turnContext, IConnectorClient connectorClient, Activity activity, bool isGroupConversation, CancellationToken cancellationToken)
         {
             string welcomeText =
                 "- **View your work** in a tab via a Jira filter or see issues that are assigned to, reported by or watched by you.\n- **Search** for Jira issues right within message extension or bot command\n- **Update issues** or **add comments** right in your conversation with a bot so you can focus on your work and avoid context switching between your web browser and Teams";

tests/MicrosoftTeamsIntegration.Jira.Tests/Bots/Middleware/ConsoleOutputMiddlewareTests.cs

@@ -0,0 +1,58 @@
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Bot.Builder;
+using Microsoft.Bot.Schema;
+using MicrosoftTeamsIntegration.Artifacts.Bots.Middleware;
+using Moq;
+using Xunit;
+
+namespace MicrosoftTeamsIntegration.Jira.Tests.Bots.Middleware;
+
+public class ConsoleOutputMiddlewareTests
+{
+    [Fact]
+    public async Task OnTurnAsync_Should_LogMessageActivity_And_CallNext()
+    {
+        const string testMessage = "Test message";
+        var mockTurnContext = new Mock<ITurnContext>();
+        var mockNextDelegate = new Mock<NextDelegate>();
+        var activity = new Activity(ActivityTypes.Message) { Text = testMessage };
+        mockTurnContext.Setup(c => c.Activity).Returns(activity);
+        mockNextDelegate.Setup(nd => nd(It.IsAny<CancellationToken>())).Returns(Task.CompletedTask);
+        var middleware = new ConsoleOutputMiddleware();
+
+        using (var consoleOutput = new ConsoleOutput())
+        {
+            await middleware.OnTurnAsync(mockTurnContext.Object, mockNextDelegate.Object);
+
+            var output = consoleOutput.GetOutput();
+            Assert.Contains(testMessage, output);
+        }
+
+        mockTurnContext.Verify(c => c.Activity, Times.Once);
+        mockNextDelegate.Verify(nd => nd(It.IsAny<CancellationToken>()), Times.Once);
+    }
+
+    [Fact]
+    public async Task OnTurnAsync_Should_LogEventActivity_And_CallNext()
+    {
+        const string testEvent = "Test event";
+        var mockTurnContext = new Mock<ITurnContext>();
+        var mockNextDelegate = new Mock<NextDelegate>();
+        var activity = new Activity(ActivityTypes.Event) { Name = testEvent };
+        mockTurnContext.Setup(c => c.Activity).Returns(activity);
+        mockNextDelegate.Setup(nd => nd(It.IsAny<CancellationToken>())).Returns(Task.CompletedTask);
+        var middleware = new ConsoleOutputMiddleware();
+
+        using (var consoleOutput = new ConsoleOutput())
+        {
+            await middleware.OnTurnAsync(mockTurnContext.Object, mockNextDelegate.Object);
+
+            var output = consoleOutput.GetOutput();
+            Assert.Contains(testEvent, output);
+        }
+
+        mockTurnContext.Verify(c => c.Activity, Times.Once);
+        mockNextDelegate.Verify(nd => nd(It.IsAny<CancellationToken>()), Times.Once);
+    }
+}

tests/MicrosoftTeamsIntegration.Jira.Tests/Bots/Middleware/EventDebuggerMiddlewareTests.cs

@@ -0,0 +1,100 @@
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Bot.Builder;
+using Microsoft.Bot.Schema;
+using MicrosoftTeamsIntegration.Artifacts.Bots.Middleware;
+using Moq;
+using Newtonsoft.Json;
+using Newtonsoft.Json.Linq;
+using Xunit;
+
+namespace MicrosoftTeamsIntegration.Jira.Tests.Bots.Middleware;
+
+public class EventDebuggerMiddlewareTests
+{
+    [Fact]
+    public async Task OnTurnAsync_Should_ConvertMessageToEvent_When_TextStartsWithEvent()
+    {
+        var mockTurnContext = new Mock<ITurnContext>();
+        var mockNextDelegate = new Mock<NextDelegate>();
+        var json = JsonConvert.SerializeObject(new { Name = "testEvent", Text = "testText", Value = "testValue" });
+        var activity = new Activity(ActivityTypes.Message) { Text = $"/event:{json}" };
+        mockTurnContext.Setup(c => c.Activity).Returns(activity);
+        mockNextDelegate.Setup(nd => nd(It.IsAny<CancellationToken>())).Returns(Task.CompletedTask);
+        var middleware = new EventDebuggerMiddleware();
+
+        await middleware.OnTurnAsync(mockTurnContext.Object, mockNextDelegate.Object);
+
+        Assert.Equal(ActivityTypes.Event, activity.Type);
+        Assert.Equal("testEvent", activity.Name);
+        Assert.Equal("testText", activity.Text);
+        Assert.Equal("testValue", activity.Value);
+        mockNextDelegate.Verify(nd => nd(It.IsAny<CancellationToken>()), Times.Once);
+    }
+
+    [Fact]
+    public async Task OnTurnAsync_Should_ConvertMessageToEvent_When_ValueContainsEvent()
+    {
+        var mockTurnContext = new Mock<ITurnContext>();
+        var mockNextDelegate = new Mock<NextDelegate>();
+        var value = new JObject
+        {
+            ["event"] = true,
+            ["name"] = "testEvent",
+            ["text"] = "testText",
+            ["value"] = "testValue"
+        };
+        var activity = new Activity(ActivityTypes.Message) { Value = value.ToString(), Text = "some text" };
+        mockTurnContext.Setup(c => c.Activity).Returns(activity);
+        mockNextDelegate.Setup(nd => nd(It.IsAny<CancellationToken>())).Returns(Task.CompletedTask);
+        var middleware = new EventDebuggerMiddleware();
+
+        await middleware.OnTurnAsync(mockTurnContext.Object, mockNextDelegate.Object);
+
+        Assert.Equal(ActivityTypes.Event, activity.Type);
+        Assert.Equal("testEvent", activity.Name);
+        Assert.Equal("testText", activity.Text);
+        Assert.Equal("testValue", activity.Value);
+        mockNextDelegate.Verify(nd => nd(It.IsAny<CancellationToken>()), Times.Once);
+    }
+
+    [Fact]
+    public async Task OnTurnAsync_Should_NotConvertMessageToEvent_When_TextDoesNotStartWithEvent()
+    {
+        var mockTurnContext = new Mock<ITurnContext>();
+        var mockNextDelegate = new Mock<NextDelegate>();
+        var activity = new Activity(ActivityTypes.Message) { Text = "regular text message" };
+        mockTurnContext.Setup(c => c.Activity).Returns(activity);
+        mockNextDelegate.Setup(nd => nd(It.IsAny<CancellationToken>())).Returns(Task.CompletedTask);
+        var middleware = new EventDebuggerMiddleware();
+
+        await middleware.OnTurnAsync(mockTurnContext.Object, mockNextDelegate.Object);
+
+        Assert.Equal(ActivityTypes.Message, activity.Type);
+        Assert.Equal("regular text message", activity.Text);
+        mockNextDelegate.Verify(nd => nd(It.IsAny<CancellationToken>()), Times.Once);
+    }
+
+    [Fact]
+    public async Task OnTurnAsync_Should_NotConvertMessageToEvent_When_ValueDoesNotContainEvent()
+    {
+        var mockTurnContext = new Mock<ITurnContext>();
+        var mockNextDelegate = new Mock<NextDelegate>();
+        var value = new JObject
+        {
+            ["name"] = "testEvent",
+            ["text"] = "testText",
+            ["value"] = "testValue"
+        };
+        var activity = new Activity(ActivityTypes.Message) { Value = value.ToString() };
+        mockTurnContext.Setup(c => c.Activity).Returns(activity);
+        mockNextDelegate.Setup(nd => nd(It.IsAny<CancellationToken>())).Returns(Task.CompletedTask);
+        var middleware = new EventDebuggerMiddleware();
+
+        await middleware.OnTurnAsync(mockTurnContext.Object, mockNextDelegate.Object);
+
+        Assert.Equal(ActivityTypes.Message, activity.Type);
+        Assert.Equal(value.ToString(), activity.Value);
+        mockNextDelegate.Verify(nd => nd(It.IsAny<CancellationToken>()), Times.Once);
+    }
+}

tests/MicrosoftTeamsIntegration.Jira.Tests/Bots/Middleware/SetLocaleMiddlewareTests.cs

@@ -0,0 +1,51 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Bot.Builder;
+using Microsoft.Bot.Schema;
+using MicrosoftTeamsIntegration.Artifacts.Bots.Middleware;
+using Moq;
+using Xunit;
+
+namespace MicrosoftTeamsIntegration.Jira.Tests.Bots.Middleware;
+
+public class SetLocaleMiddlewareTests
+{
+    [Fact]
+    public void Constructor_Should_ThrowArgumentNullException_When_DefaultLocaleIsNull()
+    {
+        Assert.Throws<ArgumentNullException>(() => new SetLocaleMiddleware(null));
+    }
+
+    [Fact]
+    public async Task OnTurnAsync_Should_SetCultureInfoToActivityLocale()
+    {
+        const string defaultLocale = "en-US";
+        var middleware = new SetLocaleMiddleware(defaultLocale);
+        var mockTurnContext = new Mock<ITurnContext>();
+        var mockNextDelegate = new Mock<NextDelegate>();
+        var activity = new Activity { Locale = "fr-FR" };
+        mockTurnContext.Setup(c => c.Activity).Returns(activity);
+        mockNextDelegate.Setup(nd => nd(It.IsAny<CancellationToken>())).Returns(Task.CompletedTask);
+
+        await middleware.OnTurnAsync(mockTurnContext.Object, mockNextDelegate.Object);
+
+        mockNextDelegate.Verify(nd => nd(It.IsAny<CancellationToken>()), Times.Once);
+    }
+
+    [Fact]
+    public async Task OnTurnAsync_Should_SetCultureInfoToDefaultLocale_When_ActivityLocaleIsNullOrWhiteSpace()
+    {
+        const string defaultLocale = "en-US";
+        var middleware = new SetLocaleMiddleware(defaultLocale);
+        var mockTurnContext = new Mock<ITurnContext>();
+        var mockNextDelegate = new Mock<NextDelegate>();
+        var activity = new Activity { Locale = string.Empty };
+        mockTurnContext.Setup(c => c.Activity).Returns(activity);
+        mockNextDelegate.Setup(nd => nd(It.IsAny<CancellationToken>())).Returns(Task.CompletedTask);
+
+        await middleware.OnTurnAsync(mockTurnContext.Object, mockNextDelegate.Object);
+
+        mockNextDelegate.Verify(nd => nd(It.IsAny<CancellationToken>()), Times.Once);
+    }
+}