Merge remote-tracking branch 'powerbi/master' into release-1 #387

Closed
wants to merge 16 commits into from

may-hartov
Contributor

No description provided.

KotanaSai21 and others added 14 commits April 24, 2023 11:28
Minor version bump 2.22.3
This release will contain 1 change:
Pull Request 383914: [JavaScript SDK]: Add Create export in the JavaScript SDK

We need to release the export of create interface so we can consume it in SDK wrappers
2.22.4 version bump
This version bump includes the upgrade of WPMP from ^2 to ^2.7
…om/en-us/azure/devops/pipelines/process/scheduled-triggers?view=azure-devops&tabs=yaml) to run a weekly build on Saturday at midnight. See [cron syntax](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/scheduled-triggers?view=azure-devops&tabs=yaml#cron-syntax) to adjust the schedule as needed.

This change ensures that this repo meets static analysis requirements as per the [Mandatory SDL Requirement](https://liquid.microsoft.com/Web/Object/Read/ms.security/Requirements/Microsoft.Security.SystemsADM.10201).
[FAQs](https://strikecommunity.azurewebsites.net/articles/9931/continuous-sdl-faq-codeql.html), which requires a fresh codeql build every 30 days.

To check whether your repository has been onboarded visit the [Lookup Service](https://semmleportal.azurewebsites.net/lookup) and enter your repository URL - you should see the main branch of your repo in the list.
contact [email protected] for further help & details

---

For feedback or questions about this PR, please find the contact information in the above description. If none exists, please contact the [Gardener team](mailto:[email protected]) to help route.

---

This change was automatically generated by [1ES Gardener](https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/gardener/1es-gardener) (a [MerlinBot](https://aka.ms/MerlinBot) extension) which is an initiative by the 1ES team to help repos stay up-to-date with latest tools, features, and best practices.
Updating models version to 1.13.0
#839888 add getSmartNarrativeInsights to report

Related work items: #839888
Following an MSRC case, as a malicious site can be injected as the embed iframe src, added embed URL validation to ensure the host is an allowed PBI src.

A valid embed url protocol is "https:"

The valid hosts names are ([retrieved from EV2-deployment repository - all of ida_PowerBIFeUrl key values](https://dev.azure.com/powerbi/PowerBIClients/_search?action=contents&text=ida_PowerBIFeUrl path%3A*envParams*&type=code&lp=code-Project&filters=ProjectFilters{PowerBIClients}RepositoryFilters{PowerBIClients-EV2-Deployment}&pageSize=25&result=DefaultCollection/PowerBIClients/PowerBIClients-EV2-Deployment/GBmaster//WFE/AppService/ADM/Public/INT/envParams.txt)):

- app.powerbi.com
- app.powerbi.cn
- app.powerbigov.us
- app.mil.powerbigov.us
- app.high.powerbigov.us
- app.powerbi.eaglex.ic.gov
- app.powerbi.microsoft.scloud
- powerbi-df.analysis-df.windows.net
- CST WFE URLs: 'https://{cst-name}.analysis.windows-int.net'
- daily.powerbi.com
- dxt.powerbi.com
- msit.powerbi.com

Embed URL validation should include fabric embed URL.

All of the above should be covered by the following regex expressions:

`.+\.powerbi.com$`
- daily.powerbi.com
- dxt.powerbi.com
- msit.powerbi.com
- app.powerbi.com

FF: `^app(.mil.|.high.|.)powerbigov.us$`
- app.powerbigov.us
- app.mil.powerbigov.us
- app.high.powerbigov.us

Edog: `.+\.analysis-df.windows.net$`

Onebox and CSTs: `.+\.analysis.windows-int.net$`

Fabric URLs: `.+\.fabric.microsoft.com$`

**Please look into the test cases in utils.spec.ts to see the valid and invalid embed URLs**

Related work items: #1245653
Client-side APIs are not supported for rdl reports.

Ideally, we should refactor our code to have one validation for all APIs. This requires major changes in the SDK code. So, I added this missing validation per request from a customer, especially since this API name does not make clear that it is Power BI report specific and might be misleading for customers.

[Incident 474677846 : [PowerBI] CSS - Embedded (User Owns Data/Apps Owns Data): <Programmatic refresh of paginated report in embedded doesn't work>](https://portal.microsofticm.com/imp/v3/incidents/incident/474677846/summary)
removed global flag from valid embed hosts validation to resolve bug introduced with 2.23.0 release:

Issue reported [here](https://community.fabric.microsoft.com/t5/Developer/bd-p/Developer) and by @<Sergey Pustynsky> from datahub (attaching Sergey's description):

We started to get
"Invalid embed URL detected. Either URL hostname or protocol are invalid. Please use Power BI REST APIs to get the valid URL";
in Datahub embed scenario. We have 2 tabs, each one renders iframe with different configs. Once it rendered OK, 2nd time fails on error.

It is caused by this code, which looks valid

The result of this check is inconsistent (once returns true, once false) over the same data. It's possibly related to RegEx statefulness.
Do we really need this global flag in RegEx definition?

Symptoms:

`When a RegExp object is created with the global (g) or sticky (y) flag, it maintains an internal lastIndex property. This property is used to determine where to start the next match attempt during subsequent calls to .test() or .exec() methods. After each match attempt, lastIndex is updated. This means if a match is found, the next call to .test() will start searching from the position after the last match, which can lead to the following outcomes:
If the next call does not find a match (because it starts searching from a non-zero lastIndex), .test() will return false.
If you call .test() again after it returns false, lastIndex is reset to 0, and the regex is evaluated from the beginning of the string, potentially returning true again if a match is found from the start.`

Related work items: #1362247
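
The inconsistency reported in the commit message above, reproduced in an added example that is not the SDK's own code. `isValidEmbedUrl`, `validateTwice`, `compile` and the sample URLs are assumptions made for illustration; the host patterns follow the five regexes listed on this page, written here with escaped dots and a leading anchor.

```javascript
// Hostname patterns modelled on the five regexes listed above (assumption: dots
// escaped and a leading ^ added so each pattern must match the whole hostname).
const HOST_PATTERNS = [
  "^.+\\.powerbi\\.com$",
  "^app(\\.mil\\.|\\.high\\.|\\.)powerbigov\\.us$",
  "^.+\\.analysis-df\\.windows\\.net$",
  "^.+\\.analysis\\.windows-int\\.net$",
  "^.+\\.fabric\\.microsoft\\.com$",
];

// Compile once and reuse, as a shared module-level constant would be.
const compile = (flags) => HOST_PATTERNS.map((src) => new RegExp(src, flags));

// Hypothetical helper: https only, hostname must match an allowed pattern.
function isValidEmbedUrl(url, hostRegexes) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // not parseable as an absolute URL
  }
  if (parsed.protocol !== "https:") return false;
  return hostRegexes.some((re) => re.test(parsed.hostname));
}

// Validate the same constructed URL twice against one shared set of regexes.
function validateTwice(flags) {
  const shared = compile(flags);
  const url = "https://app.powerbi.com/reportEmbed?reportId=constructed-id";
  return [isValidEmbedUrl(url, shared), isValidEmbedUrl(url, shared)];
}

// With "g", the first .test() leaves lastIndex at the end of the hostname, so
// the second call starts there, fails, and resets lastIndex to 0.
console.log("global flag:", validateTwice("g"));
console.log("no flag:    ", validateTwice(""));

// Constructed inputs that must be rejected whatever the flags.
const rejected = [
  "http://app.powerbi.com/reportEmbed",        // wrong protocol
  "https://app.powerbi.com.example.test/view", // allowed name is only a prefix
  "https://example.test/?u=app.powerbi.com",   // allowed name only in the query
  "reportEmbed?reportId=1",                    // relative, not a URL
];
console.log(rejected.map((u) => isValidEmbedUrl(u, compile(""))));
```

A validator that fails on every second call is a reliability bug rather than a bypass, since the stateful regex only turns a valid URL into a rejection; a regression test that validates the same URL several times in a row catches it.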
version bump 2.23.1, minor bug fix of embed url validation
@may-hartov may-hartov changed the title Merge remote-tracking branch 'powerbi/master' into release-2.23.1 Merge remote-tracking branch 'powerbi/master' into release-2.23.0 Apr 2, 2024
@may-hartov may-hartov changed the title Merge remote-tracking branch 'powerbi/master' into release-2.23.0 Merge remote-tracking branch 'powerbi/master' into release-1 Apr 2, 2024
@microsoft microsoft locked and limited conversation to collaborators Apr 16, 2024
@may-hartov may-hartov closed this Apr 16, 2024