OpenC3 · ryan-pratt · Jan 9, 2025 · Jan 3, 2025 · Jan 6, 2025 · Jan 8, 2025
diff --git a/openc3-cosmos-cmd-tlm-api/app/controllers/auth_controller.rb b/openc3-cosmos-cmd-tlm-api/app/controllers/auth_controller.rb
@@ -33,7 +33,7 @@ def token_exists
 
   def verify
     begin
-      if OpenC3::AuthModel.verify(params[:token])
+      if OpenC3::AuthModel.verify_no_service(params[:token])
         render :plain => OpenC3::AuthModel.generate_session()
       else
         head :unauthorized

diff --git a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-iframe/package.json b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-iframe/package.json
@@ -11,6 +11,7 @@
   },
   "dependencies": {
     "@astrouxds/astro-web-components": "7.24.1",
+    "@braintree/sanitize-url": "7.1.1",
     "@openc3/js-common": "6.0.2-beta0",
     "@openc3/vue-common": "6.0.2-beta0",
     "axios": "1.7.9",

diff --git a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-iframe/src/tools/Iframe/Iframe.vue b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-iframe/src/tools/Iframe/Iframe.vue
@@ -45,6 +45,7 @@
 </template>
 
 <script>
+import { sanitizeUrl } from '@braintree/sanitize-url'
 import { TopBar } from '@openc3/vue-common/components'
 
 export default {
@@ -62,7 +63,7 @@ export default {
       this.title = this.$route.query.title
     }
     if (this.$route.query && this.$route.query.url) {
-      this.url = this.$route.query.url
+      this.url = sanitizeUrl(this.$route.query.url)
     }
   },
 }

diff --git a/openc3-cosmos-init/plugins/packages/openc3-vue-common/package.json b/openc3-cosmos-init/plugins/packages/openc3-vue-common/package.json
@@ -65,6 +65,7 @@
   },
   "dependencies": {
     "@astrouxds/astro-web-components": "7.24.1",
+    "@braintree/sanitize-url": "7.1.1",
     "@openc3/js-common": "6.0.2-beta0",
     "@rails/actioncable": "7.1.3-4",
     "axios": "1.7.9",

diff --git a/openc3-cosmos-init/plugins/packages/openc3-vue-common/src/widgets/IframeWidget.vue b/openc3-cosmos-init/plugins/packages/openc3-vue-common/src/widgets/IframeWidget.vue
@@ -23,14 +23,15 @@
 <template>
   <iframe
     title="IFrameWidget"
-    :src="parameters[0]"
+    :src="url"
     :width="width"
     :height="height"
     :style="computedStyle"
   />
 </template>
 
 <script>
+import { sanitizeUrl } from '@braintree/sanitize-url'
 import Widget from './Widget'
 
 export default {
@@ -39,6 +40,7 @@ export default {
     return {
       width: 800,
       height: 600,
+      url: sanitizeUrl(this.parameters[0]),
     }
   },
   created: function () {

diff --git a/openc3-cosmos-script-runner-api/Dockerfile b/openc3-cosmos-script-runner-api/Dockerfile
@@ -21,6 +21,7 @@ RUN bundle config set --local without 'development' \
 RUN ["chown", "-R", "openc3:openc3", "/src/"]
 COPY  --chown=${IMAGE_USER}:${IMAGE_GROUP} ./ ./
 RUN ["chmod", "-R", "777", "/src/"]
+RUN ["chmod", "-R", "555", "/src/scripts"]
 
 EXPOSE 2902
 

diff --git a/openc3-cosmos-script-runner-api/README.md b/openc3-cosmos-script-runner-api/README.md
@@ -1,24 +1,6 @@
-# README
+# Setting up the Script Runner API
 
-This README would normally document whatever steps are necessary to get the
-application up and running.
+## Changing the service password
 
-Things you may want to cover:
-
-* Ruby version
-
-* System dependencies
-
-* Configuration
-
-* Database creation
-
-* Database initialization
-
-* How to run the test suite
-
-* Services (job queues, cache servers, search engines, etc.)
-
-* Deployment instructions
-
-* ...
+Scripts use a service password to authenticate with the rest of the COSMOS system in the open source edition.
+You should pick a new service password by setting the value of the `OPENC3_SERVICE_PASSWORD` variable in the [.env file](../.env)
diff --git a/openc3/lib/openc3/models/auth_model.rb b/openc3/lib/openc3/models/auth_model.rb
@@ -43,6 +43,15 @@ def self.set?(key = PRIMARY_KEY)
     end
 
     def self.verify(token)
+      # Handle a service password - Generally only used by ScriptRunner
+      # TODO: Replace this with temporary service tokens
+      service_password = ENV['OPENC3_SERVICE_PASSWORD']
+      return true if service_password and service_password == token
+
+      return verify_no_service(token)
+    end
+
+    def self.verify_no_service(token)
       return false if token.nil? or token.empty?
 
       time = Time.now
@@ -60,11 +69,6 @@ def self.verify(token)
       @@token_cache_time = time
       return true if @@token_cache == token_hash
 
-      # Handle a service password - Generally only used by ScriptRunner
-      # TODO: Replace this with temporary service tokens
-      service_password = ENV['OPENC3_SERVICE_PASSWORD']
-      return true if service_password and service_password == token
-
       return false
     end
 

diff --git a/playwright/tests/script-runner/file-menu.spec.ts b/playwright/tests/script-runner/file-menu.spec.ts
@@ -90,7 +90,7 @@ test('open a file', async ({ page, utils }) => {
   page
     .locator('.v-list-item-title:has-text("INST/procedures/disconnect.rb")')
     .click()
-  expect(await page.locator('#sr-controls')).toContainText(
+  await expect(page.locator('#sr-controls')).toContainText(
     `INST/procedures/disconnect.rb`,
   )
 })