security cleanup

Dockerfile

-FROM igwn/base:bookworm
+FROM debian:bookworm
 LABEL name="LIGO GraceDB Django application" \
       maintainer="alexander.pace@ligo.org" \
       date="20240306"
@@ -6,10 +6,13 @@ ARG SETTINGS_MODULE="config.settings.container.dev"
 
 COPY docker/SWITCHaai-swdistrib.gpg /etc/apt/trusted.gpg.d
 COPY docker/backports.pref /etc/apt/preferences.d
-RUN apt-get -y install gnupg
+RUN apt-get update && \
+    apt-get -y install gnupg curl
+
+
 RUN echo 'deb http://deb.debian.org/debian bookworm-backports main' > /etc/apt/sources.list.d/backports.list
 RUN echo 'deb http://apt.postgresql.org/pub/repos/apt bookworm-pgdg main' > /etc/apt/sources.list.d/pgdg.list
-RUN wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
+RUN curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
 RUN apt-get update && \
     apt-get --assume-yes upgrade && \
     apt-get install --install-recommends --assume-yes \
@@ -32,10 +35,6 @@ RUN apt-get update && \
         libfreetype6-dev \
         libxslt-dev \
         libsqlite3-dev \
-        ligo-ca-certs \
-        nodejs \
-        npm \
-        osg-ca-certs \
         php \
         php8.2-pgsql \
         php8.2-mbstring \
@@ -54,14 +53,23 @@ RUN apt-get update && \
         vim && \
     apt-get clean && \
     curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - && \
-    apt-get update && apt-get install --assume-yes yarn && \
-    npm install -g bower
+    apt-get update && apt-get install --assume-yes yarn
 
 # Install AWS X-ray daemon
-RUN wget https://s3.us-east-2.amazonaws.com/aws-xray-assets.us-east-2/xray-daemon/aws-xray-daemon-3.x.deb
+RUN curl -O https://s3.us-east-2.amazonaws.com/aws-xray-assets.us-east-2/xray-daemon/aws-xray-daemon-3.x.deb
 RUN dpkg -i aws-xray-daemon-3.x.deb
 RUN rm aws-xray-daemon-3.x.deb
 
+# Install osg-ca-certs:
+RUN curl -O https://hypatia.aei.mpg.de/lsc-amd64-bookworm/osg-ca-certs_1.132NEW-1+deb12u0_all.deb
+RUN dpkg -i osg-ca-certs_1.132NEW-1+deb12u0_all.deb
+RUN rm osg-ca-certs_1.132NEW-1+deb12u0_all.deb
+
+# Install ligo-ca-certs:
+RUN curl -O https://hypatia.aei.mpg.de/lsc-amd64-bookworm/ligo-ca-certs_1.0.2-0+deb12u0_all.deb
+RUN dpkg -i ligo-ca-certs_1.0.2-0+deb12u0_all.deb
+RUN rm ligo-ca-certs_1.0.2-0+deb12u0_all.deb
+
 # Docker scripts:
 COPY docker/entrypoint /usr/local/bin/entrypoint
 COPY docker/cleanup /usr/local/bin/cleanup
@@ -99,7 +107,6 @@ ADD . /app/gracedb_project
 
 # install gracedb application itself
 WORKDIR /app/gracedb_project
-RUN bower install --allow-root
 RUN pip3 install --upgrade pip --break-system-packages
 RUN pip3 install -r requirements.txt --break-system-packages
 
@@ -174,6 +181,10 @@ ENV XDG_CACHE_HOME /app/scitokens_cache
 # patch voeventparse for python3.10+:
 RUN sed -i 's/collections.Iterable/collections.abc.Iterable/g' /usr/local/lib/python3.11/dist-packages/voeventparse/voevent.py
 
+# Remove packages that expose security vulnerabilities and close out.
+# Edit: zlib1g* can't be removed because of a PrePend error
+RUN apt-get --assume-yes --purge autoremove wget libaom3 node-ip
+RUN apt-get clean
 
 ENTRYPOINT [ "/usr/local/bin/entrypoint" ]
 CMD ["/usr/local/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]

bower.json

 {
   "name": "gracedb",
   "dependencies": {
-    "dgrid": "0.4.0",
     "dijit": "1.10.4",
-    "dojox": "1.10.4",
-    "jquery": "3.2.1",
-    "jquery-ui": "1.12.1",
-    "moment-timezone": "0.5.0",
-    "moment": "2.11.1",
-    "tablesaw": "3.1.2",
-    "materialize": "1.0.0",
-    "bootstrap": "4.1.0",
-    "datatables.net": "^1.10.22",
-    "datatables.net-bs4": "^3.2.2",
-    "ekko-lightbox": "^5.3.0",
-    "trumbowyg": "2.21.0"
-  },
-  "resolutions": {
-    "webcomponentsjs": "^0.6.0"
+    "dojox": "1.10.4"
   }
 }

gracedb/events/templatetags/mediaviews.py

@@ -258,7 +258,7 @@ def filter_logs(log_list, tag_name=None, autoescape=None):
 def tag_selecter(autoescape=None):
     rv = """"""
     rv += """<select class="form-control" multiple="multiple"
-                      name="{form_name}">"""
+                      name="{form_name}" id="tagSelect">"""
     for tag in Tag.objects.filter(name__in=blessed_tag_priority_order):
         rv += """<option value="{tag_name}">{disp} ({tag_name})</option>""".format(tag_name=tag.name,
                                                                       disp=tag.displayName)

gracedb/templates/gracedb/event_detail.html

@@ -11,11 +11,6 @@
 {% block jscript %}
 {% load static %}
 <link rel="stylesheet" href="{% static "css/labeltips.css" %}" />
-<script src="{% static "dojo/dojo.js" %}" data-dojo-config="async: true"></script>
-
-<script>
-  {% include "gracedb/event_detail_script.js" %}
-</script> 
 
 <script type="text/javascript" class="init">
   $(document).ready(function () {
@@ -264,41 +259,69 @@
     {% endif %}
 
     {# Neighbors #}
-    <script type="text/javascript">
-      var refresh_neighbors= function() { alert("NOT SET YET"); };
-require(["dojo/dom", "dojo/html", "dojo/request", "dojo/domReady!"],
-  function (dom, html, request) {
-    refresh_neighbors = function(delta) {
-      delta = delta.replace(/[ [\]]/g, "");
-      if (delta.match(/^-?\d+$/) == null & delta.match(/^[-+]?\d+,[-+]?\d+$/) == null) {
-        alert("Bad neighborhood specified.")
-        return;
-      }
-      var neighborUrlPattern = "{% url "neighbors" object.graceid "000" %}"
-      var neighbor_div = dom.byId("gdb-table-neighbors");
-      neighborUrl = neighborUrlPattern.replace("000", delta);
-      request(neighborUrl).then(
-        function(text){
-          html.set(neighbor_div, text, {parseContent:true} );
-        },
-        function(error){
-          inbox = '<input value="" size="6" onchange="refresh_neighbors(this.value)">'
-          html.set(neighbor_div, inbox+"<br>Failed to find neighbors.<br>"+error);
-        });
-    };
-    // refresh_neighbors("5");
-  });
-require(["dijit/InlineEditBox", "dijit/form/NumberSpinner", "dijit/form/TextBox"]);
-    </script>
 
-    <!-- temporary (HA!) fix to prevent nested rendering when 
-         changing the neighbors range -->
+<script>
+document.addEventListener('DOMContentLoaded', (event) => {
+    document.getElementById('changeBtn').addEventListener('click', function(event) {
+        event.preventDefault();
+        let delta = document.getElementById('rangeBox').value;
+        if (delta.match(/^-?\d+$/) == null & delta.match(/^[-+]?\d+,[-+]?\d+$/) == null) {
+          alert("Bad neighborhood specified.")
+          return;
+        }
+
+        var neighborUrlPattern = "{% url "neighbors" object.graceid "000" %}"
+        var neighbor_div = document.getElementById("gdb-table-neighbors");
+        neighborUrl = neighborUrlPattern.replace("000", delta);
+
+        // Create a new XMLHttpRequest object
+        let xhr = new XMLHttpRequest();
+        
+        // Configure it: GET-request for the URL
+        xhr.open('GET', neighborUrl, true);
+
+        // Define what happens on successful data submission
+        xhr.onload = function() {
+            if (xhr.status >= 200 && xhr.status < 300) {
+                //alert('Data submitted successfully: ' + xhr.responseText);
+                document.getElementById('gdb-table-neighbors').innerHTML = xhr.responseText;
+            } else {
+                alert('Failed to submit data: ' + xhr.statusText);
+            }
+        };
+
+        // Define what happens in case of error
+        xhr.onerror = function() {
+            alert('Request failed');
+        };
+
+        // Send the request
+        xhr.send();
+    });
+});
+</script>
+
     <h2> Neighbors </h2>
     <hr style="width:250px; text-align:left; margin-left:0;">
 
     <div class="row my-3 justify-content-center">
       <div class="col-md-10">
+<form class="form-inline">
+  Neighbor Window:
+  <div class="form-group mx-sm-3 mb-2">
+              <input class="form-control form-control-sm"
+                     type="text"
+                     id="rangeBox" name="rangeBox"
+                     value="-5,+5">
+  </div>
+<button type="submit"
+        class="btn btn-secondary btn-sm mb-2"
+        id="changeBtn">Change Range</button>
+</form>
+<br>
+        <div id="gdb-table-neighbors">
         {% include "gracedb/neighbors_frag.html" %}
+        </div>
 
       </div>
     </div>

gracedb/templates/gracedb/neighbors_frag.html

 {% load timeutil %}
 {% load scientific %}
 
-<div id="gdb-table-neighbors">
-
-
   <table class="table-hover table-condensed table-resp-gracedb shadow p-3 mb-5 rounded"
          id="event-neighbors">
-    <thead>
-      <tr>
-        <th colspan="12"> Neighbor Window: &nbsp;
-          <span data-dojo-type="dijit/InlineEditBox" class="neighborsTextBox"
-                                                     data-dojo-props="editor:'dijit/form/TextBox', editorParams:{constraints:{places:0} }" width="100px" 
-                                                                                                                                           title="window"
-                                                                                                                                           onchange="refresh_neighbors(this.value)">{{neighbor_delta}}</span>
-
-        </th>
-      </tr>
-      <tr>
+     <thead>
         <th>UID</th>
         <!-- <th>Labels</th> -->
         <th>Group</th>
@@ -33,7 +20,6 @@
           <th>
             {{ "nsubmitted"|timeselect:"utc" }}
           </th>
-      </tr>
     </thead>
     {% if nearby %}
     {% for delta, object in nearby %}
@@ -92,14 +78,12 @@
           &nbsp; &nbsp; &nbsp; &nbsp;
           {% endif %}
         </td>
-        <!-- <td data-title="Links"><a href="{{ object.weburl }}">Data</a></td> -->
         <td data-title="Submitted">{{ object.created|multiTime:"nsubmitted" }}</td>
     </tr>
     {% endfor %}
     {% else %}
-    <tr><td>
-        No neighbors in range.
-      </td></tr>
+    <tr>
+      <td colspan=8>  No neighbors in range. </td>
+      </tr>
       {% endif %}
   </table>
-</div>

requirements.txt

@@ -3,21 +3,21 @@ adrf==0.1.2
 aws-xray-sdk==2.12.1
 concurrent-log-handler==0.9.20
 confluent-kafka==2.3.0
-cryptography==42.0.5
-Django==4.2.16
+cryptography==44.0.0
+Django==4.2.17
 django-computedfields==0.2.5
 django-debug-toolbar==4.3.0
 django-extensions==3.2.3
 django-guardian==2.4.0
 django-model-utils==4.3.1
 django-postgres-vacuum==2020.12.24
-django-ses==3.2.2
+django-ses==4.3.1
 django-silk==4.2.0
 django-twilio==0.14.3.2
 django-user-sessions==2.0.0
-djangorestframework==3.14.0
+djangorestframework==3.15.2
 djangorestframework-guardian==0.3.0
-dnspython==2.6.0
+dnspython==2.7.0
 flake8==3.9.2
 gevent==23.9.1
 gpstime==0.8.1
@@ -48,7 +48,7 @@ pymemcache==4.0.0
 #pyopenssl==23.0.0
 scipy==1.11.1
 scitokens==1.7.4
-sentry-sdk==1.40.1
+sentry-sdk==2.19.2
 service_identity==23.1.0
 simplejson==3.19.1
 six==1.16.0