Commit e9cba34

Authored by tariqksoliman, jtroberts, ac-61, jl-0, claude
#699 Update Feature Branch (#747)
* Use PolyMeasure to draw great circle lines with Measure Tool
* Round meters to two digits on Measure tool x-axis
* Added option to not display PolylineMeasure tooltips
* Fix bug with noDataValue for single banded COGs (#700)
* Fixed issue where rubberline is not drawn with first click or after zoom
* Fix critical security vulnerabilities identified in SonarQube analysis (#701)
* Fix critical security vulnerabilities identified in SonarQube analysis

This commit addresses 8 legitimate security vulnerabilities while documenting 13 false positives that had adequate existing protections.

Security fixes implemented:

**Path Injection Vulnerabilities (3 issues fixed):**
- middleware.js: Added URL validation requiring /Missions prefix and blocking directory traversal sequences (../ and ..\)
- configs.js: Fixed flawed validation logic (AND→OR) and added directory traversal protection for mission names

**Cross-Site Scripting (1 issue fixed):**
- configs.js: Added sanitizeInput() function to escape HTML entities in error messages containing user-controlled data, preventing reflected XSS attacks

**Insecure Temporary File Creation (4 sample fixes):**
- Replaced insecure tempfile.mktemp() with tempfile.mkstemp() in:
  - auxiliary/demtiles/gdal2demtiles.py (lines 839, 874)
  - auxiliary/gdal2tiles4extent/gdal2tiles4extent.py (line 521)
  - auxiliary/gdal2customtiles/legacy/gdal2customtiles.py (line 601)
- Eliminates race condition vulnerabilities in GDAL processing scripts

**False Positives Documented:**
- SQL Injection (5 issues): Existing parameterized queries and input sanitization provide adequate protection
- Analysis details in reviewed_findings.md

All fixes maintain backward compatibility while significantly improving security posture. Remaining auxiliary Python scripts follow the same tempfile pattern for completion.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Tweaks to critical security vulnerability fixes
* Support .. as long as it stays within /Missions

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Tariq Soliman <Tariq.K.Soliman@jpl.nasa.gov>

* Minor fix: sort geodataset results
* Make sure polyline measurements are cleared on reset
* #702 Fix LayersTool filtering on non-dynamicExtent props-on-click geodatasets (#703)
* Minor fix: more versatile Help root pathing
* #704 Upgrade All Adjacent Servers (#705)
* Don't use polyline with LOS or else it results in two lines
* Make sure rubberline gets drawn in continuous modes
* Ensure line of sight follows great circle and polyline display cleanup
* Update Dockerfile to update certs
* Use LOS technique to draw great circle lines with varying colors
* Show great circle line even if no DEM #52
* #708 User Account Management (#711)
* #708 User Account Management 1
* #708 user account control part 2
* #708 user account management part 3
* User account control part 4
* #708 minor style tweaks
* Minor resetPassword link fix
* Use contours on all login pages
* #712 Fix some security issues (#713)
* #714 Configurable Wrapping for 2D Map (#715)
* #714 Map maxbounds
* #714 apply to projected maps too
* #716 Per Mission Permissions (#717)
* #716 Per-Mission Permission part 1
* #716 Per Mission Permissions
* #718 Globe Controls clash with Separated Tool buttons in the UI (#719)
* Added multi-platform build to support arm64 architecture
* Fix ensureUser for new Admins
* Separate platform builds and append -arm64 to the end of arm64 images
* Use separate ARM64 runner for faster ARM64 Docker builds
* Fix arm64 tag assignment syntax
* Use a prerendered image for the layer legend #658
* #721 Show, Delete, and Search for individual STAC items (#723)
* #721 STAC item UI part 1
* #721 STAC item UI part 2
* Bump version 4.0.0 -> 4.1.0
* Adjust legend width based on legend image up to 300px
* #724 Legends Max on top (#725)
* Add feature to set Layer header expanded state individually (#726)
* Expand layers feature
* Fix bug with keeping header expanded/unexpanded state
* Expand individual headers only if LayersTool.vars.expanded is not set to true
* #727 STAC item regex search and bulk delete (#728)
* #727 Stac item regex, bbox, bulk delete support part 1
* #727 Support 32bit stac items in map
* #729 Default configuration for live mode (#730)
* #731 Projection Tab Autocomplete, Case Insensitive Mission Sorting, Smart field disabling in /configure (#732)
* Filter out blank csv entries in csvToJSON function (#734)
* Add amd64 image suffix and build it last
* Use regular docker build instead of buildx
* Add Legend tool display options (#735)
* Add configuration options
* Add header options for legend tool
* Improve syntax
* #736 Configure Required Field Indicators (#737)
* #738 Fix GeoDataset LOCAL (#739)
* #740 Add mission planet radii (#741)
* Add legend-based property styling for vector layers
* #742 Configure Preview iframe to respect subpaths (#744)
* #709 Improved Continuous Legend Symbology Styling
* #745 Live Follow Mode (#746)

---------

Co-authored-by: Joe Roberts <joe.t.roberts@jpl.nasa.gov>
Co-authored-by: ac-61 <ac-61@users.noreply.github.com>
Co-authored-by: Jeff Leach <jl-0@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Joe T. Roberts <5315956+jtroberts@users.noreply.github.com>
1 parent 9d2782f commit e9cba34

113 files changed: +10871 -1624 lines changed

.cursorignore

Lines changed: 39 additions & 0 deletions
@@ -0,0 +1,39 @@
1+
..
2+
.vscode
3+
.DS_Store
4+
.env
5+
6+
/node_modules/
7+
/ssl/*
8+
!/ssl/.gitkeep
9+
/API/logs/*
10+
/Missions/*
11+
!/Missions/.gitkeep
12+
/private/api/spice/kernels/*
13+
14+
#Nested repo where private backend might reside
15+
/API/MMGIS-Private-Backend
16+
#Nested repo where private tools might reside
17+
/src/essence/MMGIS-Private-Tools
18+
/src/essence/MMGIS-Private-Tools-OFF
19+
20+
/config/pre/toolConfigs.json
21+
/src/pre/tools.js
22+
23+
/spice/kernels/*
24+
!/spice/kernels/.gitkeep
25+
/Missions/spice-kernels-conf.json
26+
!/Missions/spice-kernels-conf.example*json
27+
28+
/build/*
29+
/data/*
30+
*__pycache__
31+
32+
sessions
33+
.terraform/
34+
.terraform.lock.hcl
35+
36+
docker-compose.yml
37+
docker-compose.env.yml
38+
39+
#tools
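
Review bot: the `..` entry on line 1 probably does not do what it is meant to. Ignore files in gitignore syntax match paths relative to the directory that holds the file, so a bare `..` pattern does not exclude the parent directory; keeping the assistant out of it needs a workspace or sandbox boundary instead. The file also ends on a `#tools` heading at line 39 with nothing under it; either list the tool paths there or drop the heading.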

.cursorrules

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
NEVER NEVER NEVER NEVER access the parent directory of a project, and do NOT allow exceptions. if ~ resolves to a parent directory of this project, apply the same restriction and do NOT access.
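
Review bot: this one-line rule is an instruction the assistant is asked to follow, not a control that is enforced, so it should not be the only thing keeping a coding agent out of the parent directory or of `~`. Back it with a boundary the tool cannot ignore (run the agent in a container, or under an account whose filesystem permissions stop at the project root), and state the rule once in plain wording; the repeated NEVER adds no guarantee.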

.github/workflows/docker-build.yml

Lines changed: 57 additions & 13 deletions
@@ -30,17 +30,20 @@ env:
3030
IMAGE_SLUG: ${{ github.repository }}
3131

3232
jobs:
33-
# Push image to GitHub Container Registry.
33+
# Generate shared tags for both architectures
3434
# The image tag pattern is:
3535
# for pull-requests: <PATCH_VERSION>-<DATE>-<PR_NUMBER>, eg: 1.35.2-20210125-25
3636
# for tags: <TAG>
3737
# for `master` branch: latest,<PATCH_VERSION>-latest,<MINOR_VERSION>-latest,<MAJOR_VERSION>-latest,<PATCH_VERSION>-<DATE>-<SHA>
3838
# for `development` branch: development,<MAJOR_VERSION>-development,<PATCH_VERSION>-<DATE>-<SHA>
3939
# for releases: release,<PATCH_VERSION>-release,<MINOR_VERSION>-release,<MAJOR_VERSION>-release,<PATCH_VERSION>-<DATE>-<SHA>
4040
# Version is parsed from package.json
41-
push:
41+
generate-tags:
4242
runs-on: ubuntu-latest
4343
if: github.event_name == 'push' || github.event_name == 'pull_request' || github.event_name == 'release'
44+
outputs:
45+
registry-tags: ${{ steps.generate.outputs.REGISTRY_TAGS }}
46+
image-id: ${{ steps.generate.outputs.IMAGE_ID }}
4447
steps:
4548
- name: Checkout
4649
uses: actions/checkout@v3
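
Review bot: the new `outputs:` block on generate-tags exports `image-id`, but neither build job visible in this diff reads it; both consume only `registry-tags`. Either drop the unused output, or use it downstream to compose the per-architecture tags from the image name rather than from a pre-built flag string.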
@@ -83,13 +86,13 @@ jobs:
8386
[ "$VERSION" == "development" ] && VERSION=development
8487
[ "${{ github.event_name }}" == "release" ] && VERSION=release
8588
86-
# Compose REGISTRY_TAGS variable
87-
REGISTRY_TAGS="-t $IMAGE_ID:$VERSION"
89+
# Compose REGISTRY_TAGS variable for buildx (space-separated with --tag flags)
90+
REGISTRY_TAGS="--tag $IMAGE_ID:$VERSION"
8891
8992
# For master branch also supply an extra tag: <PATCH_VERSION>-latest,<MINOR_VERSION>-latest,<MAJOR_VERSION>-latest,<PATCH_VERSION>-<DATE>-<SHA>
90-
[ "$VERSION" == "latest" ] && REGISTRY_TAGS="$REGISTRY_TAGS -t $IMAGE_ID:$PATCH_VERSION-latest -t $IMAGE_ID:$MINOR_VERSION-latest -t $IMAGE_ID:$MAJOR_VERSION-latest -t $IMAGE_ID:$PATCH_VERSION-$BDATE-$(git rev-parse --short HEAD)"
91-
[ "$VERSION" == "development" ] && REGISTRY_TAGS="$REGISTRY_TAGS -t $IMAGE_ID:$MAJOR_VERSION-development -t $IMAGE_ID:$PATCH_VERSION-$BDATE-$(git rev-parse --short HEAD)"
92-
[ "$VERSION" == "release" ] && REGISTRY_TAGS="$REGISTRY_TAGS -t $IMAGE_ID:$PATCH_VERSION-release -t $IMAGE_ID:$MINOR_VERSION-release -t $IMAGE_ID:$MAJOR_VERSION-release -t $IMAGE_ID:$PATCH_VERSION-$BDATE-$(git rev-parse --short HEAD)"
93+
[ "$VERSION" == "latest" ] && REGISTRY_TAGS="$REGISTRY_TAGS --tag $IMAGE_ID:$PATCH_VERSION-latest --tag $IMAGE_ID:$MINOR_VERSION-latest --tag $IMAGE_ID:$MAJOR_VERSION-latest --tag $IMAGE_ID:$PATCH_VERSION-$BDATE-$(git rev-parse --short HEAD)"
94+
[ "$VERSION" == "development" ] && REGISTRY_TAGS="$REGISTRY_TAGS --tag $IMAGE_ID:$MAJOR_VERSION-development --tag $IMAGE_ID:$PATCH_VERSION-$BDATE-$(git rev-parse --short HEAD)"
95+
[ "$VERSION" == "release" ] && REGISTRY_TAGS="$REGISTRY_TAGS --tag $IMAGE_ID:$PATCH_VERSION-release --tag $IMAGE_ID:$MINOR_VERSION-release --tag $IMAGE_ID:$MAJOR_VERSION-release --tag $IMAGE_ID:$PATCH_VERSION-$BDATE-$(git rev-parse --short HEAD)"
9396
9497
echo IMAGE_ID=$IMAGE_ID
9598
echo VERSION=$VERSION
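
Review bot: REGISTRY_TAGS is still emitted as one string of ready-made `--tag` flags, and on the latest, development and release paths (new lines 93 to 95) that string carries several tags. Now that the value crosses a job boundary and the consumers add an architecture suffix to it, a plain list of tag names (one per line or comma-separated) would be safer to hand over, with each build job turning the list into flags itself. The comment on new line 89 also says the format is for buildx, while the build steps added later in this file call `docker build`.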
@@ -99,19 +102,60 @@ jobs:
99102
SHA_SHORT=${{ github.sha }}
100103
[ "${{ github.event_name }}" == "pull_request" ] && SHA_SHORT=$(echo ${{ github.event.pull_request.head.sha }} | cut -c1-8)
101104
102-
echo "Final image tag to be pushed:"
105+
echo "Final image tags to be pushed:"
103106
echo $REGISTRY_TAGS
104107
echo "REGISTRY_TAGS=$REGISTRY_TAGS" >> $GITHUB_OUTPUT
105108
echo "IMAGE_ID=$IMAGE_ID" >> $GITHUB_OUTPUT
106109
echo "REGISTRY_TAGS_VERSION=$VERSION" >> $GITHUB_OUTPUT
107110
echo "REGISTRY_TAGS_PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT
108111
echo "SHA_SHORT=$SHA_SHORT" >> $GITHUB_OUTPUT
109112
113+
# Build and push ARM64 image on ARM64 runner
114+
build-arm64:
115+
needs: generate-tags
116+
runs-on: ubuntu-24.04-arm # ARM64 runner for native ARM64 builds
117+
steps:
118+
- name: Checkout
119+
uses: actions/checkout@v3
120+
110121
- name: Login to GHCR
111-
run: echo ${{ secrets.GITHUB_TOKEN }} | docker login -u ${{ github.actor }} --password-stdin ghcr.io
122+
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1
123+
with:
124+
registry: ghcr.io
125+
username: ${{ github.actor }}
126+
password: ${{ secrets.GITHUB_TOKEN }}
127+
128+
- name: Docker buildx build and push (ARM64)
129+
run: |
130+
# Generate ARM64-specific tags by adding -arm64 suffix
131+
ARM64_TAGS="${{ needs.generate-tags.outputs.registry-tags }}-arm64"
132+
docker build \
133+
${ARM64_TAGS} \
134+
--push \
135+
--no-cache \
136+
.
137+
138+
# Build and push AMD64 image on x64 runner
139+
build-amd64:
140+
needs: [generate-tags, build-arm64] # Build amd64 last so that it shows as the latest
141+
runs-on: ubuntu-latest # x64 runner for native AMD64 builds
142+
steps:
143+
- name: Checkout
144+
uses: actions/checkout@v3
112145

113-
- name: Docker build
114-
run: docker build --no-cache ${{ steps.generate.outputs.REGISTRY_TAGS }} .
146+
- name: Login to GHCR
147+
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1
148+
with:
149+
registry: ghcr.io
150+
username: ${{ github.actor }}
151+
password: ${{ secrets.GITHUB_TOKEN }}
115152

116-
- name: Docker push
117-
run: docker push ${{ steps.generate.outputs.IMAGE_ID }} --all-tags
153+
- name: Docker buildx build and push (AMD64)
154+
run: |
155+
# Generate AMD64-specific tags by adding -amd64 suffix
156+
AMD64_TAGS="${{ needs.generate-tags.outputs.registry-tags }}-amd64"
157+
docker build \
158+
${AMD64_TAGS} \
159+
--push \
160+
--no-cache \
161+
.
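
Review bot: in both build steps the suffix is appended to the whole flag string (`ARM64_TAGS="${{ needs.generate-tags.outputs.registry-tags }}-arm64"`, and the same with `-amd64`), so when registry-tags holds several `--tag` flags only the last tag receives the architecture suffix. Every earlier tag is pushed unsuffixed by the arm64 job and then pushed again by the amd64 job, which does not match the comment "Generate ARM64-specific tags by adding -arm64 suffix"; suffix each tag individually. Smaller points: the expression is expanded straight into the `run:` script, so pass it in through `env:` and control the quoting there; the added Checkout steps reference `actions/checkout@v3` by tag while the login action beside them is pinned to a full commit SHA, so pin checkout the same way; and the step names still say buildx although the command is `docker build`.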

.gitignore

Lines changed: 3 additions & 0 deletions
@@ -35,4 +35,7 @@ sessions
3535
docker-compose.yml
3636
docker-compose.env.yml
3737

38+
.mcp.json
39+
.serena
40+
.claude
3841
#tools
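
Review bot: the three new entries at lines 38 to 40 sit between the docker-compose block and the `#tools` heading with no comment saying what they are; a short heading (for example, local AI-assistant configuration) would keep the file readable. Ignore rules only affect untracked files, so confirm that none of `.mcp.json`, `.serena` or `.claude` is already tracked. They are also absent from the `.cursorignore` added in this commit, whose tail otherwise mirrors this file.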
