Open
Conversation
…8863) Bumps the npm_and_yarn group with 1 update in the / directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). Updates `vite` from 7.3.1 to 7.3.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite) --- updated-dependencies: - dependency-name: vite dependency-version: 7.3.2 dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…GHSA-93x3-ghh7-72j3) (#8864) * fix: prevent ORM field injection via segment parameter in analytics (GHSA-93x3-ghh7-72j3) Centralize analytics field allowlists into VALID_ANALYTICS_FIELDS and VALID_YAXIS constants in analytics_plot.py. Add defense-in-depth validation in build_graph_plot() and extract_axis() so no caller can pass arbitrary field references to Django F() expressions. Add missing segment validation to SavedAnalyticEndpoint. Also fixes ExportAnalytics using "estimate_point" instead of "estimate_point__value". * fix: address PR review - remove unused imports and validate stored query params Remove unused VALID_ANALYTICS_FIELDS and VALID_YAXIS imports from analytic_plot_export.py. Add x_axis/y_axis allowlist validation in SavedAnalyticEndpoint for stored query_dict values to prevent 500 errors from malformed saved analytics.
#8744) When patching instance configuration values, the raw values from request.data were used directly without sanitization. This adds: - Whitespace stripping via str().strip() to prevent leading/trailing spaces from being stored - Explicit None handling so that null values become empty strings instead of the literal string "None"
* fix: update border for project timezone * feat: added scrollbar in keyboard shortcuts modal * fix: remove unnecessary changes * fix: remove redundant overflow
Intercom is no longer used. This removes all related frontend components, hooks, custom events, API config, types, and i18n keys.
* chore: update dependencies (Django, cryptography, axios, lodash) - Django 4.2.29 → 4.2.30 - cryptography 46.0.6 → 46.0.7 - axios 1.13.5 → 1.15.0 - lodash 4.17.23 → 4.18.0 * chore: update lodash from 4.18.0 to 4.18.1
Bumps the pip group with 1 update in the /apps/api/requirements directory: [pytest](https://github.com/pytest-dev/pytest). Updates `pytest` from 9.0.2 to 9.0.3 - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](pytest-dev/pytest@9.0.2...9.0.3) --- updated-dependencies: - dependency-name: pytest dependency-version: 9.0.3 dependency-type: direct:production dependency-group: pip ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
WorkspaceFileAssetEndpoint had no authorization checks beyond authentication, allowing any logged-in user to create, read, patch, and delete assets in any workspace by slug. DuplicateAssetEndpoint only authorized the destination workspace, letting users copy assets from workspaces they don't belong to. Add @allow_permission decorators to all WorkspaceFileAssetEndpoint methods and scope DuplicateAssetEndpoint's source asset lookup to workspaces where the caller is an active member. Ref: GHSA-qw87-v5w3-6vxx
* fix: replace IS_SELF_MANAGED toggle with explicit WEBHOOK_ALLOWED_IPS allowlist Instead of blanket-allowing all private IPs on self-managed deployments, webhook URL validation now blocks all private/internal IPs by default and only permits specific networks listed in the WEBHOOK_ALLOWED_IPS env variable (comma-separated IPs/CIDRs). * fix: address PR review comments for webhook SSRF protection - Sanitize error messages to avoid leaking internal details to clients - Guard against TypeError with mixed IPv4/IPv6 allowlist networks - Re-validate webhook URL at send time to prevent DNS-rebinding - Add unit tests for mixed-version IP network allowlists
* add context for project in relations API * modify issue relation serializer
) * fix: sanitize filenames in upload paths to prevent path traversal (GHSA-v57h-5999-w7xp) Add server-side filename sanitization across all file upload endpoints to prevent path traversal sequences (../) in user-supplied filenames from being incorporated into S3 object keys. While S3 keys are flat strings and not vulnerable to filesystem traversal, this adds defense-in-depth and prevents S3 key pollution. Changes: - Add sanitize_filename() utility in path_validator.py - Sanitize filenames in get_upload_path() for FileAsset and IssueAttachment models - Sanitize name parameter in all upload view endpoints * fix: address PR review feedback on filename sanitization - Remove unused `import re` - Normalize backslashes to forward slashes before os.path.basename() so Windows-style paths (e.g. ..\..\..\evil.txt) are handled on POSIX - Strip whitespace before removing leading dots so " .env" is caught - Return None instead of "unnamed" for empty input so existing `if not name` validation guards remain effective - Add `or "unnamed"` fallback at call sites that lack a name guard * fix: use random hex name as fallback in get_upload_path instead of "unnamed" * fix: resolve ruff E501 line too long in DuplicateAssetEndpoint
* chore(ci): suppress CodeQL file coverage deprecation warning Explicitly opt into the new default behavior where CodeQL skips computing file coverage information on pull requests for improved analysis performance. * Update .github/workflows/codeql.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Contributor
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Contributor
There was a problem hiding this comment.
Pull request overview
Release v1.3.1 updates dependencies, removes Intercom/chat-support UI/configuration, and tightens backend security around uploads/webhooks and analytics parameter validation.
Changes:
- Bump key dependencies (axios, vite, lodash, Django, cryptography, pytest) and regenerate pnpm lockfile.
- Remove Intercom/chat support feature surface (types, admin config UI, web sidebar/power-k entries, i18n strings).
- Add/expand backend hardening: filename sanitization for asset keys, webhook SSRF protection with optional allowlist, and stricter analytics axis validation.
Reviewed changes
Copilot reviewed 63 out of 64 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| pnpm-workspace.yaml | Bumps workspace catalog versions for axios and vite. |
| pnpm-lock.yaml | Updates lockfile for bumped dependencies (axios/vite/lodash and transitive deps). |
| package.json | Updates lodash override to 4.18.1. |
| packages/types/src/instance/base.ts | Removes Intercom-related instance config fields/types. |
| packages/i18n/src/locales/en/translations.ts | Removes chat/support-related translation keys. |
| packages/i18n/src/locales/de/translations.ts | Removes chat/support-related translation keys. |
| packages/i18n/src/locales/es/translations.ts | Removes chat/support-related translation keys. |
| packages/i18n/src/locales/fr/translations.ts | Removes chat/support-related translation keys. |
| packages/i18n/src/locales/id/translations.ts | Removes chat/support-related translation keys. |
| packages/i18n/src/locales/it/translations.ts | Removes chat/support-related translation keys. |
| packages/i18n/src/locales/ja/translations.ts | Removes chat/support-related translation keys. |
| packages/i18n/src/locales/ko/translations.ts | Removes chat/support-related translation keys. |
| packages/i18n/src/locales/pl/translations.ts | Removes chat/support-related translation keys. |
| packages/i18n/src/locales/pt-BR/translations.ts | Removes chat/support-related translation keys. |
| packages/i18n/src/locales/ro/translations.ts | Removes chat/support-related translation keys. |
| packages/i18n/src/locales/ru/translations.ts | Removes chat/support-related translation keys. |
| packages/i18n/src/locales/sk/translations.ts | Removes chat/support-related translation keys. |
| packages/i18n/src/locales/tr-TR/translations.ts | Removes chat/support-related translation keys. |
| packages/i18n/src/locales/ua/translations.ts | Removes chat/support-related translation keys (incl. “chat_with_us”). |
| packages/i18n/src/locales/vi-VN/translations.ts | Removes chat/support-related translation keys. |
| packages/i18n/src/locales/zh-CN/translations.ts | Removes chat/support-related translation keys. |
| packages/i18n/src/locales/zh-TW/translations.ts | Removes chat/support-related translation keys. |
| apps/web/core/hooks/use-chat-support.ts | Deletes chat support hook (Intercom trigger). |
| apps/web/core/custom-events/chat-support.ts | Deletes chat support custom event definitions. |
| apps/web/core/components/workspace/sidebar/help-section/root.tsx | Removes “message support” menu item and icon import. |
| apps/web/core/components/power-k/config/help-commands.ts | Removes “chat with us” Power-K command. |
| apps/web/core/components/project/form.tsx | Tweaks timezone dropdown button styling. |
| apps/web/core/components/power-k/ui/renderer/shortcut.tsx | Removes internal overflow scrolling (delegated to ScrollArea). |
| apps/web/core/components/power-k/ui/modal/shortcuts-root.tsx | Wraps shortcuts list with ScrollArea and adjusts layout/padding. |
| apps/web/core/components/onboarding/root.tsx | Skips role/use-case onboarding steps for self-managed instances. |
| apps/web/core/components/onboarding/header.tsx | Adjusts back-navigation + progress steps for self-managed mode. |
| apps/admin/app/(all)/(dashboard)/general/intercom.tsx | Removes Intercom configuration UI from admin. |
| apps/admin/app/(all)/(dashboard)/general/form.tsx | Removes Intercom section and related config update behavior. |
| apps/api/templates/emails/user/user_deactivation.html | Updates Twitter link to x.com. |
| apps/api/templates/emails/user/user_activation.html | Updates Twitter link to x.com. |
| apps/api/templates/emails/user/email_updated.html | Updates Twitter link to x.com. |
| apps/api/templates/emails/notifications/webhook-deactivate.html | Updates Twitter link to x.com in body + footer icon link. |
| apps/api/templates/emails/notifications/issue-updates.html | Updates Twitter link to x.com in footer icons. |
| apps/api/templates/emails/invitations/project_invitation.html | Updates Twitter link to x.com in footer icon. |
| apps/api/requirements/base.txt | Bumps Django and cryptography patch versions. |
| apps/api/requirements/test.txt | Bumps pytest patch version. |
| apps/api/plane/utils/path_validator.py | Adds sanitize_filename helper for path traversal mitigation. |
| apps/api/plane/utils/ip_address.py | Adds validate_url SSRF guard (DNS resolution + allowlist support). |
| apps/api/plane/settings/common.py | Adds WEBHOOK_ALLOWED_IPS parsing from env for SSRF allowlisting. |
| apps/api/plane/bgtasks/webhook_task.py | Re-validates webhook URL at send time (DNS rebinding mitigation). |
| apps/api/plane/app/serializers/webhook.py | Refactors webhook URL SSRF/domain validation using validate_url. |
| apps/api/plane/utils/instance_config_variables/core.py | Removes Intercom config variables from instance config set. |
| apps/api/plane/license/api/views/instance.py | Removes Intercom fields from instance config response. |
| apps/api/plane/utils/analytics_plot.py | Centralizes allowed analytics fields and validates x/y/segment values. |
| apps/api/plane/app/views/analytic/base.py | Reuses centralized analytics validation constants. |
| apps/api/plane/tests/unit/bg_tasks/test_work_item_link_task.py | Adds unit tests for SSRF allowlist behavior. |
| apps/api/plane/space/views/asset.py | Sanitizes asset “name” when generating storage keys. |
| apps/api/plane/app/views/issue/attachment.py | Sanitizes attachment “name” when generating storage keys. |
| apps/api/plane/api/views/asset.py | Sanitizes asset “name” for presigned upload endpoints. |
| apps/api/plane/db/models/issue.py | Sanitizes upload filenames for issue uploads. |
| apps/api/plane/db/models/asset.py | Sanitizes upload filenames for generic assets. |
| apps/api/plane/app/views/asset/v2.py | Sanitizes asset names; adds workspace-level permission decorators; scopes duplication source asset by workspace membership. |
| apps/api/plane/api/views/issue.py | Sanitizes attachment names; changes work-item relations response to include project_id + issue_id pairs. |
| apps/api/plane/api/serializers/issue.py | Updates relations response serializer to {project_id, issue_id} objects. |
| apps/api/plane/license/api/views/configuration.py | Normalizes config PATCH values (string coercion + strip). |
| apps/api/plane/app/views/issue/sub_issue.py | Refactors sub-issue annotations; ensures counts default to 0 and IDs aggregated via subqueries. |
| README.md | Updates Twitter link label/URL to X. |
| .github/workflows/codeql.yml | Disables CodeQL file coverage on PRs via env var. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
| # Django imports | ||
| from django.utils import timezone | ||
| from django.db.models import OuterRef, Func, F, Q, Value, UUIDField, Subquery | ||
| from django.db.models import OuterRef, Func, F, Q, Value, UUIDField, Subquery, Count, IntegerField |
There was a problem hiding this comment.
Func is imported from django.db.models but no longer used in this module. Since apps/api is Ruff-linted with F401 enabled, this unused import will fail CI; please remove Func from the import list.
Suggested change
| from django.db.models import OuterRef, Func, F, Q, Value, UUIDField, Subquery, Count, IntegerField | |
| from django.db.models import OuterRef, F, Q, Value, UUIDField, Subquery, Count, IntegerField |
Comment on lines
+41
to
+48
| for addr in addr_info: | ||
| ip = ipaddress.ip_address(addr[4][0]) | ||
| if ip.is_private or ip.is_loopback or ip.is_reserved or ip.is_link_local: | ||
| if allowed_ips and any( | ||
| network.version == ip.version and ip in network for network in allowed_ips | ||
| ): | ||
| continue | ||
| raise ValueError("Access to private/internal networks is not allowed") |
There was a problem hiding this comment.
validate_url blocks private/loopback/reserved/link-local addresses, but it still permits other non-public targets like multicast (224.0.0.0/4), unspecified (0.0.0.0/::), and potentially other non-globally-routable ranges. For SSRF protection, consider also rejecting ip.is_multicast and ip.is_unspecified (and optionally ip.is_global == False) unless explicitly allowlisted via allowed_ips.
Comment on lines
2349
to
2358
| response_data = { | ||
| "blocking": relation_ids["blocking_ids"], | ||
| "blocked_by": relation_ids["blocked_by_ids"], | ||
| "duplicate": list(set(relation_ids["duplicate_ids"] + relation_ids["duplicate_ids_related"])), | ||
| "relates_to": list(set(relation_ids["relates_to_ids"] + relation_ids["relates_to_ids_related"])), | ||
| "start_after": relation_ids["start_after_ids"], | ||
| "start_before": relation_ids["start_before_ids"], | ||
| "finish_after": relation_ids["finish_after_ids"], | ||
| "finish_before": relation_ids["finish_before_ids"], | ||
| "blocking": [], | ||
| "blocked_by": [], | ||
| "duplicate": [], | ||
| "relates_to": [], | ||
| "start_after": [], | ||
| "start_before": [], | ||
| "finish_after": [], | ||
| "finish_before": [], | ||
| } |
There was a problem hiding this comment.
The list_work_item_relations response shape changes from arrays of issue UUIDs to arrays of {project_id, issue_id} objects. This is a breaking API change for any existing clients; if this endpoint is already public/stable, consider preserving backward compatibility (e.g., include both formats or introduce a new versioned field/endpoint) and updating the API docs/changelog accordingly.
* chore: update CODEOWNERS for apps and deployments Assign owners per app/area so reviews are routed to the right maintainers. * chore: update the codeowners
…8920) * chore: add Claude Code skills for PR descriptions and release notes * chore(skills): update release-notes branches to canary->master and example version to v1.3.0 * chore(skills): address PR review comments - pr-description: infer base branch from PR metadata, fix Improvement wording, reference template's screenshot placeholder verbatim - release-notes: add `text` language to unlabeled fenced code block
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.