release: v1.2.2#8645

Open
sriramveeraghanta wants to merge 8 commits intomasterfrom
release/v1.2.2

Conversation

@sriramveeraghanta
Member

@sriramveeraghanta sriramveeraghanta commented Feb 20, 2026

Security patch

  • Fixed arbitrary modification of API token rate limits by enforcing server-side validation and authorization checks.
  • Mitigated SSRF vulnerability in work item link handling through strict URL validation and outbound request controls.
  • Fixed member information disclosure via publicly accessible endpoint by applying proper access control checks.
  • Resolved IDOR vulnerabilities in asset and attachment endpoints to prevent unauthorized resource access.
  • Upgraded Django to 4.2.28.
  • Upgraded cryptography to 46.0.5.

* fix: idor issues in project assets and issue attachments

* fix: comments
Copilot AI review requested due to automatic review settings February 20, 2026 12:40
@coderabbitai
Contributor

coderabbitai bot commented Feb 20, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Contributor

Copilot AI left a comment


Pull request overview

Release bump to v1.2.2 across the monorepo, with a small API hardening to scope FileAsset operations to the workspace/project/issue from the request path.

Changes:

  • Bump package/app versions from 1.2.1 to 1.2.2.
  • Scope issue attachment deletion to workspace__slug, project_id, and issue_id (returning 404 when not found).
  • Scope project asset upload finalization (PATCH) to workspace__slug and project_id.

Reviewed changes

Copilot reviewed 22 out of 22 changed files in this pull request and generated 1 comment.

File Description
packages/utils/package.json Version bump to 1.2.2
packages/ui/package.json Version bump to 1.2.2
packages/typescript-config/package.json Version bump to 1.2.2
packages/types/package.json Version bump to 1.2.2
packages/tailwind-config/package.json Version bump to 1.2.2
packages/shared-state/package.json Version bump to 1.2.2
packages/services/package.json Version bump to 1.2.2
packages/propel/package.json Version bump to 1.2.2
packages/logger/package.json Version bump to 1.2.2
packages/i18n/package.json Version bump to 1.2.2
packages/hooks/package.json Version bump to 1.2.2
packages/editor/package.json Version bump to 1.2.2
packages/constants/package.json Version bump to 1.2.2
packages/codemods/package.json Version bump to 1.2.2
package.json Root version bump to 1.2.2
apps/web/package.json App version bump to 1.2.2
apps/space/package.json App version bump to 1.2.2
apps/live/package.json App version bump to 1.2.2
apps/api/package.json App version bump to 1.2.2
apps/admin/package.json App version bump to 1.2.2
apps/api/plane/app/views/issue/attachment.py Restrict attachment deletion query by workspace/project/issue; 404 when not found
apps/api/plane/app/views/asset/v2.py Restrict asset patch query by workspace/project
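The hardening Copilot describes above (scoping the attachment lookup to the workspace slug, project id and issue id taken from the request path, and answering 404 when the row does not match) is the standard fix for this class of IDOR. The following is an added, constructed illustration of that pattern, not Plane's code: it does not use Django, and the record fields, function names and sample rows are assumptions chosen to show the before/after behaviour side by side.

```python
"""Constructed illustration of the IDOR fix pattern: scope a lookup to the
path parameters instead of trusting the object id alone.  Not Plane's code;
no Django.  Field names, function names and sample data are assumptions."""

from dataclasses import dataclass


@dataclass
class Attachment:
    id: int
    workspace_slug: str
    project_id: int
    issue_id: int
    name: str


@dataclass
class Response:
    status: int
    body: str


# Constructed sample table: two unrelated workspaces, one attachment each.
ATTACHMENTS = [
    Attachment(1, "acme", 10, 100, "design.pdf"),
    Attachment(2, "globex", 20, 200, "contract.pdf"),
]


def delete_attachment_unscoped(table, pk):
    """Before the fix: the row is looked up by primary key only.  The path
    the caller used (its own workspace/project/issue) never enters the
    query, so any id that exists can be acted on from any scope."""
    for row in table:
        if row.id == pk:
            table.remove(row)
            return Response(204, "")
    return Response(404, "not found")


def delete_attachment_scoped(table, workspace_slug, project_id, issue_id, pk):
    """After the fix: every path component participates in the lookup, the
    in-memory equivalent of an ORM filter on workspace slug, project id,
    issue id and pk together.  A row that exists but belongs to another
    scope is answered exactly like a missing row (404), so the response
    does not even confirm that the id is valid."""
    for row in table:
        if (
            row.id == pk
            and row.workspace_slug == workspace_slug
            and row.project_id == project_id
            and row.issue_id == issue_id
        ):
            table.remove(row)
            return Response(204, "")
    return Response(404, "not found")


def demo():
    """Replay the same request against both handlers.  The caller is a
    member of 'acme' (path acme/10/100) and supplies the id of globex's
    attachment.  Returns (unscoped_status, scoped_status, rows_left)."""
    table_a = [Attachment(**vars(r)) for r in ATTACHMENTS]
    table_b = [Attachment(**vars(r)) for r in ATTACHMENTS]
    unscoped = delete_attachment_unscoped(table_a, pk=2).status
    scoped = delete_attachment_scoped(table_b, "acme", 10, 100, pk=2).status
    return unscoped, scoped, len(table_b)


if __name__ == "__main__":
    print(demo())
```

The scoped lookup complements, rather than replaces, the permission check that gates the workspace and project in the path: the path check establishes that the caller may act in that scope, and the scoped query guarantees the object actually lives there. Both are needed for the fix the PR description calls "proper access control checks".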

dependabot bot and others added 6 commits February 20, 2026 18:27
Bumps the pip group with 1 update in the /apps/api/requirements directory: [cryptography](https://github.com/pyca/cryptography).

Updates `cryptography` from 44.0.1 to 46.0.5
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@44.0.1...46.0.5)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.5
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2 participants