mirror of
https://github.com/inventree/InvenTree.git
synced 2026-05-09 03:03:41 +00:00
Backport (#11686)
* Ensure the MeUserSerializer correctly marks fields as read-only
* fix behaviour
* Add note to plugin docs.
* Adjust logic for PluginListTable
* Add superuser scope to PluginInstall API endpoint
* Update unit test for API endpoint
* Explicitly set PLUGINS_INSTALL_DISABLED if PLUGINS_ENABLED = False
* Check for superuser permission in installer.py
* Additional user checks
* Sanitize package name to protect against OS command injection
* fix(security): use SandboxedEnvironment for PART_NAME_FORMAT rendering
- Switch jinja2.Environment to jinja2.sandbox.SandboxedEnvironment in
part/helpers.py to prevent SSTI via template tags in PART_NAME_FORMAT.
- Set pk=1 on the dummy Part instance in the validator to ensure
conditional expressions like {% if part.pk %} are properly evaluated
during validation, closing the sandbox bypass vector.
Fixes GHSA-84jh-x777-8pqq
* Disable some unit tests for backport
* Fix SSRF in remote image download
Add IP address validation to prevent Server-Side Request Forgery
when downloading images from remote URLs. The resolved IP is now
checked against private, loopback, link-local, and reserved ranges
before connecting.
Redirects are followed manually (up to 5 hops) with SSRF validation
at each step, preventing redirect-based bypass of URL format checks.
* Style fixes
* fix styles
* fix test
* Reintroduce unit tests
---------
Co-authored-by: Paul <morimori-dev@github.com>
Co-authored-by: tikket1 <chrisveres1@gmail.com>
Co-authored-by: Matthias Mair <code@mjmair.com>
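The SSRF check the commit message describes for the remote image download, resolving the host and rejecting private, loopback, link-local and reserved addresses before connecting, and following redirects by hand for at most five hops with the same check at every hop, as an added example written for this page. It is not InvenTree's own code: the `opener` and `resolver` callables, the hostnames under `.test`, the addresses and the responses are all constructed so the block runs offline.

```python
"""SSRF-safe remote fetch: resolve, check every address, follow redirects by hand.

Added example (not InvenTree code). Hostnames, addresses and HTTP responses
below are constructed stand-ins so the demo runs without network access.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5                       # "up to 5 hops", as in the commit message
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# opener(url) -> (status, headers, body). It must NOT follow redirects itself,
# otherwise the per-hop check in fetch_remote_image is skipped.
Opener = Callable[[str], Tuple[int, Dict[str, str], bytes]]
Resolver = Callable[[str], List[str]]


class SSRFError(ValueError):
    """Raised when a URL, or a redirect target, points at a blocked address."""


def is_blocked_address(address: str) -> bool:
    """True for any address a server-side fetch must never talk to."""
    ip = ipaddress.ip_address(address)
    return (
        ip.is_private         # RFC 1918, ULA, documentation ranges, ...
        or ip.is_loopback     # 127.0.0.0/8, ::1
        or ip.is_link_local   # 169.254.0.0/16, fe80::/10
        or ip.is_reserved     # 240.0.0.0/4 and IPv6 reserved blocks
        or ip.is_multicast
        or ip.is_unspecified
        or not ip.is_global   # shared address space (100.64.0.0/10) and similar
    )


def default_resolver(host: str) -> List[str]:
    """Resolve a hostname or IP literal to all of its addresses with the system resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_remote_url(url: str, resolver: Resolver = default_resolver) -> List[str]:
    """Check scheme and host, resolve, and reject if ANY resolved address is blocked.

    Returns the resolved addresses so the caller can pin the connection to them
    instead of letting the HTTP client resolve the name a second time.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise SSRFError(f"unsupported scheme {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise SSRFError("URL has no host")
    addresses = resolver(host)
    if not addresses:
        raise SSRFError(f"could not resolve {host!r}")
    for address in addresses:
        if is_blocked_address(address):
            raise SSRFError(f"{host!r} resolves to blocked address {address}")
    return addresses


def fetch_remote_image(url: str, opener: Opener, resolver: Resolver = default_resolver,
                       max_redirects: int = MAX_REDIRECTS) -> bytes:
    """Fetch url, following at most max_redirects redirects, validating every hop."""
    current = url
    for _hop in range(max_redirects + 1):
        validate_remote_url(current, resolver)          # check BEFORE connecting
        status, headers, body = opener(current)
        if status in REDIRECT_STATUSES:
            location = headers.get("Location")
            if not location:
                raise SSRFError(f"redirect from {current!r} without a Location header")
            current = urljoin(current, location)        # relative Location resolved against this hop
            continue
        if status != 200:
            raise SSRFError(f"unexpected status {status} from {current!r}")
        return body
    raise SSRFError(f"more than {max_redirects} redirects starting from {url!r}")


# ---- constructed, offline stand-ins for DNS and HTTP (not real hosts or data) ----
FAKE_DNS: Dict[str, List[str]] = {
    "img.example.test": ["1.2.3.4"],            # public address for the demo
    "cdn.example.test": ["1.2.3.5"],
    "evil.example.test": ["1.2.3.6"],           # public itself, but redirects inward
    "loop.example.test": ["1.2.3.7"],
    "intranet.example.test": ["10.0.0.8"],      # private: rejected before any connection
}
FAKE_HTTP: Dict[str, Tuple[int, Dict[str, str], bytes]] = {
    "https://img.example.test/a.png": (302, {"Location": "https://cdn.example.test/a.png"}, b""),
    "https://cdn.example.test/a.png": (200, {}, b"\x89PNG...constructed..."),
    "https://evil.example.test/r": (302, {"Location": "http://127.0.0.1:8000/media/x.png"}, b""),
    "https://loop.example.test/": (302, {"Location": "/"}, b""),   # redirects to itself forever
}


def fake_resolver(host: str) -> List[str]:
    """Dict-backed resolver; IP literals resolve to themselves, as getaddrinfo would."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def fake_opener(url: str) -> Tuple[int, Dict[str, str], bytes]:
    return FAKE_HTTP.get(url, (404, {}, b""))


def fetch_outcome(url: str) -> str:
    """Run the fetch against the fakes and report 'ok' or the SSRFError message."""
    try:
        fetch_remote_image(url, fake_opener, fake_resolver)
        return "ok"
    except SSRFError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    for u in ("https://img.example.test/a.png", "https://intranet.example.test/a.png",
              "https://evil.example.test/r", "https://loop.example.test/", "http://[::1]/a.png"):
        print(f"{u:40} -> {fetch_outcome(u)}")
```

Two design points worth keeping when adapting this: every resolved address is checked, not just the first, because a name with one public and one internal record must still be rejected; and the validation result is returned so the caller can connect to the validated address rather than letting the HTTP library resolve the name again, which would reopen a rebinding window between check and connect.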
@@ -1,4 +1,5 @@
import { expect, test } from './baseFixtures.js';
import { adminuser } from './defaults.js';
import { activateTableView, loadTab } from './helpers.js';
import { doCachedLogin } from './login.js';
import { setPluginState } from './settings.js';
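Review bot: the +/- markers were dropped in this rendering, so which of these five import lines is the single added one (-1,4 +1,5) is not visible; the second hunk's use of `adminuser` makes `import { adminuser } from './defaults.js';` the only candidate, and it comes from the same test-helper directory as `baseFixtures.js` and `login.js`, so nothing else to raise on the imports.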
@@ -6,7 +7,8 @@ import { setPluginState } from './settings.js';
// Test for the label editing interface
test('Printing - Label Editing', async ({ browser }) => {
const page = await doCachedLogin(browser, {
user: adminuser,
username: adminuser.username,
password: adminuser.password,
url: 'settings/admin/labels'
});
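Review bot: `doCachedLogin` is handed both the `user: adminuser` object and the separate `username: adminuser.username` / `password: adminuser.password` fields, which repeat what the object already carries; if the helper reads the credentials from `user`, drop the two explicit fields (or the reverse) so the spec has one source of truth for which account it logs in as. Since the test now opens `settings/admin/labels` as the admin account, a companion check that a non-admin user is refused that page would pin down the permission boundary the backport's "Additional user checks" are about.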