release: v1.2.2

apps/admin/package.json

@@ -1,7 +1,7 @@
 {
   "name": "admin",
   "description": "Admin UI for Plane",
-  "version": "1.2.1",
+  "version": "1.2.2",
   "license": "AGPL-3.0",
   "private": true,
   "type": "module",

apps/api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "plane-api",
-  "version": "1.2.1",
+  "version": "1.2.2",
   "license": "AGPL-3.0",
   "private": true,
   "description": "API server powering Plane's backend"

apps/api/plane/app/serializers/api.py

@@ -15,6 +15,9 @@ class Meta:
             "updated_at",
             "workspace",
             "user",
+            "is_active",
+            "last_used",
+            "user_type",
         ]
 
 

apps/api/plane/app/views/asset/v2.py

@@ -603,7 +603,7 @@ def post(self, request, slug, project_id):
     @allow_permission([ROLE.ADMIN, ROLE.MEMBER, ROLE.GUEST])
     def patch(self, request, slug, project_id, pk):
         # get the asset id
-        asset = FileAsset.objects.get(id=pk)
+        asset = FileAsset.objects.get(id=pk, workspace__slug=slug, project_id=project_id)
         # get the storage metadata
         asset.is_uploaded = True
         # get the storage metadata

apps/api/plane/app/views/issue/attachment.py

@@ -56,7 +56,14 @@ def post(self, request, slug, project_id, issue_id):
 
     @allow_permission([ROLE.ADMIN], creator=True, model=FileAsset)
     def delete(self, request, slug, project_id, issue_id, pk):
-        issue_attachment = FileAsset.objects.get(pk=pk)
+        issue_attachment = FileAsset.objects.filter(
+            pk=pk, workspace__slug=slug, project_id=project_id, issue_id=issue_id
+        ).first()
+        if not issue_attachment:
+            return Response(
+                {"error": "Issue attachment not found."},
+                status=status.HTTP_404_NOT_FOUND,
+            )
         issue_attachment.asset.delete(save=False)
         issue_attachment.delete()
         issue_activity.delay(

apps/api/plane/bgtasks/work_item_link_task.py

@@ -1,6 +1,10 @@
+# Copyright (c) 2023-present Plane Software, Inc. and contributors
+# SPDX-License-Identifier: AGPL-3.0-only
+# See the LICENSE file for details.
+
 # Python imports
 import logging
-
+import socket
 
 # Third party imports
 from celery import shared_task
@@ -20,6 +24,48 @@
 DEFAULT_FAVICON = "PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyNCIgaGVpZ2h0PSIyNCIgdmlld0JveD0iMCAwIDI0IDI0IiBmaWxsPSJub25lIiBzdHJva2U9ImN1cnJlbnRDb2xvciIgc3Ryb2tlLXdpZHRoPSIyIiBzdHJva2UtbGluZWNhcD0icm91bmQiIHN0cm9rZS1saW5lam9pbj0icm91bmQiIGNsYXNzPSJsdWNpZGUgbHVjaWRlLWxpbmstaWNvbiBsdWNpZGUtbGluayI+PHBhdGggZD0iTTEwIDEzYTUgNSAwIDAgMCA3LjU0LjU0bDMtM2E1IDUgMCAwIDAtNy4wNy03LjA3bC0xLjcyIDEuNzEiLz48cGF0aCBkPSJNMTQgMTFhNSA1IDAgMCAwLTcuNTQtLjU0bC0zIDNhNSA1IDAgMCAwIDcuMDcgNy4wN2wxLjcxLTEuNzEiLz48L3N2Zz4="  # noqa: E501
 
 
+def validate_url_ip(url: str) -> None:
+    """
+    Validate that a URL doesn't point to a private/internal IP address.
+    Resolves hostnames to IPs before checking.
+
+    Args:
+        url: The URL to validate
+
+    Raises:
+        ValueError: If the URL points to a private/internal IP
+    """
+    parsed = urlparse(url)
+    hostname = parsed.hostname
+
+    if not hostname:
+        raise ValueError("Invalid URL: No hostname found")
+
+    # Only allow HTTP and HTTPS to prevent file://, gopher://, etc.
+    if parsed.scheme not in ("http", "https"):
+        raise ValueError("Invalid URL scheme. Only HTTP and HTTPS are allowed")
+
+    # Resolve hostname to IP addresses — this catches domain names that
+    # point to internal IPs (e.g. attacker.com -> 169.254.169.254)
+
+    try:
+        addr_info = socket.getaddrinfo(hostname, None)
+    except socket.gaierror:
+        raise ValueError("Hostname could not be resolved")
+
+    if not addr_info:
+        raise ValueError("No IP addresses found for the hostname")
+
+    # Check every resolved IP against blocked ranges to prevent SSRF
+    for addr in addr_info:
+        ip = ipaddress.ip_address(addr[4][0])
+        if ip.is_private or ip.is_loopback or ip.is_reserved or ip.is_link_local:
+            raise ValueError("Access to private/internal networks is not allowed")
+
+
+MAX_REDIRECTS = 5
+
+
 def crawl_work_item_link_title_and_favicon(url: str) -> Dict[str, Any]:
     """
     Crawls a URL to extract the title and favicon.
@@ -31,27 +77,35 @@ def crawl_work_item_link_title_and_favicon(url: str) -> Dict[str, Any]:
         str: JSON string containing title and base64-encoded favicon
     """
     try:
-        # Prevent access to private IP ranges
-        parsed = urlparse(url)
-
-        try:
-            ip = ipaddress.ip_address(parsed.hostname)
-            if ip.is_private or ip.is_loopback or ip.is_reserved:
-                raise ValueError("Access to private/internal networks is not allowed")
-        except ValueError:
-            # Not an IP address, continue with domain validation
-            pass
-
         # Set up headers to mimic a real browser
         headers = {
             "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"  # noqa: E501
         }
 
         soup = None
         title = None
+        final_url = url
+
+        validate_url_ip(final_url)
 
         try:
-            response = requests.get(url, headers=headers, timeout=1)
+            # Manually follow redirects to validate each URL before requesting
+            redirect_count = 0
+            response = requests.get(final_url, headers=headers, timeout=1, allow_redirects=False)
+
+            while response.is_redirect and redirect_count < MAX_REDIRECTS:
+                redirect_url = response.headers.get("Location")
+                if not redirect_url:
+                    break
+                # Resolve relative redirects against current URL
+                final_url = urljoin(final_url, redirect_url)
+                # Validate the redirect target BEFORE making the request
+                validate_url_ip(final_url)
+                redirect_count += 1
+                response = requests.get(final_url, headers=headers, timeout=1, allow_redirects=False)
+
+            if redirect_count >= MAX_REDIRECTS:
+                logger.warning(f"Too many redirects for URL: {url}")
 
             soup = BeautifulSoup(response.content, "html.parser")
             title_tag = soup.find("title")
@@ -60,8 +114,8 @@ def crawl_work_item_link_title_and_favicon(url: str) -> Dict[str, Any]:
         except requests.RequestException as e:
             logger.warning(f"Failed to fetch HTML for title: {str(e)}")
 
-        # Fetch and encode favicon
-        favicon_base64 = fetch_and_encode_favicon(headers, soup, url)
+        # Fetch and encode favicon using final URL (after redirects)
+        favicon_base64 = fetch_and_encode_favicon(headers, soup, final_url)
 
         # Prepare result
         result = {
@@ -107,15 +161,19 @@ def find_favicon_url(soup: Optional[BeautifulSoup], base_url: str) -> Optional[s
         for selector in favicon_selectors:
             favicon_tag = soup.select_one(selector)
             if favicon_tag and favicon_tag.get("href"):
-                return urljoin(base_url, favicon_tag["href"])
+                favicon_href = urljoin(base_url, favicon_tag["href"])
+                validate_url_ip(favicon_href)
+                return favicon_href
 
     # Fallback to /favicon.ico
     parsed_url = urlparse(base_url)
     fallback_url = f"{parsed_url.scheme}://{parsed_url.netloc}/favicon.ico"
 
     # Check if fallback exists
     try:
-        response = requests.head(fallback_url, timeout=2)
+        validate_url_ip(fallback_url)
+        response = requests.head(fallback_url, timeout=2, allow_redirects=False)
+
         if response.status_code == 200:
             return fallback_url
     except requests.RequestException as e:
@@ -146,6 +204,8 @@ def fetch_and_encode_favicon(
                 "favicon_base64": f"data:image/svg+xml;base64,{DEFAULT_FAVICON}",
             }
 
+        validate_url_ip(favicon_url)
+
         response = requests.get(favicon_url, headers=headers, timeout=1)
 
         # Get content type

apps/api/plane/space/views/project.py

@@ -63,6 +63,11 @@ class ProjectMembersEndpoint(BaseAPIView):
 
     def get(self, request, anchor):
         deploy_board = DeployBoard.objects.filter(anchor=anchor).first()
+        if not deploy_board:
+            return Response(
+                {"error": "Invalid anchor"},
+                status=status.HTTP_404_NOT_FOUND,
+            )
 
         members = ProjectMember.objects.filter(
             project=deploy_board.project,
@@ -71,10 +76,7 @@ def get(self, request, anchor):
         ).values(
             "id",
             "member",
-            "member__first_name",
-            "member__last_name",
             "member__display_name",
-            "project",
-            "workspace",
+            "member__avatar",
         )
         return Response(members, status=status.HTTP_200_OK)

apps/api/plane/tests/contract/app/test_api_token.py

@@ -138,7 +138,7 @@ def test_get_specific_api_token(self, session_client, create_user, create_api_to
         """Test retrieving a specific API token"""
         # Arrange
         session_client.force_authenticate(user=create_user)
-        url = reverse("api-tokens", kwargs={"pk": create_api_token_for_user.pk})
+        url = reverse("api-tokens-details", kwargs={"pk": create_api_token_for_user.pk})
 
         # Act
         response = session_client.get(url)
@@ -155,7 +155,7 @@ def test_get_nonexistent_api_token(self, session_client, create_user):
         # Arrange
         session_client.force_authenticate(user=create_user)
         fake_pk = uuid4()
-        url = reverse("api-tokens", kwargs={"pk": fake_pk})
+        url = reverse("api-tokens-details", kwargs={"pk": fake_pk})
 
         # Act
         response = session_client.get(url)
@@ -174,7 +174,7 @@ def test_get_other_users_api_token(self, session_client, create_user, db):
         other_user = User.objects.create(email=unique_email, username=unique_username)
         other_token = APIToken.objects.create(label="Other Token", user=other_user, user_type=0)
         session_client.force_authenticate(user=create_user)
-        url = reverse("api-tokens", kwargs={"pk": other_token.pk})
+        url = reverse("api-tokens-details", kwargs={"pk": other_token.pk})
 
         # Act
         response = session_client.get(url)
@@ -188,7 +188,7 @@ def test_delete_api_token_success(self, session_client, create_user, create_api_
         """Test successful API token deletion"""
         # Arrange
         session_client.force_authenticate(user=create_user)
-        url = reverse("api-tokens", kwargs={"pk": create_api_token_for_user.pk})
+        url = reverse("api-tokens-details", kwargs={"pk": create_api_token_for_user.pk})
 
         # Act
         response = session_client.delete(url)
@@ -203,7 +203,7 @@ def test_delete_nonexistent_api_token(self, session_client, create_user):
         # Arrange
         session_client.force_authenticate(user=create_user)
         fake_pk = uuid4()
-        url = reverse("api-tokens", kwargs={"pk": fake_pk})
+        url = reverse("api-tokens-details", kwargs={"pk": fake_pk})
 
         # Act
         response = session_client.delete(url)
@@ -222,7 +222,7 @@ def test_delete_other_users_api_token(self, session_client, create_user, db):
         other_user = User.objects.create(email=unique_email, username=unique_username)
         other_token = APIToken.objects.create(label="Other Token", user=other_user, user_type=0)
         session_client.force_authenticate(user=create_user)
-        url = reverse("api-tokens", kwargs={"pk": other_token.pk})
+        url = reverse("api-tokens-details", kwargs={"pk": other_token.pk})
 
         # Act
         response = session_client.delete(url)
@@ -238,7 +238,7 @@ def test_delete_service_api_token_forbidden(self, session_client, create_user):
         # Arrange
         service_token = APIToken.objects.create(label="Service Token", user=create_user, user_type=0, is_service=True)
         session_client.force_authenticate(user=create_user)
-        url = reverse("api-tokens", kwargs={"pk": service_token.pk})
+        url = reverse("api-tokens-details", kwargs={"pk": service_token.pk})
 
         # Act
         response = session_client.delete(url)
@@ -254,7 +254,7 @@ def test_patch_api_token_success(self, session_client, create_user, create_api_t
         """Test successful API token update"""
         # Arrange
         session_client.force_authenticate(user=create_user)
-        url = reverse("api-tokens", kwargs={"pk": create_api_token_for_user.pk})
+        url = reverse("api-tokens-details", kwargs={"pk": create_api_token_for_user.pk})
         update_data = {
             "label": "Updated Token Label",
             "description": "Updated description",
@@ -278,7 +278,7 @@ def test_patch_api_token_partial_update(self, session_client, create_user, creat
         """Test partial API token update"""
         # Arrange
         session_client.force_authenticate(user=create_user)
-        url = reverse("api-tokens", kwargs={"pk": create_api_token_for_user.pk})
+        url = reverse("api-tokens-details", kwargs={"pk": create_api_token_for_user.pk})
         original_description = create_api_token_for_user.description
         update_data = {"label": "Only Label Updated"}
 
@@ -296,7 +296,7 @@ def test_patch_nonexistent_api_token(self, session_client, create_user):
         # Arrange
         session_client.force_authenticate(user=create_user)
         fake_pk = uuid4()
-        url = reverse("api-tokens", kwargs={"pk": fake_pk})
+        url = reverse("api-tokens-details", kwargs={"pk": fake_pk})
         update_data = {"label": "New Label"}
 
         # Act
@@ -316,7 +316,7 @@ def test_patch_other_users_api_token(self, session_client, create_user, db):
         other_user = User.objects.create(email=unique_email, username=unique_username)
         other_token = APIToken.objects.create(label="Other Token", user=other_user, user_type=0)
         session_client.force_authenticate(user=create_user)
-        url = reverse("api-tokens", kwargs={"pk": other_token.pk})
+        url = reverse("api-tokens-details", kwargs={"pk": other_token.pk})
         update_data = {"label": "Hacked Label"}
 
         # Act
@@ -329,6 +329,56 @@ def test_patch_other_users_api_token(self, session_client, create_user, db):
         other_token.refresh_from_db()
         assert other_token.label == "Other Token"
 
+    @pytest.mark.django_db
+    def test_patch_cannot_modify_token(self, session_client, create_user, create_api_token_for_user):
+        """Test that token value cannot be modified via PATCH"""
+        # Arrange
+        session_client.force_authenticate(user=create_user)
+        url = reverse("api-tokens-details", kwargs={"pk": create_api_token_for_user.pk})
+        original_token = create_api_token_for_user.token
+        update_data = {"token": "plane_api_malicious_token_value"}
+
+        # Act
+        response = session_client.patch(url, update_data, format="json")
+
+        # Assert
+        assert response.status_code == status.HTTP_200_OK
+        create_api_token_for_user.refresh_from_db()
+        assert create_api_token_for_user.token == original_token
+
+    @pytest.mark.django_db
+    def test_patch_cannot_modify_user_type(self, session_client, create_user, create_api_token_for_user):
+        """Test that user_type cannot be modified via PATCH"""
+        # Arrange
+        session_client.force_authenticate(user=create_user)
+        url = reverse("api-tokens-details", kwargs={"pk": create_api_token_for_user.pk})
+        update_data = {"user_type": 1}
+
+        # Act
+        response = session_client.patch(url, update_data, format="json")
+
+        # Assert
+        assert response.status_code == status.HTTP_200_OK
+        create_api_token_for_user.refresh_from_db()
+        assert create_api_token_for_user.user_type == 0
+
+    @pytest.mark.django_db
+    def test_patch_cannot_modify_service_token(self, session_client, create_user):
+        """Test that service tokens cannot be modified through user token endpoint"""
+        # Arrange
+        service_token = APIToken.objects.create(label="Service Token", user=create_user, user_type=0, is_service=True)
+        session_client.force_authenticate(user=create_user)
+        url = reverse("api-tokens-details", kwargs={"pk": service_token.pk})
+        update_data = {"label": "Hacked Service Token"}
+
+        # Act
+        response = session_client.patch(url, update_data, format="json")
+
+        # Assert
+        assert response.status_code == status.HTTP_404_NOT_FOUND
+        service_token.refresh_from_db()
+        assert service_token.label == "Service Token"
+
     # Authentication tests
     @pytest.mark.django_db
     def test_all_endpoints_require_authentication(self, api_client):
@@ -337,9 +387,9 @@ def test_all_endpoints_require_authentication(self, api_client):
         endpoints = [
             (reverse("api-tokens"), "get"),
             (reverse("api-tokens"), "post"),
-            (reverse("api-tokens", kwargs={"pk": uuid4()}), "get"),
-            (reverse("api-tokens", kwargs={"pk": uuid4()}), "patch"),
-            (reverse("api-tokens", kwargs={"pk": uuid4()}), "delete"),
+            (reverse("api-tokens-details", kwargs={"pk": uuid4()}), "get"),
+            (reverse("api-tokens-details", kwargs={"pk": uuid4()}), "patch"),
+            (reverse("api-tokens-details", kwargs={"pk": uuid4()}), "delete"),
         ]
 
         # Act & Assert