mirror of
https://github.com/makeplane/plane.git
synced 2026-07-09 20:10:06 +02:00
* fix: prevent ORM order_by injection via user-supplied query params (GHSA-2r95, GHSA-w45q) Add field-name allowlists and a sanitize_order_by() utility in order_queryset.py. All allowlists are centralised there; each call site imports the named constant so there are no inline sets scattered across view files. - order_queryset.py: ISSUE_ORDER_BY_ALLOWLIST, INTAKE_ISSUE_ORDER_BY_ALLOWLIST, ACTIVITY_ORDER_BY_ALLOWLIST, PROJECT_ORDER_BY_ALLOWLIST, VIEW_ORDER_BY_ALLOWLIST, NOTIFICATION_ORDER_BY_ALLOWLIST + sanitize_order_by() utility; validation added at the top of order_issue_queryset() — fixes all callers including the unauthenticated ProjectIssuesPublicEndpoint (GHSA-w45q) - api/views/cycle.py, api/views/module.py: cycle/module issue list endpoints - api/views/issue.py: IssueActivity list and detail endpoints - app/views/intake/base.py: IntakeIssue list - app/views/view/base.py: saved-view list - app/views/notification/base.py: notification paginator - app/views/project/base.py: project list paginator - app/views/user/base.py, app/views/workspace/user.py: activity paginators Closes WEB-7813 Co-authored-by: Plane AI <noreply@plane.so> * fix: harden sanitize_order_by against multi-dash malformed inputs lstrip("-") stripped all leading dashes, allowing "--created_at" to pass the allowlist check unchanged and reach .order_by() as a malformed token (causing FieldError). Now strips only one leading dash; any remaining dash prefix is rejected to the safe default. Co-authored-by: Plane AI <noreply@plane.so> --------- Co-authored-by: Plane AI <noreply@plane.so>