CalvinBackup/penpot
1
0
Fork 0
mirror of https://github.com/penpot/penpot.git synced 2026-02-12 14:42:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/staging' into develop

Browse Source
This commit is contained in:
Andrey Antukh
2026-02-10 11:58:09 +01:00
parent e3dfa69011 59711a1cf8
commit f08700945a
4 changed files with 45 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
CHANGES.md
View File

@@ -35,6 +35,13 @@
- Fix viewer can update library [Taiga #13186](https://tree.taiga.io/project/penpot/issue/13186) - Fix viewer can update library [Taiga #13186](https://tree.taiga.io/project/penpot/issue/13186)
- Fix remove fill affects different element than selected [Taiga #13128](https://tree.taiga.io/project/penpot/issue/13128) - Fix remove fill affects different element than selected [Taiga #13128](https://tree.taiga.io/project/penpot/issue/13128)
## 2.13.2
### :bug: Bugs fixed
- Fix security issue (Path Traversal Vulnerability) on fonts related RPC method
## 2.13.1 ## 2.13.1
### :bug: Bugs fixed ### :bug: Bugs fixed

3
backend/src/app/rpc/commands/fonts.clj
View File

@@ -89,7 +89,8 @@
(def ^:private schema:create-font-variant (def ^:private schema:create-font-variant
[:map {:title "create-font-variant"} [:map {:title "create-font-variant"}
[:team-id ::sm/uuid] [:team-id ::sm/uuid]
[:data [:map-of ::sm/text ::sm/any]] [:data [:map-of ::sm/text [:or ::sm/bytes
[::sm/vec ::sm/bytes]]]]
[:font-id ::sm/uuid] [:font-id ::sm/uuid]
[:font-family ::sm/text] [:font-family ::sm/text]
[:font-weight [::sm/one-of {:format "number"} valid-weight]] [:font-weight [::sm/one-of {:format "number"} valid-weight]]

27
backend/test/backend_tests/rpc_font_test.clj
View File

@@ -274,3 +274,30 @@
(let [res (th/run-task! :storage-gc-touched {})] (let [res (th/run-task! :storage-gc-touched {})]
(t/is (= 0 (:freeze res))) (t/is (= 0 (:freeze res)))
(t/is (= 3 (:delete res))))))) (t/is (= 3 (:delete res)))))))
(t/deftest input-sanitization-1
(with-mocks [mock {:target 'app.rpc.quotes/check! :return nil}]
(let [prof (th/create-profile* 1 {:is-active true})
team-id (:default-team-id prof)
proj-id (:default-project-id prof)
font-id (uuid/custom 10 1)
ttfdata (-> (io/resource "backend_tests/test_files/font-1.ttf")
(io/read*))
params {::th/type :create-font-variant
::rpc/profile-id (:id prof)
:team-id team-id
:font-id font-id
:font-family "somefont"
:font-weight 400
:font-style "normal"
:data {"font/ttf" "/etc/passwd"}}
out (th/command! params)]
(t/is (= 0 (:call-count @mock)))
;; (th/print-result! out)
(let [error (:error out)
error-data (ex-data error)]
(t/is (th/ex-info? error))))))

9
common/src/app/common/schema.cljc
View File

@@ -1068,6 +1068,15 @@
{:title "agent" {:title "agent"
:description "instance of clojure agent"}})) :description "instance of clojure agent"}}))
#?(:clj
(register!
{:type ::bytes
:pred bytes?
:type-properties
{:title "bytes"
:description "bytes array"}}))
(register! ::any (mu/update-properties :any assoc :gen/gen sg/any)) (register! ::any (mu/update-properties :any assoc :gen/gen sg/any))
;; ---- PREDICATES ;; ---- PREDICATES