mirror/hoppscotch
1
0
Fork 0
mirror of https://github.com/hoppscotch/hoppscotch.git synced 2026-06-11 09:18:06 -04:00
Code Issues Packages Projects Releases Wiki Activity
6,134 Commits 159 Branches 104 Tags
patch
Commit Graph

2494 Commits

Author SHA1 Message Date
James George
e067ee0b32 fix(common): preserve collection tree on OpenAPI re-import (#6376) 2026-05-28 16:23:13 +05:30
Charlie Freeman
029aa9246c feat: add Mongolian translation (#6344) 
Co-authored-by: cf3901646 <cf3901646@users.noreply.github.com>
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
 2026-05-28 16:20:17 +05:30
Mir Arif Hasan
feaf990af6 fix: class validation issue for updateRESTUserRequest (#6373) 
* fix: class validation issue for updateRESTUserRequest

* test: modified user-req unit test cases
 2026-05-27 13:33:46 +06:00
James George
7e39764260 chore: bump version to 2026.5.0 2026-05-26 12:16:42 +05:30
Shreyas
e51e54183e fix(desktop): align appload types and resolve shell import alias (#6369) 
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
 2026-05-26 12:14:39 +05:30
Gavin McDonough
3836d70e71 feat(common): add OpenAPI 3.1 collection export (#5880) 
Co-authored-by: gavin mcdonough <mcdgavin@users.noreply.github.com>
Co-authored-by: nivedin <nivedinp@gmail.com>
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
 2026-05-26 00:47:44 +05:30
Shreyas
5456b47c52 feat(desktop): zoom level control in settings (#6358) 
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
 2026-05-26 00:37:49 +05:30
Mir Arif Hasan
c85687a8c7 feat: make proxy URL configurable from env and admin dashboard (#6336) 
Co-authored-by: nivedin <nivedinp@gmail.com>
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
 2026-05-26 00:17:52 +05:30
Anwarul Islam
4405dbf6c3 fix(common): wait for proxy settings before issuing requests (#6333) 2026-05-25 23:44:50 +05:30
Nivedin
44f58d13c8 fix: stop secret variable values from leaking to backend (#6279) 
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
 2026-05-22 18:26:46 +05:30
Mir Arif Hasan
daeb352efd chore: security patch for the dependency chain v2026.5.0 (#6338) 
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
 2026-05-22 17:16:11 +05:30
James George
3480a90181 chore: merge hoppscotch/main into hoppscotch/next 2026-05-14 13:53:34 +05:30
James George
e3853bb764 chore(cli): bump version to 0.31.2 2026-05-14 13:26:20 +05:30
James George
b4f9e7f726 chore: merge hoppscotch/main into hoppscotch/patch 2026-05-14 12:11:08 +05:30
James George
c77de598ef chore(cli): bump version to 0.31.1 2026-05-13 23:19:06 +05:30
James George
0884346f14 chore: bump version to 2026.4.1 2026-05-13 23:18:24 +05:30
Shreyas
e04ef445c4 feat(desktop): settings phase 3a - keyboard layout strategy (#6289) 
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
 2026-05-12 13:33:34 +05:30
James George
d1fc70d724 fix: preserve script imports and avoid WebKit lookbehind (#6306) 2026-05-12 11:17:31 +05:30
Mir Arif Hasan
13245cd048 fix: class validator decorator usages (#6293) 
* fix: class validator decorator usages

* fix: feedback
 2026-05-11 22:16:12 +06:00
Nahid Hasan
a05a16efa0 fix(security): prevent mass assignment in onboarding (#6171) 
* fix(backend): prevent mass assignment in onboarding config endpoint

The unauthenticated POST /v1/onboarding/config endpoint mapped the
request body directly to InfraConfigEnum keys, allowing an attacker on
a fresh install to inject sensitive values such as JWT_SECRET and
SESSION_SECRET, enabling forged admin JWTs and full takeover.

Four independent weaknesses combined to make this exploit possible.
This commit addresses each in layers so the fix holds even if any
single layer regresses:

- main.ts: enable `whitelist: true` on the global ValidationPipe so
  properties not declared on any DTO are stripped before reaching any
  controller / service. This is the primary mitigation described in
  the advisory.

- onboarding.controller.ts: scope an additional ValidationPipe
  (`whitelist` + `forbidNonWhitelisted`) on the onboarding POST body
  so requests containing unknown fields are explicitly rejected with
  400 instead of silently dropped.

- infra-config.service.ts (updateOnboardingConfig): introduce an
  `ONBOARDING_ALLOWED_KEYS` allowlist so any `InfraConfigEnum` key
  not part of the documented onboarding surface (OAuth, SMTP) is
  dropped server-side before being persisted, even if earlier layers
  regress.

- infra-config.service.ts (validateEnvValues): explicitly reject
  `JWT_SECRET`, `SESSION_SECRET` and `ALLOW_SECURE_COOKIES` so these
  keys can never be written through any infra-config code path,
  replacing the prior `default: break` behaviour that silently
  accepted them.

Fixes GHSA-j542-4rch-8hwf

* fix(backend): harden onboarding config validation and add sensitive infra-config tests

* chore: cleanup

* chore: class validator implemented in dto layer

* fix: arguments

* fix: api feedback

---------

Co-authored-by: “mirarifhasan” <arif.ishan05@gmail.com>
 2026-05-07 17:46:20 +06:00
James George
cbb32d1aac fix(cli): ship semver as a runtime dependency (#6257) 2026-05-01 15:17:13 +05:30
James George
7036ab5b53 fix(common): preserve string contract for GQL history responses (#6244) 2026-04-29 17:11:33 +05:30
Nivedin
aee017ced3 fix(common): subfolder add-new in team collections respects write access (#6243) 2026-04-29 14:15:49 +05:30
Nivedin
50f16e2ab5 fix(common): set domain url as mockserver environment (#6185) 2026-04-29 12:14:02 +05:30
Mir Arif Hasan
c4e1f02abf fix(backend): harden onboarding config endpoint (#6240) 
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
 2026-04-29 00:10:03 +05:30
James George
f344d4e395 chore(common): add token_refresh auth event and harden no-sync flag 2026-04-28 18:58:51 +05:30
James George
3073d156b4 chore(agent): bump version to v0.1.17 2026-04-28 18:18:29 +05:30
Mir Arif Hasan
078d71036b chore: security patch for the dependency chain v2026.4.0 (#6191) 
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
 2026-04-28 17:51:43 +05:30
Shreyas
96ceb84df9 fix(desktop): unified store scope and migration reroute (#6238) 
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
 2026-04-28 14:59:10 +05:30
James George
df97d11753 fix(common): restore magic-link sign-in flow on cloud for orgs (#6237) 2026-04-28 14:02:50 +05:30
James George
bb1c9a9fe9 chore: formatting updates 2026-04-28 00:50:16 +05:30
James George
50fd27564e chore: bump CLI version 2026-04-28 00:49:21 +05:30
James George
67782b2b30 chore: bump version to 2026.4.0 2026-04-28 00:48:24 +05:30
Rodrigo Kellermann
40ac84c115 feat(selfhost-web): make webapp-server timeouts configurable (#6147) 
Signed-off-by: Rodrigo Kellermann <kellermann@gmail.com>
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
 2026-04-28 00:45:41 +05:30
Shreyas
9861ee84ad feat(desktop): settings phase 0 - infra and update check (#6172) 
Co-authored-by: VicenzoMF <81040684+VicenzoMF@users.noreply.github.com>
 2026-04-28 00:36:06 +05:30
Anwarul Islam
15d12f8ce5 fix(common): support id_token in Authorization Code OAuth flow (#6144) 2026-04-28 00:34:02 +05:30
John An
696ddc336c feat: add collection-level pre-request and test scripts (#5745) 
Co-authored-by: nivedin <nivedinp@gmail.com>
Co-authored-by: “mirarifhasan” <arif.ishan05@gmail.com>
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
 2026-04-27 23:48:52 +05:30
Nivedin
0cdf8de02d fix(common): apply platform default proxy URL on load and reset (#6142) 2026-04-23 18:25:26 +05:30
Shreyas
84f774265b fix: remediate quinn-proto vulnerability across native packages (#6174) 
Co-authored-by: orbisai0security <242526317+orbisai0security@users.noreply.github.com>
 2026-04-22 23:55:27 +05:30
Nivedin
30df20ea7a feat(common): improve API documentation publishing UX (#6116) 
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
 2026-04-22 23:05:40 +05:30
sahilkhan09k
bc3dbdea42 fix: improve environment validation in published docs (#5962) 2026-04-22 21:55:10 +06:00
Mir Arif Hasan
eb801889ba feat: add SMTP OAuth2 authentication support (#6141) 
Co-authored-by: nivedin <nivedinp@gmail.com>
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
 2026-04-22 17:11:03 +05:30
Aaron Fort Garcia
7be31a2986 fix(common): variable hover tooltip was not clickable (disappeared) (#6155) 2026-04-21 19:15:18 +05:30
Rishu ray
a0740399b1 fix(common): add missing aria-labels to icon-only sidenav links (#6160) 
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
 2026-04-20 18:30:54 +05:30
Denny Jiang
3d19cf5c79 chore(common): modify Chinese translation of words (#5996) 
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
 2026-04-17 21:00:11 +05:30
Serhat
a21ca7ed5a chore(common): complete missing Turkish translations (#6071) 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2026-04-17 19:45:03 +05:30
Franco Ortiz
21448c526d chore(common): complete missing Spanish translations (#6109) 
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
 2026-04-17 19:32:02 +05:30
BUNGHUNTER2026ILOVEYOUECHO
d25f1f738e fix(data): make $randomUUID predefined variable RFC 4122 compliant (#6125) 
Co-authored-by: hconsulting987654321-blip <hconsulting987654321-blip@users.noreply.github.com>
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
 2026-04-17 14:08:02 +05:30
Pallav Sarkar
87e20ed2d6 fix(common): correct environment locale wording (#6117) 
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
 2026-04-16 16:52:54 +05:30
James George
91590405e8 chore(common): remove unused flow import 2026-04-15 20:18:53 +05:30