Merge remote-tracking branch 'origin/staging' into develop

📎 Update changelog
🐛 Add proper input checking to font related RCP method
2026-02-10 06:34:43 -05:00 · 2026-02-10 11:58:09 +01:00 · 2026-02-10 11:57:01 +01:00 · 2026-02-10 10:36:57 +01:00 · 2026-02-09 19:21:30 +01:00 · 2026-02-09 18:00:43 +01:00
4 changed files with 45 additions and 1 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -35,6 +35,13 @@
 - Fix viewer can update library [Taiga #13186](https://tree.taiga.io/project/penpot/issue/13186)
 - Fix remove fill affects different element than selected [Taiga #13128](https://tree.taiga.io/project/penpot/issue/13128)

+## 2.13.2
+
+### :bug: Bugs fixed
+
+- Fix security issue (Path Traversal Vulnerability) on fonts related RPC method
+
+
 ## 2.13.1

 ### :bug: Bugs fixed
--- a/backend/src/app/rpc/commands/fonts.clj
+++ b/backend/src/app/rpc/commands/fonts.clj
@@ -89,7 +89,8 @@
 (def ^:private schema:create-font-variant
  [:map {:title "create-font-variant"}
   [:team-id ::sm/uuid]
-   [:data [:map-of ::sm/text ::sm/any]]
+   [:data [:map-of ::sm/text [:or ::sm/bytes
+                              [::sm/vec ::sm/bytes]]]]
   [:font-id ::sm/uuid]
   [:font-family ::sm/text]
   [:font-weight [::sm/one-of {:format "number"} valid-weight]]
--- a/backend/test/backend_tests/rpc_font_test.clj
+++ b/backend/test/backend_tests/rpc_font_test.clj
@@ -274,3 +274,30 @@
      (let [res (th/run-task! :storage-gc-touched {})]
        (t/is (= 0 (:freeze res)))
        (t/is (= 3 (:delete res)))))))
+
+(t/deftest input-sanitization-1
+  (with-mocks [mock {:target 'app.rpc.quotes/check! :return nil}]
+    (let [prof    (th/create-profile* 1 {:is-active true})
+          team-id (:default-team-id prof)
+          proj-id (:default-project-id prof)
+          font-id (uuid/custom 10 1)
+
+          ttfdata (-> (io/resource "backend_tests/test_files/font-1.ttf")
+                      (io/read*))
+
+          params  {::th/type :create-font-variant
+                   ::rpc/profile-id (:id prof)
+                   :team-id team-id
+                   :font-id font-id
+                   :font-family "somefont"
+                   :font-weight 400
+                   :font-style "normal"
+                   :data {"font/ttf" "/etc/passwd"}}
+          out     (th/command! params)]
+
+      (t/is (= 0 (:call-count @mock)))
+      ;; (th/print-result! out)
+
+      (let [error      (:error out)
+            error-data (ex-data error)]
+        (t/is (th/ex-info? error))))))
--- a/common/src/app/common/schema.cljc
+++ b/common/src/app/common/schema.cljc
@@ -1068,6 +1068,15 @@
     {:title "agent"
      :description "instance of clojure agent"}}))

+#?(:clj
+   (register!
+    {:type ::bytes
+     :pred bytes?
+     :type-properties
+     {:title "bytes"
+      :description "bytes array"}}))
+
+
 (register! ::any (mu/update-properties :any assoc :gen/gen sg/any))

 ;; ---- PREDICATES
Author	SHA1	Message	Date
Andrey Antukh	f08700945a	Merge remote-tracking branch 'origin/staging' into develop	2026-02-10 11:58:09 +01:00
Andrey Antukh	59711a1cf8	📎 Update changelog	2026-02-10 11:57:01 +01:00
Andrey Antukh	06e5825c8a	🐛 Add proper input checking to font related RCP method	2026-02-10 10:36:57 +01:00
Andrey Antukh	d30387eb77	⏪ Backport docker images changes from develop	2026-02-09 19:21:30 +01:00
Andrey Antukh	33fd672c21	⏪ Backport MCP related changes from develop (#8306 )	2026-02-09 18:00:43 +01:00