Merge remote-tracking branch 'origin/staging' into develop

📎 Update changelog
🐛 Add proper input checking to font related RCP method
2026-02-10 06:34:43 -05:00 · 2026-02-10 11:58:09 +01:00 · 2026-02-10 11:57:01 +01:00 · 2026-02-10 10:36:57 +01:00 · 2026-02-09 19:21:30 +01:00 · 2026-02-09 18:00:43 +01:00
17 changed files with 60 additions and 44 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -35,6 +35,13 @@
 - Fix viewer can update library [Taiga #13186](https://tree.taiga.io/project/penpot/issue/13186)
 - Fix remove fill affects different element than selected [Taiga #13128](https://tree.taiga.io/project/penpot/issue/13128)

+## 2.13.2
+
+### :bug: Bugs fixed
+
+- Fix security issue (Path Traversal Vulnerability) on fonts related RPC method
+
+
 ## 2.13.1

 ### :bug: Bugs fixed
--- a/backend/src/app/rpc/commands/fonts.clj
+++ b/backend/src/app/rpc/commands/fonts.clj
@@ -89,7 +89,8 @@
 (def ^:private schema:create-font-variant
  [:map {:title "create-font-variant"}
   [:team-id ::sm/uuid]
-   [:data [:map-of ::sm/text ::sm/any]]
+   [:data [:map-of ::sm/text [:or ::sm/bytes
+                              [::sm/vec ::sm/bytes]]]]
   [:font-id ::sm/uuid]
   [:font-family ::sm/text]
   [:font-weight [::sm/one-of {:format "number"} valid-weight]]
--- a/backend/test/backend_tests/rpc_font_test.clj
+++ b/backend/test/backend_tests/rpc_font_test.clj
@@ -274,3 +274,30 @@
      (let [res (th/run-task! :storage-gc-touched {})]
        (t/is (= 0 (:freeze res)))
        (t/is (= 3 (:delete res)))))))
+
+(t/deftest input-sanitization-1
+  (with-mocks [mock {:target 'app.rpc.quotes/check! :return nil}]
+    (let [prof    (th/create-profile* 1 {:is-active true})
+          team-id (:default-team-id prof)
+          proj-id (:default-project-id prof)
+          font-id (uuid/custom 10 1)
+
+          ttfdata (-> (io/resource "backend_tests/test_files/font-1.ttf")
+                      (io/read*))
+
+          params  {::th/type :create-font-variant
+                   ::rpc/profile-id (:id prof)
+                   :team-id team-id
+                   :font-id font-id
+                   :font-family "somefont"
+                   :font-weight 400
+                   :font-style "normal"
+                   :data {"font/ttf" "/etc/passwd"}}
+          out     (th/command! params)]
+
+      (t/is (= 0 (:call-count @mock)))
+      ;; (th/print-result! out)
+
+      (let [error      (:error out)
+            error-data (ex-data error)]
+        (t/is (th/ex-info? error))))))
--- a/common/src/app/common/schema.cljc
+++ b/common/src/app/common/schema.cljc
@@ -1068,6 +1068,15 @@
     {:title "agent"
      :description "instance of clojure agent"}}))

+#?(:clj
+   (register!
+    {:type ::bytes
+     :pred bytes?
+     :type-properties
+     {:title "bytes"
+      :description "bytes array"}}))
+
+
 (register! ::any (mu/update-properties :any assoc :gen/gen sg/any))

 ;; ---- PREDICATES
--- a/docker/devenv/files/nginx.conf
+++ b/docker/devenv/files/nginx.conf
@@ -126,12 +126,6 @@ http {
            proxy_http_version 1.1;
        }

-        location /plugins {
-            autoindex on;
-            alias /home/penpot/penpot/plugins/dist/apps;
-            proxy_http_version 1.1;
-        }
-
        location /mcp/ws {
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -47,12 +47,12 @@
  "devDependencies": {
    "@penpot/draft-js": "workspace:./packages/draft-js",
    "@penpot/mousetrap": "workspace:./packages/mousetrap",
+    "@penpot/tokenscript": "workspace:./packages/tokenscript",
    "@penpot/plugins-runtime": "1.4.2",
    "@penpot/svgo": "penpot/svgo#v3.2",
    "@penpot/text-editor": "workspace:./text-editor",
-    "@penpot/tokenscript": "workspace:./packages/tokenscript",
-    "@penpot/ui": "workspace:./packages/ui",
    "@playwright/test": "1.58.0",
+    "@penpot/ui": "workspace:./packages/ui",
    "@storybook/addon-docs": "10.1.11",
    "@storybook/addon-themes": "10.1.11",
    "@storybook/addon-vitest": "10.1.11",
@@ -103,7 +103,6 @@
    "sass": "^1.89.0",
    "sass-embedded": "^1.89.0",
    "sax": "^1.4.1",
-    "scheduler": "^0.27.0",
    "source-map-support": "^0.5.21",
    "storybook": "10.1.11",
    "style-dictionary": "5.0.0-rc.1",
--- a/frontend/pnpm-lock.yaml
+++ b/frontend/pnpm-lock.yaml
@@ -187,9 +187,6 @@ importers:
      sax:
        specifier: ^1.4.1
        version: 1.4.4
-      scheduler:
-        specifier: ^0.27.0
-        version: 0.27.0
      source-map-support:
        specifier: ^0.5.21
        version: 0.5.21
--- a/plugins/angular.json
+++ b/plugins/angular.json
@@ -218,10 +218,7 @@
        "build": {
          "builder": "@angular-devkit/build-angular:application",
          "options": {
-            "outputPath": {
-              "base": "dist/apps/table-plugin",
-              "browser": ""
-            },
+            "outputPath": "dist/apps/table-plugin",
            "index": "apps/table-plugin/src/index.html",
            "browser": "apps/table-plugin/src/main.ts",
            "polyfills": ["zone.js"],
@@ -229,7 +226,6 @@
            "assets": [
              "apps/table-plugin/src/_headers",
              "apps/table-plugin/src/favicon.ico",
-              "apps/table-plugin/src/manifest.json",
              "apps/table-plugin/src/assets"
            ],
            "styles": [
@@ -360,10 +356,7 @@
        "build": {
          "builder": "@angular-devkit/build-angular:application",
          "options": {
-            "outputPath": {
-              "base": "dist/apps/colors-to-tokens-plugin",
-              "browser": ""
-            },
+            "outputPath": "dist/apps/colors-to-tokens-plugin",
            "index": "apps/colors-to-tokens-plugin/src/index.html",
            "browser": "apps/colors-to-tokens-plugin/src/main.ts",
            "polyfills": ["zone.js"],
@@ -371,7 +364,6 @@
            "assets": [
              "apps/colors-to-tokens-plugin/src/_headers",
              "apps/colors-to-tokens-plugin/src/favicon.ico",
-              "apps/colors-to-tokens-plugin/src/manifest.json",
              "apps/colors-to-tokens-plugin/src/assets"
            ],
            "styles": [
--- a/plugins/apps/colors-to-tokens-plugin/package.json
+++ b/plugins/apps/colors-to-tokens-plugin/package.json
@@ -6,7 +6,6 @@
  "scripts": {
    "build": "ng build colors-to-tokens-plugin",
    "build:dev": "ng build colors-to-tokens-plugin --configuration development",
-    "watch": "ng build colors-to-tokens-plugin --configuration development --watch",
    "serve": "ng serve colors-to-tokens-plugin",
    "lint": "eslint .",
    "test": "vitest"
--- a/plugins/apps/colors-to-tokens-plugin/src/app/app.config.ts
+++ b/plugins/apps/colors-to-tokens-plugin/src/app/app.config.ts
@@ -1,8 +1,6 @@
 import { ApplicationConfig } from '@angular/core';
-import { provideRouter, withHashLocation } from '@angular/router';
+import { provideRouter } from '@angular/router';

 export const appConfig: ApplicationConfig = {
-  providers: [
-    provideRouter([], withHashLocation())
-  ],
-};
+  providers: [provideRouter([])],
+};
--- a/plugins/apps/colors-to-tokens-plugin/src/assets/manifest.json
+++ b/plugins/apps/colors-to-tokens-plugin/src/assets/manifest.json
@@ -1,8 +1,7 @@
 {
  "name": "Colors to Tokens",
  "description": "Generate a design tokens file from a list of colors",
-  "version": 2,
-  "code": "assets/plugin.js",
-  "icon": "assets/icon.png",
+  "code": "/assets/plugin.js",
+  "icon": "/assets/icon.png",
  "permissions": ["content:read", "library:read", "allow:downloads"]
 }
--- a/plugins/apps/colors-to-tokens-plugin/src/index.html
+++ b/plugins/apps/colors-to-tokens-plugin/src/index.html
@@ -3,6 +3,7 @@
  <head>
    <meta charset="utf-8" />
    <title>colors-to-tokens-plugin</title>
+    <base href="/" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
  </head>
  <body>
--- a/plugins/apps/table-plugin/package.json
+++ b/plugins/apps/table-plugin/package.json
@@ -6,7 +6,6 @@
  "scripts": {
    "build": "ng build table-plugin",
    "build:dev": "ng build table-plugin --configuration development",
-    "watch": "ng build table-plugin --configuration development --watch",
    "serve": "ng serve table-plugin",
    "lint": "eslint .",
    "test": "vitest"
--- a/plugins/apps/table-plugin/src/app/app.config.ts
+++ b/plugins/apps/table-plugin/src/app/app.config.ts
@@ -1,7 +1,7 @@
 import { ApplicationConfig } from '@angular/core';
-import { provideRouter, withHashLocation } from '@angular/router';
+import { provideRouter } from '@angular/router';
 import { appRoutes } from './app.routes';

 export const appConfig: ApplicationConfig = {
-  providers: [provideRouter(appRoutes, withHashLocation())],
+  providers: [provideRouter(appRoutes)],
 };
--- a/plugins/apps/table-plugin/src/assets/manifest.json
+++ b/plugins/apps/table-plugin/src/assets/manifest.json
@@ -1,8 +1,7 @@
 {
  "name": "Table plugin",
  "description": "Table plugin to import or create tables",
-  "version": 2,
-  "code": "assets/plugin.js",
-  "icon": "assets/icon.png",
+  "code": "/assets/plugin.js",
+  "icon": "/assets/icon.png",
  "permissions": ["content:read", "content:write"]
 }
--- a/plugins/apps/table-plugin/src/index.html
+++ b/plugins/apps/table-plugin/src/index.html
@@ -3,6 +3,7 @@
  <head>
    <meta charset="utf-8" />
    <title>table-plugin</title>
+    <base href="/" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <link rel="icon" type="image/x-icon" href="favicon.ico" />
  </head>
--- a/plugins/apps/table-plugin/vite.config.ts
+++ b/plugins/apps/table-plugin/vite.config.ts
@@ -1,6 +0,0 @@
-/// <reference types="vitest/config" />
-import { defineConfig } from 'vite';
-
-export default defineConfig({
-  root: "./"
-});
Author	SHA1	Message	Date
Andrey Antukh	f08700945a	Merge remote-tracking branch 'origin/staging' into develop	2026-02-10 11:58:09 +01:00
Andrey Antukh	59711a1cf8	📎 Update changelog	2026-02-10 11:57:01 +01:00
Andrey Antukh	06e5825c8a	🐛 Add proper input checking to font related RCP method	2026-02-10 10:36:57 +01:00
Andrey Antukh	d30387eb77	⏪ Backport docker images changes from develop	2026-02-09 19:21:30 +01:00
Andrey Antukh	33fd672c21	⏪ Backport MCP related changes from develop (#8306 )	2026-02-09 18:00:43 +01:00