Skip to content

chore(release): promote release to master#41961

Merged
wyattwalter merged 5 commits into
masterfrom
release
Jul 7, 2026
Merged

chore(release): promote release to master#41961
wyattwalter merged 5 commits into
masterfrom
release

Conversation

@wyattwalter

@wyattwalter wyattwalter commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Description

Promotes the release branch into master.

Commits included

Automation

/ok-to-test tags="@tag.All"

Communication

Should the DevRel and Marketing teams be notified?

  • Yes
  • No

Tip

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/28883809142
Commit: 48ac053
Cypress dashboard.
Tags: @tag.All
Spec:


Tue, 07 Jul 2026 18:26:26 UTC

sebastianiv21 and others added 4 commits July 6, 2026 13:10
#41935)

## Description

> [!TIP]
> **TL;DR:** Follow-up to #41926. The dependency-build step it added ran
inside the unittest container, where the non-root container user can't
write to the bind-mounted workdir on Linux CI (`mkdir charts: permission
denied`). This runs `helm dependency build` natively on the runner via
`azure/setup-helm`, matching the pattern already used in
`helm-release.yml` / `helm-docs.yml`.

#41926 added a `helm dependency update` step so the Helm unit tests have
their subcharts available (the `.tgz` files under `deploy/helm/charts/`
are gitignored). That step ran helm **inside** the
`helmunittest/helm-unittest` container:

```yaml
docker run --rm -v $(pwd):/apps --entrypoint helm helmunittest/helm-unittest dependency update .
```

On the Linux CI runner the container runs as a non-root user that cannot
write into the bind-mounted workdir (owned by the runner user), so it
failed:

```
Error: mkdir charts: permission denied
```

It passed locally only because Docker Desktop on macOS ignores
bind-mount ownership.

**Fix:** install helm on the runner with `azure/setup-helm@v4` (pinned
`v4.1.4`) and run `helm dependency build` natively — the same approach
already used in `helm-release.yml` and `helm-docs.yml`. The `charts/`
dir is then created as the runner user, and the existing unittest
container reads it without issue.

```yaml
- name: Setup Helm
  uses: azure/setup-helm@v4
  with:
    version: v4.1.4

- name: Build chart dependencies
  run: helm dependency build
```

## Verification

Ran the new sequence locally against the chart:
- `helm dependency build` (native) → all 5 subcharts resolved (redis,
mongodb, postgresql, prometheus, mongodb-kubernetes)
- `helm-unittest .` (docker) → 13 suites, 67 tests, 7 snapshots — all
passing

Fixes `N/A` — CI infrastructure fix; follow-up to #41926.

## Automation

/ok-to-test tags="@tag.Sanity"

### 🔍 Cypress test results
<!-- This is an auto-generated comment: Cypress test results  -->
> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run:
<https://github.com/appsmithorg/appsmith/actions/runs/28547318249>
> Commit: 2b49886
> <a
href="https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=28547318249&attempt=1"
target="_blank">Cypress dashboard</a>.
> Tags: `@tag.Sanity`
> Spec:
> <hr>Wed, 01 Jul 2026 21:31:26 UTC
<!-- end of auto-generated comment: Cypress test results  -->

## Communication
Should the DevRel and Marketing teams inform users about this change?
- [ ] Yes
- [x] No

🤖 Generated with [Claude Code](https://claude.com/claude-code)


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Updated the Helm unit test workflow to install a pinned Helm binary
before running tests.
* Simplified chart dependency preparation in CI to use a runner-native
build, improving consistency.
* **Tests**
* Helm unit tests now run using the pinned Helm version and updated
dependency build flow for more reliable chart validation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
## Description

Adds authenticated Redis support to the Helm chart. A
pre-install/pre-upgrade hook Job generates the Redis password Secret
(referenced by `redis.auth.existingSecret`) when it does not already
exist, keeping the password stable across upgrades and ArgoCD re-syncs.
The password is injected into the Appsmith deployment by Secret
reference, so cleartext never lands in the ConfigMap.

**What changed**
- New helpers `appsmith.redisMasterHost`, `appsmith.redisSecretName`,
and `appsmith.redisPasswordInitImage`.
- Deployment assembles an authenticated `APPSMITH_REDIS_URL` from the
Secret (password var precedes the URL that references it via `$(VAR)`);
skipped when the user supplies their own
`applicationConfig.APPSMITH_REDIS_URL`.
- Redis init-container `ping` now passes `REDISCLI_AUTH` when auth is
enabled.
- ConfigMap-derived Redis URL and init-container host are gated on
`redis.auth.enabled` and routed through the shared host helper.
- New `redisAuth.passwordInit` image config (defaults to
`alpine/kubectl`) plus a pre-install/pre-upgrade hook
(`templates/hooks/redis.yaml`) that bootstraps the password Secret.
- `values.yaml` now enables `redis.auth` by default with
`existingSecret: appsmith-redis-secret` / `existingSecretPasswordKey:
redis-password`.
- `values.schema.json` entries and snapshot/test coverage
(`tests/redis_auth_test.yaml`, updated default snapshot).

**Reviewer notes**
- The Redis host helper assumes the release name does not contain
"redis" (otherwise the Bitnami subchart collapses its fullname and the
host would not match).
- `redisAuth` is intentionally kept separate from `redis` so it is never
forwarded to the Bitnami subchart.
- `passwordInit.image.tag` defaults to a floating `latest` because
upstream `alpine/kubectl` periodically retires older patch tags; pin it
for byte-level reproducibility.

## Automation

/ok-to-test tags="@tag.Sanity"

## Communication
Should the DevRel and Marketing teams inform users about this change?
- [ ] Yes
- [x] No

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
  * Redis authentication enabled by default.
  * Automatic Redis password initialization and secure Secret creation.

* **Improvements**
  * Deployment now reliably wires Redis credentials and connection URL.
* Init/job logic uses computed Redis host and preserves existing
passwords across upgrades.

* **Tests**
* Added Helm chart tests covering Redis auth behaviors and deployment
wiring.

* **Documentation**
  * Updated Helm README and values schema for Redis auth configuration.

* **Chores**
  * Helm chart version bumped to 3.8.2.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

<!-- This is an auto-generated comment: Cypress test results  -->
> [!IMPORTANT]
> 🟣 🟣 🟣 Your tests are running.
> Tests running at:
<https://github.com/appsmithorg/appsmith/actions/runs/28814168686>
> Commit: 5b16282
> Workflow: `PR Automation test suite`
> Tags: `@tag.Sanity`
> Spec: ``
> <hr>Mon, 06 Jul 2026 18:31:09 UTC
<!-- end of auto-generated comment: Cypress test results  -->

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: subratadeypappu <subrata@appsmith.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Wyatt Walter <wyatt@appsmith.com>
Co-authored-by: Wyatt Walter <wyattwalter@gmail.com>
## Description

> [!TIP]
> **TL;DR** — On a private registry that only mirrors MongoDB's `-ubi8`
tags, there was no single value of `mongodbCommunity.version` that
worked, because the chart feeds it to two consumers with contradictory
suffix expectations. This makes the init-container image helper's
`-ubi8` append idempotent so one value drives both. Helm-chart-only
change; default behavior is byte-identical.

The chart derives **two** image references from the single
`mongodbCommunity.version` value, and on a **private registry** (a
mirror that only carries `-ubi8` tags) the two consumers demand
contradictory formats:

1. **MongoDBCommunity CR `spec.version`**
(`deploy/helm/templates/mongodb-community.yaml`) — consumed **verbatim**
by the MongoDB Community Operator. The operator only auto-appends
`-ubi8` for MongoDB's *official* registry URLs; for a private mirror it
uses the value as-is, so the CR must carry `8.0.20-ubi8` or `mongod`
can't pull.
2. **Init-container wait image** via the
`appsmith.mongoInitContainerImage` helper
(`deploy/helm/templates/_helpers.tpl`) — **always** appended `-ubi8`, so
a `8.0.20-ubi8` value produced `...:8.0.20-ubi8-ubi8`, which fails.

**Net:** with a single bare value there was no correct setting on a
private registry. The only workaround was to set `version:
"8.0.20-ubi8"` **and** separately override `initContainer.mongodb.image`
to the full path — two knobs kept in sync on every version bump.

### What changed

Make the helper strip a trailing `-ubi8` before re-appending it, so the
append is idempotent — both `8.0.20` and `8.0.20-ubi8` render
`...:8.0.20-ubi8`. The suffix is now defined once (`$suffix`) and used
for both the trim and the append, so they can't drift if it ever
changes. Private-registry users can now drive both consumers from
`version` alone; the `initContainer.mongodb.image` override is no longer
needed.

| `version` value | Registry | CR `spec.version` | Init image | Result |
|---|---|---|---|---|
| `8.0.20` | official (default) | `8.0.20` (operator appends `-ubi8`) |
`…:8.0.20-ubi8` | ✅ unchanged |
| `8.0.20-ubi8` | private mirror | `8.0.20-ubi8` (verbatim) |
`…:8.0.20-ubi8` (trimmed, not `-ubi8-ubi8`) | ✅ fixed, single knob |

The operator-side behavior (auto-append only for official URLs) is a
MongoDB limitation outside Appsmith's control; this fixes only the
chart-helper side. The default path is byte-identical (`8.0.20` still
renders `…:8.0.20-ubi8`), so existing snapshots are unaffected.

**Files:** `deploy/helm/templates/_helpers.tpl` (idempotent trim + doc),
`deploy/helm/values.yaml` (private-registry guidance),
`deploy/helm/tests/mongodb_operator_test.yaml` (2 new unittest cases).

**Testing:** `helm unittest deploy/helm` → 69 passed, 7 snapshots, 0
failed. Verified renders: `8.0.20` → `…:8.0.20-ubi8`; `8.0.20-ubi8` →
init `…:8.0.20-ubi8` (no double suffix) and CR `spec.version:
"8.0.20-ubi8"`.

Fixes #41937

## Automation

/ok-to-test tags=""

### 🔍 Cypress test results
<!-- This is an auto-generated comment: Cypress test results  -->
> [!WARNING]
> Tests have not run on the HEAD
8fa87fc yet
> <hr>Mon, 06 Jul 2026 18:38:07 UTC
<!-- end of auto-generated comment: Cypress test results  -->

## Communication
Should the DevRel and Marketing teams inform users about this change?
- [ ] Yes
- [x] No

🤖 Generated with [Claude Code](https://claude.com/claude-code)


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Fixed MongoDB image tag handling so version strings that already
include the `-ubi8` suffix are no longer duplicated.
* Improved compatibility with private registries and mirrored image
tags.

* **Documentation**
* Added guidance on how to set MongoDB version values for registry
setups that use `-ubi8` tags.

* **Tests**
* Added coverage for MongoDB version rendering and container image tag
behavior when `-ubi8` is already present.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: Wyatt Walter <wyattwalter@gmail.com>
## Description
`SmtpPluginTest` uses the `maildev/maildev` Testcontainers image without
a tag, which resolves to `:latest`. Maildev recently published a new RC
and tagged it `latest`, and it's broken in our test setup: the
container's internal exec-based readiness check fails (`/bin/sh:
/bin/bash: not found`, exit 137), and the test connects to the mapped
SMTP port before the listener is actually ready, causing intermittent
connection failures.

This pins both `GenericContainer` instances in `SmtpPluginTest` to
`maildev/maildev:2.2.1`, the last known-good tag (see [tags on Docker
Hub](https://hub.docker.com/r/maildev/maildev/tags)), to stop tracking
`latest` and avoid future silent breaks from upstream RCs.

### Context
Observed as a repeated CI failure on an EE release-promotion PR
(`server-unit-tests` shard 5), reproduced on both the initial run and a
retry.

## Test plan
- [ ] `server-unit-tests` (specifically `SmtpPluginTest`) passes
reliably in CI

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Tests**
* Updated SMTP test containers to use a pinned MailDev image version for
more consistent test execution.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
@wyattwalter wyattwalter added the ok-to-test Required label for CI label Jul 7, 2026
@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

🗂️ Base branches to auto review (2)
  • pg
  • release

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7c2f3276-1891-4264-9c7e-48ff92ea0c90

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch release

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

…HSA-qhfj-g87x-m39w) (#41921)

## Summary

Closes
[GHSA-qhfj-g87x-m39w](https://github.com/appsmithorg/appsmith/security/advisories/GHSA-qhfj-g87x-m39w).
The Redis datasource plugin opened a Jedis connection to a
user-controlled host/port with no IP-class filtering, so a user with
datasource-create permission could point a Redis datasource at the
internal Appsmith Redis. The existing HTTP-side filter doesn't cover
Redis — Jedis uses the JVM's default resolver and bypasses the Reactor
Netty hook.

This PR also closes a DNS-rebinding TOCTOU on the same path and enforces
TLS certificate hostname verification for `rediss://` datasources (items
4 and 5 below).

## Changes

1. **Block Redis datasources from reaching the internal Appsmith
Redis.** `RedisPlugin.datasourceCreate` now consults a shared
`RestrictedHostFilter`. Blocks literal hostname / IP matches against
`APPSMITH_REDIS_URL` and `APPSMITH_REDIS_GIT_URL`, plus loopback /
link-local / cloud-metadata literals. Enforcement is connection-time
only — `PluginExecutor.validateDatasource` is documented format-only, so
host-policy belongs on the connection path. UX: Save succeeds, "Test
Datasource" rejects with `Host not allowed.`.

2. **Make SSRF protections always-on; rename `IN_DOCKER` to
`APPSMITH_DISABLE_SSRF_FILTER`.** The previous filter gated the loopback
/ link-local block on `IN_DOCKER=1`, which Appsmith's official Docker
image always sets — so users on documented deployment paths were already
getting this protection. This change closes the gap for unofficial
distributions (self-built images, bare-metal, etc.) and replaces a
poorly-named variable with one that actually describes what it does. The
most likely place to hit this is a development machine running the
server directly against `http://localhost:*` — set
`APPSMITH_DISABLE_SSRF_FILTER=true` to allow it.

3. **Extract `RestrictedHostFilter` from `WebClientUtils`.** Pure
refactor — the host-filter logic had already grown several non-HTTP call
sites and the class name had outgrown its scope.

4. **Close the DNS-rebinding TOCTOU on the Redis path (upgrade Jedis
3.3.0 → 5.2.0 + pin the resolved IP).** The create-time pre-check in (1)
and Jedis's own connection-time lookup resolved the hostname
independently, so a hostile resolver could return an allowed IP to the
check and the internal Redis IP to the driver. Jedis 5.2.0 (up from
3.3.0, which predated the API) allows injecting a `JedisSocketFactory`;
the new `RestrictedHostJedisSocketFactory` resolves once at connect
time, validates every resolved address, and connects directly to the
pinned IP — so the driver never re-resolves and the window is closed.
The create-time check stays as fast Save/Test UX and now logs the block
at WARN, tagged with the requesting user/org/trace (a useful
reconnaissance signal). Jedis is plugin-isolated (PF4J + shaded); the
server's own Redis runs on Lettuce and is untouched.

5. **Enforce TLS certificate hostname verification for `rediss://`
datasources.** Jedis 5.2.0 validates the certificate trust chain but
does not verify that the cert's SAN/CN matches the host (it only does so
by default in 7.5.0+), so a man-in-the-middle presenting any
CA-trusted-but-mismatched cert on the pinned IP would have been
accepted. The socket factory now sets the endpoint identification
algorithm to `HTTPS`, verifying against the configured hostname (we
connect to the pinned IP but hand the original hostname to the TLS layer
for SNI and verification). This was a pre-existing gap, not introduced
here; closing it now is low-risk because Redis TLS support is recent
(#41587, ~2026-03) and barely adopted, and chain validation was already
on — so only CA-trusted-but-mismatched certs and IP-addressed
`rediss://` (certs rarely carry IP SANs) are newly rejected.


6. **Housekeeping: drop dead `IN_DOCKER` references from Dockerfile /
deploy scripts / CI workflow.** No consumer left after the rename in
(2).

/ok-to-test tags="@tag.All"

## Test plan

- [x] CI green across all commits (Jedis 5.2.0 upgrade, socket factory,
TLS verification, logging).
- [x] Deploy preview: Redis datasource at \`localhost\` / in-cluster
Redis service DNS — Save accepted, Test rejected with \`Host not
allowed.\`. Legitimate external Redis works.
- [x] Connect-time SSRF rejection (the rebinding gate) covered by
`RedisPluginTest` (`socketFactory_blockedHost_failsAtConnectTime`). A
live end-to-end rebinding flip needs a changing resolver and was not
exercised on the DP (rbndr.us is unreachable from AWS).
- [x] Confirm the one existing `rediss://` user (Appsmith internal)
connects via a hostname matching its cert, now that hostname
verification is enforced.
- [x] Dev environment: confirm \`APPSMITH_DISABLE_SSRF_FILTER=true\`
unblocks \`http://localhost:*\` datasources during local development.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated comment: Cypress test results  -->
> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run:
<https://github.com/appsmithorg/appsmith/actions/runs/28840292682>
> Commit: c795905
> <a
href="https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=28840292682&attempt=2"
target="_blank">Cypress dashboard</a>.
> Tags: `@tag.All`
> Spec:
> <hr>Tue, 07 Jul 2026 13:31:52 UTC
<!-- end of auto-generated comment: Cypress test results  -->


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

## Release Notes

* **New Features**
* Added centralized SSRF/restricted host filtering with denylisting and
normalization.
* Enabled consistent enforcement across outbound web requests,
Elasticsearch DNS resolution, SMTP test-email, and Redis datasource
connections.
* Mitigated Redis DNS rebinding by validating once and pinning the
resolved address.

* **Bug Fixes**
* Blocked hosts now fail with a consistent “Host not allowed” error
across execution paths.

* **Tests**
  * Added dedicated host/IP blocking test suite.
* Updated integration tests to explicitly control SSRF filtering
enablement and state restoration during runs.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
@wyattwalter wyattwalter merged commit d847cf4 into master Jul 7, 2026
157 of 159 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ok-to-test Required label for CI

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants