[GSoC2024] Added additional security headers #7752
Conversation
Added headers for: X-Frame-Options, Referrer-Policy, X-Content-Type-Options, Content-Security-Policy
Removed the CSP implemented
@SpecLad I have made the proposed changes.
Made it more descriptive Co-authored-by: Roman Donchenko <rdonchen@outlook.com>
Changed the configuration for referrer policy Co-authored-by: Roman Donchenko <rdonchen@outlook.com>
Actionable comments posted: 0
Review Details
Configuration used: CodeRabbit UI
Review profile: CHILL
Files selected for processing (3)
- changelog.d/20240319_014508_mann.compi.md (1 hunks)
- cvat-ui/react_nginx.conf (1 hunks)
- cvat/nginx.conf (1 hunks)
Files skipped from review due to trivial changes (3)
- changelog.d/20240319_014508_mann.compi.md
- cvat-ui/react_nginx.conf
- cvat/nginx.conf
Thank you for the contribution. FYI, I unlinked this PR from #7398. I'd like to keep that issue open, since we haven't implemented Content-Security-Policy yet.
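An added example, not code from this PR or the CVAT project: a small Python audit that parses a raw HTTP response head and checks for the headers this PR sets in `cvat/nginx.conf` and `cvat-ui/react_nginx.conf`, plus the server-signature check that goes with the `fix[security]` commit #7814 in the commit log below; all sample responses are constructed. The third sample covers a caveat worth re-checking per route: nginx `add_header` directives in a `location` block replace, rather than extend, the ones inherited from the `server` block, so a route with its own `add_header` can silently lose these headers.

```python
from __future__ import annotations

# Expected values for the headers this PR adds (Content-Security-Policy is
# deliberately not required here: the maintainer notes it is not implemented yet).
EXPECTED: dict[str, set[str]] = {
    "x-content-type-options": {"nosniff"},
    # The PR uses strict-origin-when-cross-origin; the other entries are
    # policies that leak no more referrer information than it does.
    "referrer-policy": {
        "strict-origin-when-cross-origin", "strict-origin",
        "same-origin", "no-referrer",
    },
    "x-frame-options": {"deny", "sameorigin"},
}


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse a raw HTTP/1.1 response head into {lower-cased name: [values]}.

    Repeated headers are kept as separate values, because nginx emits one
    line per matching add_header directive.
    """
    headers: dict[str, list[str]] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():
            break                   # blank line ends the header section
        name, sep, value = line.partition(":")
        if not sep:
            continue                # malformed line, ignore it
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(headers: dict[str, list[str]]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []
    for name, allowed in EXPECTED.items():
        values = headers.get(name)
        if not values:
            findings.append(f"missing: {name}")
            continue
        for value in values:
            # Referrer-Policy may carry a comma-separated fallback list;
            # accept the header if any listed token is an acceptable policy.
            tokens = {t.strip().lower() for t in value.split(",")}
            if not tokens & allowed:
                findings.append(f"weak: {name}={value!r}")
    # Companion check for #7814: a "Server: nginx/x.y.z" value discloses
    # the exact nginx version; "Server: nginx" alone does not.
    for value in headers.get("server", []):
        if "/" in value:
            findings.append(f"version disclosure: server={value!r}")
    return findings


def audit_response(raw: str) -> list[str]:
    """Convenience wrapper: audit a raw response head in one call."""
    return audit(parse_headers(raw))


# Constructed sample responses (not captured from a real CVAT deployment).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.2.3\r\n"            # constructed version string
    "Content-Type: text/html\r\n"
    "\r\n"
    "<!doctype html>\r\n"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"                  # signature hidden, e.g. server_tokens off
    "Content-Type: text/html\r\n"
    "X-Frame-Options: deny\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<!doctype html>\r\n"
)
# A route whose location block declares its own add_header (Cache-Control):
# nginx stops inheriting the server-level add_header lines, so the new
# security headers are absent even though the server block sets them.
API_ROUTE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: application/json\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "{}\r\n"
)

if __name__ == "__main__":
    for label, raw in ("before", BEFORE), ("after", AFTER), ("api route", API_ROUTE):
        print(f"{label}: {audit_response(raw) or 'ok'}")
```
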
Commits on this branch:

* Move rego files into their respective apps (#7806)

  This is the promised sequel to #7734. After this change, the `iam` app will no longer contain any code specific to other apps. To make this work, the `/api/auth/rules` endpoint will now construct the OPA bundle from a set of paths, which will be populated by `load_app_permissions`.

  Move OPA test files accordingly. Fortunately, `opa test` accepts multiple directories, so it is trivial to adapt the testing instructions.

  Make the necessary adaptations to `generate_tests.py` to search for test generators in every app. The original parameters of `generate_tests.py` don't really make sense when there are multiple `rules` directories, so remove them. Instead, add a new `--apps-dir` parameter. This parameter isn't really needed to test the open source version of CVAT, but I expect it to be useful for testing the Enterprise version.

  In addition, add some safety checks to `generate_tests.py`:
  * Make sure that we find at least one test generator.
  * Propagate exceptions from `call_generator` into the main thread.

  How has this been tested? I tested the updated commands from the documentation manually, and examined the rules bundle returned by `/api/auth/rules` to ensure that it still contains all the `.rego` files.

* Fixed incorrect Cloud Storage request by ID (#7823)
* Opening update CS page sends infinite requests when CS id does not exist (#7828)
* Fixed duration of 'change:frame' event (#7817)
* Save video if test failed (#7807)
* Modernize Rego syntax (#7824)

  Open Policy Agent v0.59 introduced a new directive (`import rego.v1`) that ensures that the file is compatible with OPA v1 (to be released in the future). Add this directive to all Rego files and update the syntax accordingly, which involves the following:
  * Rewrite all rules to use the `if` keyword, which is now mandatory.
  * Where appropriate, use the `in` keyword, which is now available without a future import. It's not mandatory, but it looks much nicer.

  In addition, update Regal to the latest version, which now enforces the use of `import rego.v1` by default.

* Optimized analytics requests to ClickHouse (#7804)
* Update the Nuclio version (#7787)

  The old version of Nuclio has some vulnerabilities and needs to be updated. Function dependencies have also been updated. The `mask_rcnn` function has been removed because `mask_rcnn` uses Python 3.6, which is no longer supported in the new version of Nuclio. Nuclio officially recommends using Python 3.9. Running `mask_rcnn` on Python 3.9 causes errors within the function and package conflicts.

* Fixed: Cannot read properties of undefined (reading 'addClass') (#7834)
* fix[security]: Disable nginx server signature by default (#7814)
* Enhanced uploading files with tus protocol, enabled retries (#7830)
* Fixed exception when copy/paste a skeleton point (#7843)
* Added ability to call analytics report manually (#7805)
* Use CPU PyTorch for testing the SDK (#7825)

  Motivation and context: Not only is the GPU version of PyTorch much bigger than the CPU version, but it also pulls in CUDA, which is enormous. We don't (and can't) use any GPU features in our tests, so we don't need the GPU version. Using the CPU version saves ~4GB of disk space, which is a lot, because the standard GitHub runners only offer 14 GB.

  Checklist:
  - [x] I submit my changes into the `develop` branch
  - ~~[ ] I have created a changelog fragment~~
  - ~~[ ] I have updated the documentation accordingly~~
  - ~~[ ] I have added tests to cover my changes~~
  - ~~[ ] I have linked related issues (see [GitHub docs](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))~~
  - ~~[ ] I have increased versions of npm packages if it is necessary ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning), [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning), [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))~~

  License: [x] I submit _my code changes_ under the same [MIT License](https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project. Feel free to contact the maintainers if that's a concern.

  Summary by CodeRabbit: Chores: Enhanced the installation process by adding an extra index URL for PyTorch CPU wheels to improve SDK setup reliability.

* Update server dependencies (#7845)
* Bump tqdm from 4.60.0 to 4.66.3 in /utils/dicom_converter (#7848)
* Do not allow to remove latest keyframe from UI (#7844)
* Optimized requests to analytics DB, using timestamps, to avoid going through the whole table (#7833)
* Fix task creation with video file when there are no valid keyframes (#7838)

  Summary by CodeRabbit: Bug Fixes: Fixed an issue where task creation from videos without valid keyframes could cause errors. New Features: Enhanced video stream handling to support videos without keyframes; improved manifest management with new checks for empty states and better index handling.

* [GSoC2024] Added feature to show tags corresponding to GT job and manual job in a separate row (#7774)

  Fixes #7773 and #7749. Added feature to show tags corresponding to GT job and manual job in a separate row. Along with that, the tags of the GT job have a '(GT)' mark in them.

  How has this been tested? When we want to see both manual annotations and GT annotations: https://github.com/cvat-ai/cvat/assets/72168180/362a1728-24f3-43cb-ac4d-1571ebc5faaf. When we only want to see the annotations for the manual annotations job: https://github.com/cvat-ai/cvat/assets/72168180/443fbf56-cd86-404b-bd6d-28351738dddf.

  Summary by CodeRabbit: New Features: Introduced display tags for Ground Truth (GT) and manual jobs in a separate row, with GT tags marked for easy identification; enhanced tag highlighting in the annotation interface to better indicate conflicts. Style: Implemented new styles for frame tags to improve visual distinction when highlighted.

  Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
  Co-authored-by: Kirill Lakhov <kirill.9992@gmail.com>
  Co-authored-by: Maxim Zhiltsov <zhiltsov.max35@gmail.com>

* Fixed vertical polylines difficult to select (#7860)
* Make `generate_tests.py` work with relative `--apps-dir` values (#7851)

  In #7806 I goofed and made the `--apps-dir` option work only with absolute paths. This patch fixes that.

* Fixed cannot read property 'annotations' of null (#7857)
* [GSoC2024] Added quality reporting for Tag annotations (#7582)

  Fixes #7424. This PR adds quality computations for Tag annotations.

* Avoid fetching a list of shapes/tags from db, optimized fetching tracks (#7852)

  Summary by CodeRabbit: Refactor: Updated the method for counting objects in analytics reports to improve accuracy; made internal methods for initializing tags, shapes, and tracks publicly accessible, enhancing external usability. Bug Fixes: Fixed import paths for better module integration and reliability.

* Prevent losing tracked attributes when moving to a project (#7863)

  Summary by CodeRabbit: New Features: Improved object tracking by adding a new model `TrackedShapeAttributeVal` for enhanced performance and accuracy; resolved issue of lost tracked attribute values when moving tasks to projects.

* Prepare release v2.13.0
* Update develop after v2.13.0
* Remove tasks by projectId from state after deleting project (#7854)
* helm-chart: prevent Traefik from ignoring the backend ingress rule (#7859)

  Motivation and context: There is a condition that may occur during Kubernetes deployment, where the frontend service already has an endpoint (i.e. the frontend pod), but the backend service does not. For example, the backend pod may not have started yet or the service controller may not have had time to react to the backend pod. In this case, when Traefik serves a request with an `/api/...` path, it will see that it matches the `/api` rule, but since the corresponding service has no endpoints, it will _skip_ that rule and try other rules. And since the `/` rule matches everything, it will then route the request to the frontend. This is confusing and unhelpful, and more importantly, it makes health checks return the wrong result. Since the frontend will serve `index.html` to every request, a request to `/api/server/health/` or `/api/server/about` will return a 200 code, even though the server isn't actually up.

  Because of this bug, I have observed weird failures in the Helm workflow, where the "Wait for CVAT to be ready" step completes, but CVAT is not actually ready. (FYI: The failures I've seen are actually in a private repo, but the failure condition could occur in this repo too. It's just more likely in a private repo, because GitHub uses smaller runners in private repos.)

  The fix is simple: use the `allowEmptyServices` Traefik setting, which disables the rule skipping behavior. With this setting on, Traefik will return a 503 response for backend URLs until the backend service gains an endpoint.

  How has this been tested? I deployed the Helm chart, then ran a `kubectl delete deployments.apps cvat-backend-server` to simulate the server being unavailable. Then I curled the `/api/server/health/` endpoint.

  Summary by CodeRabbit: Bug Fixes: Fixed an issue to prevent incorrect 200 OK responses from API endpoints before backend readiness. New Features: Updated Helm chart to support configurations that allow empty services in the Kubernetes Ingress provider. Documentation: Updated version in Helm chart documentation from `0.12.0` to `0.12.1`.

* Fixed calculation of metrics for analytics reports (#7144)
* Check UI does not crash if to activate an object while frame fetching (#7873)
* Fix creating chunks with original quality from png images (#7899)
* Update helm (#7894)

  Added ability to specify ServiceAccount for backend pods. Removed passing of DJANGO_MODWSGI_EXTRA_ARGS env variable to server pod. Do not set database host and port env variables if they are empty.

* fixed server for duplicate attribute names (#7890)
* Fixed object count in analytics for skeletons and tracks (#7883)

  Summary by CodeRabbit: Bug Fixes: Corrected an issue where analytics reported an incorrect count of objects for skeleton tracks/shapes; fixed a bug where the analytic report consistently showed one less object for tracks than the actual count. Improvements: Enhanced filtering logic for shapes and tracks in analytics, improving the accuracy of annotation speed metrics.

* Fix CI-nightly tests and refactoring cypress config (#7908)
* Fixed analytics report: working time rounding to minimal 1 hour is not applied to annotation speed anymore (#7898)

  Motivation and context: Depends on https://github.com/cvat-ai/cvat/pull/7883

  Summary by CodeRabbit: Bug Fixes: Corrected an issue where analytic reports showed an incorrect count of objects for skeleton tracks and shapes. Improvements: Renamed metrics related to annotation speed from total to average for jobs, tasks, and projects; updated descriptions for annotation speed metrics to specify the number of objects per hour; removed unnecessary clamping function for working time statistics. These changes enhance the accuracy and clarity of analytic reports, providing more meaningful insights into annotation speeds and object counts.

  Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Fixed exception: Cannot read properties of undefined (reading 'onBloc… (#7913)
* Fixed one way to create an empty mask (#7915)
* check creating task with video without valid keyframes
* fix before commands
* remove extra check
* Fixed updating job/task status after changing job state (#7901)
* Array.toReversed replaced by Array.reduceRight because of better comp… (#7916)
* [GSoC2024] Added additional security headers (#7752)

  Added security headers for Referrer-Policy and X-Content-Type-Options. Referring to issue https://github.com/cvat-ai/cvat/issues/7398, added additional security headers to address the deduction in security score rating by third-party scanners.
  - Referrer-Policy "strict-origin-when-cross-origin";: Limit the referrer information sent when a user navigates away from the website
  - X-Content-Type-Options "nosniff";: Prevent browsers from attempting to MIME-sniff the content type of a response to reduce risk of XSS and Content Injection

  Co-authored-by: Roman Donchenko <rdonchen@outlook.com>

* Fixed skeleton selection algorithm (#7921)
* add rest api test
* remove extra video file
* remove unused task
* fix video file path
* Ignore ground truth jobs when compute analytics report for a task/project (#7919)
* Prepare release v2.14.0
* Update develop after v2.14.0
* replace test video
* formatted code
* add copy videos folder
* Update cypress version (#7929)
* Upgrade React and Antd till the latest version (#7466)
* Fixed conflicts highlight crash in case of hidden by `zOrder` objects (#7917)
* Fixed couple of not stable Cypress tests (#7937)
* Fix missing serviceName field in kvrocks (issue #7741) (#7924)

  Add the serviceName field to the kvrocks StatefulSet as per the Kubernetes specification. This change ensures that the service name is correctly associated with the StatefulSet pods, allowing for proper DNS resolution and service discovery within the cluster. Fixes #7741.

  Motivation and context: The Helm installation is currently failing as reported in issue #7741.

  Summary by CodeRabbit: Bug Fixes: Resolved the issue of a missing `serviceName` field in `kvrocks`, ensuring proper configuration and improved stability.

* Fix login when email domain contains capital symbols and user was created after invitation to some org (#7906)
Read the [Contribution guide](https://docs.cvat.ai/docs/contributing/). --> <!-- Provide a general summary of your changes in the Title above --> ### Motivation and context <!-- Why is this change required? What problem does it solve? If it fixes an open issue, please link to the issue here. Describe your changes in detail, add screenshots. --> ### How has this been tested? <!-- Please describe in detail how you tested your changes. Include details of your testing environment, and the tests you ran to see how your change affects other areas of the code, etc. --> ### Checklist <!-- Go over all the following points, and put an `x` in all the boxes that apply. If an item isn't applicable for some reason, then ~~explicitly strikethrough~~ the whole line. If you don't do that, GitHub will show incorrect progress for the pull request. If you're unsure about any of these, don't hesitate to ask. We're here to help! --> - [x] I submit my changes into the `develop` branch - [ ] I have created a changelog fragment <!-- see top comment in CHANGELOG.md --> - [ ] I have updated the documentation accordingly - [ ] I have added tests to cover my changes - [ ] I have linked related issues (see [GitHub docs]( https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword)) - [ ] I have increased versions of npm packages if it is necessary ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning), [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning), [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning)) ### License - [x] I submit _my code changes_ under the same [MIT License]( https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project. Feel free to contact the maintainers if that's a concern. 
<!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - **Bug Fixes** - Improved email creation process to ensure the use of the normalized email from the user object, enhancing data consistency and reducing errors. <!-- end of auto-generated comment: release notes by coderabbit.ai --> * Fixed .ant-modal-wrapper kept after closing saving modal (#7948) * use other method to get path * Fix dataset downloading (#7864) <!-- Raise an issue to propose your change (https://github.com/cvat-ai/cvat/issues). It helps to avoid duplication of efforts from multiple independent contributors. Discuss your ideas with maintainers to be sure that changes will be approved and merged. Read the [Contribution guide](https://docs.cvat.ai/docs/contributing/). --> <!-- Provide a general summary of your changes in the Title above --> ### Motivation and context <!-- Why is this change required? What problem does it solve? If it fixes an open issue, please link to the issue here. Describe your changes in detail, add screenshots. --> This PR addresses several problems: - when requesting a dataset download, it's possible to get the 500 error with the message "The result file does not exist in export cache", which isn't expected for this request - when downloading the dataset the same error can be obtained if the file is requested right before the cache expiration - there are several [TOCTOU](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use) bugs related to dataset cache file existence checks - under some conditions, it's possible that the export job is never started - the finished RQ jobs were removed automatically on result reporting (after the client requested the result). 
This made it hard to debug problems for admins, as the jobs were often removed already This PR fixes the problems by the following: - introduced dataset cache file locking (via redis) during reading, writing, and removal - the 500 error is changed to automatic reexporting attempt on export status request - the 500 error is changed to 404 when the file is not available for downloading - the exported files are now have different names for each instance update time - the lifetime of the exported files is now automatically prolonged on each export request for the file (given the export is still valid) - the deferred export jobs are now checked to have ghost dependencies. If so, the requested job is restarted - added several environment variables for configuration - <s>finished RQ export jobs are not removed automatically on result retrieval. Now, they just use the export cache lifetime instead (should be continued in another PR)</s> ### How has this been tested? <!-- Please describe in detail how you tested your changes. Include details of your testing environment, and the tests you ran to see how your change affects other areas of the code, etc. --> ### Checklist <!-- Go over all the following points, and put an `x` in all the boxes that apply. If an item isn't applicable for some reason, then ~~explicitly strikethrough~~ the whole line. If you don't do that, GitHub will show incorrect progress for the pull request. If you're unsure about any of these, don't hesitate to ask. We're here to help! 
--> - [ ] I submit my changes into the `develop` branch - [ ] I have created a changelog fragment <!-- see top comment in CHANGELOG.md --> - [ ] I have updated the documentation accordingly - [ ] I have added tests to cover my changes - [ ] I have linked related issues (see [GitHub docs]( https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword)) - [ ] I have increased versions of npm packages if it is necessary ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning), [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning), [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning)) ### License - [ ] I submit _my code changes_ under the same [MIT License]( https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project. Feel free to contact the maintainers if that's a concern. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - **New Features** - Improved reliability of file handling during export and cleanup processes. - Introduced new functionality for managing export cache locks and directories. - **Bug Fixes** - Addressed race conditions in concurrent export and cleanup operations. 
- **Dependencies** - Updated multiple packages to their latest versions for enhanced security and performance: - `cryptography` to `42.0.7` - `django` to `4.2.13` - `django-health-check` to `3.18.2` - `freezegun` to `1.5.1` - `jinja2` to `3.1.4` - `limits` to `3.12.0` - `lxml` to `5.2.2` - `orjson` to `3.10.3` - Added `pottery` version `3.0.0` - Updated `tqdm` to `4.66.4` <!-- end of auto-generated comment: release notes by coderabbit.ai --> * Fixed working time lost in click:element events (#7942) * Aborted enabling black linter onsave in vscode (#7956) * Delete extra comma (#7957) * Fix a non-deterministic webhook test (#7952) `test_two_project_webhooks_intersection` is supposed to trigger each webhook once. However, the first one of these webhooks actually gets triggered twice, because creating a task causes the project's `updated_date` to be bumped, which triggers an `update:project` event. The test still passes a lot of the time (I guess because the second delivery doesn't appear immediately?), but sometimes it fails. It's very easy to make it fail consistently, though - just add a `sleep(5)` before the `get_deliveries` calls. Fix this by changing the first webhook's second event to something that will not be triggered. * Improved `DatasetNotFound` error message (#7923) The recent changes enhance the dataset import functionality across various dataset formats in the CVAT application by integrating specific importers from the Datumaro library. The updates streamline the detection of datasets, improve error handling, and introduce new tests to ensure robustness against incorrect file structures during import operations. 
* Fix automatic `tag` annotation support (#7839) * Update packages with vulnerability (#7951) * Cannot set properties of undefined (setting 'serverID') (#7949) * Fixed some deprecation warnings (#7970) * Added license information regarding '/serverless' directory (#7967) * Stabilized the cypress test for fix CI-nightly runs (#7966) * Squashed `zoom:image` and `send:exception` client events (#7953) * Fix memory consumption when exporting to azure blob storage (#7960) Fix memory consumption when exporting to azure blob storage * Fixed several issues related to creating tasks with cloud data (#7969) <!-- Raise an issue to propose your change (https://github.com/cvat-ai/cvat/issues). It helps to avoid duplication of efforts from multiple independent contributors. Discuss your ideas with maintainers to be sure that changes will be approved and merged. Read the [Contribution guide](https://docs.cvat.ai/docs/contributing/). --> <!-- Provide a general summary of your changes in the Title above --> ### Motivation and context <!-- Why is this change required? What problem does it solve? If it fixes an open issue, please link to the issue here. Describe your changes in detail, add screenshots. --> @coderabbitai summary ### How has this been tested? <!-- Please describe in detail how you tested your changes. Include details of your testing environment, and the tests you ran to see how your change affects other areas of the code, etc. --> ### Checklist <!-- Go over all the following points, and put an `x` in all the boxes that apply. If an item isn't applicable for some reason, then ~~explicitly strikethrough~~ the whole line. If you don't do that, GitHub will show incorrect progress for the pull request. If you're unsure about any of these, don't hesitate to ask. We're here to help! 
--> - [x] I submit my changes into the `develop` branch - [x] I have created a changelog fragment <!-- see top comment in CHANGELOG.md --> - [ ] I have updated the documentation accordingly - [x] I have added tests to cover my changes (*partially*) - [ ] I have linked related issues (see [GitHub docs]( https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword)) - [ ] I have increased versions of npm packages if it is necessary ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning), [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning), [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning)) ### License - [x] I submit _my code changes_ under the same [MIT License]( https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project. Feel free to contact the maintainers if that's a concern. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - **New Features** - Improved media download performance with parallel downloading. - Enhanced file handling with the new `NamedBytesIO` class. - Added support for specifying stop frames in task manifest generation. - Enhanced `DatasetImagesReader` to handle generator sources. - **Performance Improvements** - Optimized image download methods to use threading for faster processing. - **Configuration** - Introduced new settings for maximum threads and files per thread in cloud data downloading. These updates enhance the flexibility, performance, and configurability of media handling and downloading in the application. 
<!-- end of auto-generated comment: release notes by coderabbit.ai --> * Using dedicated event to store working time (#7958) - Parsing JSON payloads to get `working_time` in general leads to low performance in Clickhouse requests. This patch will not fix it right now, but with this patch, after a period of time we may switch to new quick approach to calculate working time. - There will not be a lot of `send:working_time` events, we may store this scope of events for a longer time (e.g. 5 years instead of one by default). - Finally storing working time in such events like `click:element` or `send:exception`, or `debug:info` seems not logical. - Also, the history showed, that as result in different bugs, these events may sometime lose information about `job_id`, `task_id`, etc. Resolved #7884 * Update README.md (#7980) * Check non-existent cloud storage update page (#7972) * Annotation interface documentation updated (#7947) * Bump requests from 2.31.0 to 2.32.2 in /tests/python (#7954) * Updated icon (#7981) * Fixed layout on create cloud storage page (#7985) * Prepare release v2.14.1 * Update develop after v2.14.1 * Fixed: Queued jobs are not considered in deferring logic (#7907) * Stabilized the cypress test for fix CI-nightly runs 2 (#7971) * Update datumaro format description (#7992) <!-- Raise an issue to propose your change (https://github.com/cvat-ai/cvat/issues). It helps to avoid duplication of efforts from multiple independent contributors. Discuss your ideas with maintainers to be sure that changes will be approved and merged. Read the [Contribution guide](https://docs.cvat.ai/docs/contributing/). --> <!-- Provide a general summary of your changes in the Title above --> ### Motivation and context <!-- Why is this change required? What problem does it solve? If it fixes an open issue, please link to the issue here. Describe your changes in detail, add screenshots. --> Skeletons are not supported in this format ### How has this been tested? 
<!-- Please describe in detail how you tested your changes. Include details of your testing environment, and the tests you ran to see how your change affects other areas of the code, etc. --> ### Checklist <!-- Go over all the following points, and put an `x` in all the boxes that apply. If an item isn't applicable for some reason, then ~~explicitly strikethrough~~ the whole line. If you don't do that, GitHub will show incorrect progress for the pull request. If you're unsure about any of these, don't hesitate to ask. We're here to help! --> - [ ] I submit my changes into the `develop` branch - [ ] I have created a changelog fragment <!-- see top comment in CHANGELOG.md --> - [ ] I have updated the documentation accordingly - [ ] I have added tests to cover my changes - [ ] I have linked related issues (see [GitHub docs]( https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword)) - [ ] I have increased versions of npm packages if it is necessary ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning), [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning), [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning)) ### License - [ ] I submit _my code changes_ under the same [MIT License]( https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project. Feel free to contact the maintainers if that's a concern. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - **Documentation** - Updated the `Datumaro 1.0` format to support `Tags` instead of `Tracks`. - Expanded documentation to include support for additional annotation types like Polylines, Masks, Points, Cuboids, and Tags in both export and import operations. 
<!-- end of auto-generated comment: release notes by coderabbit.ai --> * Fixed ImageBitmap memory leak (#7995) <!-- Raise an issue to propose your change (https://github.com/cvat-ai/cvat/issues). It helps to avoid duplication of efforts from multiple independent contributors. Discuss your ideas with maintainers to be sure that changes will be approved and merged. Read the [Contribution guide](https://docs.cvat.ai/docs/contributing/). --> <!-- Provide a general summary of your changes in the Title above --> ### Motivation and context Resolved #7909 Resolved #7850 ### How has this been tested? <!-- Please describe in detail how you tested your changes. Include details of your testing environment, and the tests you ran to see how your change affects other areas of the code, etc. --> ### Checklist <!-- Go over all the following points, and put an `x` in all the boxes that apply. If an item isn't applicable for some reason, then ~~explicitly strikethrough~~ the whole line. If you don't do that, GitHub will show incorrect progress for the pull request. If you're unsure about any of these, don't hesitate to ask. We're here to help! 
--> - [x] I submit my changes into the `develop` branch - [x] I have created a changelog fragment <!-- see top comment in CHANGELOG.md --> - [ ] I have updated the documentation accordingly - [ ] I have added tests to cover my changes - [ ] I have linked related issues (see [GitHub docs]( https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword)) - [x] I have increased versions of npm packages if it is necessary ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning), [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning), [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning)) ### License - [x] I submit _my code changes_ under the same [MIT License]( https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project. Feel free to contact the maintainers if that's a concern. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - **Bug Fixes** - Addressed a significant memory leak issue by ensuring `ImageBitmap` objects are properly closed after use. - Updated various components to handle cleanup and termination of workers and instances correctly, preventing potential resource leaks. - **Version Updates** - Updated `cvat-canvas` to version 2.20.3. - Updated `cvat-core` to version 15.0.6. - Updated `cvat-data` to version 2.1.0. 
<!-- end of auto-generated comment: release notes by coderabbit.ai --> * Updated documentation (one item was missing in the list of events saving triggers) (#8001) * Prepare release v2.14.2 * Update develop after v2.14.2 * Rename kvrocks port (#8010) Fix connection error issue in case of istio usage: https://istio.io/v1.0/docs/setup/kubernetes/spec-requirements/#:~:text=Named%20ports%3A%20Service%20ports%20must,but%20name%3A%20http2foo%20is%20not. * Fixed login with token without next parameter (#7999) * Increased server health check timeout (#7993) * Fixed: Cannot read properties of null (reading 'draw') (#7997) * Remove unnecessary fields from the `/api/lambda/functions` response (#8004) Remove several fields that haven't been used for one reason or another: * `labels` and `attributes` have been replaced by `labels_v2`. Keeping them around nearly triples the response length. * `framework` hasn't been used by the UI since #5635, and IMO was never useful to begin with. There are no decisions that the UI can take based on this field, so it's essentially just a freeform text field, and we already have a freeform text field - `description`. (Which... the UI doesn't display either. But it could!) Remove the `framework` field from the function descriptions as well, since it has no other purpose. * `state` has, as far I could determine, never been used by the UI. I could see a field like this potentially being useful (e.g. the UI could still display a function, but prevent it from being used if it's unavailable), but since none of that is implemented right now, I see no reason to have this field in the API. * Fixed exception: State cannot be updated during editing, need to finish current editing first (#8019) * Check creating cloud storage without manifest file (#7984) * Number of Org Members (#8015) Updated number of members <!-- Raise an issue to propose your change (https://github.com/cvat-ai/cvat/issues). 
It helps to avoid duplication of efforts from multiple independent contributors. Discuss your ideas with maintainers to be sure that changes will be approved and merged. Read the [Contribution guide](https://docs.cvat.ai/docs/contributing/). --> <!-- Provide a general summary of your changes in the Title above --> ### Motivation and context <!-- Why is this change required? What problem does it solve? If it fixes an open issue, please link to the issue here. Describe your changes in detail, add screenshots. --> ### How has this been tested? <!-- Please describe in detail how you tested your changes. Include details of your testing environment, and the tests you ran to see how your change affects other areas of the code, etc. --> ### Checklist <!-- Go over all the following points, and put an `x` in all the boxes that apply. If an item isn't applicable for some reason, then ~~explicitly strikethrough~~ the whole line. If you don't do that, GitHub will show incorrect progress for the pull request. If you're unsure about any of these, don't hesitate to ask. We're here to help! 
--> - [ ] I submit my changes into the `develop` branch - [ ] I have created a changelog fragment <!-- see top comment in CHANGELOG.md --> - [ ] I have updated the documentation accordingly - [ ] I have added tests to cover my changes - [ ] I have linked related issues (see [GitHub docs]( https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword)) - [ ] I have increased versions of npm packages if it is necessary ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning), [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning), [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning)) ### License - [ ] I submit _my code changes_ under the same [MIT License]( https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project. Feel free to contact the maintainers if that's a concern. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - **Documentation** - Updated details for the Solo and Team plans on CVAT.ai: - Solo Plan: Adjusted the number of members allowed from "up to 3 members" to "up to 2 members". - Team Plan: Adjusted the number of members required to pay for from "4 seats (3 annotators + 1 organization owner)" to "3 seats (2 annotators + 1 organization owner)". <!-- end of auto-generated comment: release notes by coderabbit.ai --> * Merge pull request from GHSA-q684-4jjh-83g6 S3 storages support user-specified endpoint URLs, and Azure storages support user-specified connection strings (which can contain endpoint URLs), so they are susceptible to SSRF. Make S3 and Azure requests go through smokescreen to fix this. AFAIK, there is no way to configure a custom URL for Google Cloud storages, so those aren't vulnerable. 
Co-authored-by: Nikita Manovich <nikita@cvat.ai> * Merge pull request from GHSA-jpf9-646h-4px7 * Mitigate a CSRF vulnerability in export and backup-related endpoints While Django has built-in CSRF protection (which we use), it does not cover GET requests, and AFAICS, there is no way to force it to do that. Unfortunately, the many endpoints that initiate dataset exports and backups do accept GET requests _and_ initiate side effects, making them susceptible. The proper fix for this issue would be to redesign those endpoints to use POST requests, but a) that's more complicated, and b) we should still keep the old endpoints for backwards compatibility. So apply a less proper fix, which is to disable session authentication for the affected endpoints. It's a bit complex, because in some cases (particularly when `action=download`) we _need_ session authentication to work, because the UI redirects the user to such endpoints. In addition, modify the handling logic for these endpoints in order to ensure that when `action=download`, no side effects are triggered. Previously, `action=download` would still queue an RQ job if none existed. Even after this, `action=download` will still have two small side effects: * An existing RQ job will be deleted if its results are out of date. I don't think this is a problem, because such a job cannot be used anyway. * A completed RQ job will be deleted too. This is a problematic design, but I don't think an attacker can achieve anything by exploiting this. If an attacker maliciously redirects the user to an `action=download` URL, then they'll just download the export/backup as usual. Some tests were making export requests incorrectly, so fix them. * Add test for the CSRF workaround * Prepare release v2.14.3 * Update develop after v2.14.3 * Remove `ModelKind.CLASSIFIER` (#8011) I'd like the "kind" field in the API to identify the function's "signature", or the types of values it receives as input and produces as output. 
Classifiers have the same signature as detectors, so `classifier` is a redundant value. Besides improving semantic purity, removing this redundant value simplifies the UI code. The only meaningful difference between how the UI handles classifiers, as compared to detectors, is that it shows the word "classifier" in the model modal, which can be helpful. But we can achieve the same thing by examining the function's `return_type` field. This lets us give a special label to segmentation functions, as well. "classifier" can't actually be returned by `/api/lambda/functions`, but it _can_ be returned by the RoboFlow/Hugging Face function API in CVAT Enterprise. So we'll need a small compatibility shim to transform this value to "detector" until I fix that API to stop returning it too. * Change minio host server definition (#8032) * Stop editing when n key pressed (#7922) * Allowed editing in single shape annotation mode (#8017) * Fix server cache cleanup for backups and events (#8040) In #7864 the cache cleanup function was updated. The function was not supposed to be called for anything except datasets, but it was called for backups and events. This PR changes these clients to use their own functions. - Fixed `ValueError: Couldn't parse filename components in 'c71eba87-0914-4ccb-b883-a1bf1612fbf8.csv'` errors * CVAT Architecture documentation update (#8031) <!-- Raise an issue to propose your change (https://github.com/cvat-ai/cvat/issues). It helps to avoid duplication of efforts from multiple independent contributors. Discuss your ideas with maintainers to be sure that changes will be approved and merged. Read the [Contribution guide](https://docs.cvat.ai/docs/contributing/). --> <!-- Provide a general summary of your changes in the Title above --> ### Motivation and context <!-- Why is this change required? What problem does it solve? If it fixes an open issue, please link to the issue here. Describe your changes in detail, add screenshots. 
--> ### How has this been tested? <!-- Please describe in detail how you tested your changes. Include details of your testing environment, and the tests you ran to see how your change affects other areas of the code, etc. --> ### Checklist <!-- Go over all the following points, and put an `x` in all the boxes that apply. If an item isn't applicable for some reason, then ~~explicitly strikethrough~~ the whole line. If you don't do that, GitHub will show incorrect progress for the pull request. If you're unsure about any of these, don't hesitate to ask. We're here to help! --> - [x] I submit my changes into the `develop` branch - [ ] I have created a changelog fragment <!-- see top comment in CHANGELOG.md --> - [ ] I have updated the documentation accordingly - [ ] I have added tests to cover my changes - [ ] I have linked related issues (see [GitHub docs]( https://help.githu…
Added security headers for Referrer-Policy, X-Content-Type-Options, Content-Security-Policy.
Motivation and context
Referring to Issue #7398, added additional security headers to address the deduction in security score ratings by third-party scanners.
- Referrer-Policy "strict-origin-when-cross-origin";: limits the referrer information sent when a user navigates away from the website.
- X-Content-Type-Options "nosniff";: prevents browsers from attempting to MIME-sniff the content type of a response, reducing the risk of XSS and content injection.
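As an added example (not code from the CVAT repository or this PR), a small Python audit that parses a raw HTTP response and checks the two headers above the way a browser interprets them: Referrer-Policy is a comma-separated list where the last recognised token wins, and X-Content-Type-Options is only honoured for the exact token nosniff. The sample responses are constructed, not captured from a real deployment.

```python
"""Audit Referrer-Policy and X-Content-Type-Options on a raw HTTP response.

Added example for the headers discussed in this PR; not CVAT project code.
"""
from __future__ import annotations

# Tokens browsers recognise for Referrer-Policy (Referrer Policy spec).
REFERRER_POLICY_TOKENS = {
    "no-referrer",
    "no-referrer-when-downgrade",
    "same-origin",
    "origin",
    "strict-origin",
    "origin-when-cross-origin",
    "strict-origin-when-cross-origin",
    "unsafe-url",
}

# Policies that can send the full URL (path and query) to other origins.
LEAKY_REFERRER_POLICIES = {"no-referrer-when-downgrade", "unsafe-url"}


def parse_headers(raw_response: str) -> dict[str, list[str]]:
    """Map lower-cased header name -> list of values, in order of appearance.

    Only the head (before the blank line) is parsed; duplicate headers are
    kept as separate entries so the audit can see all of them.
    """
    head, _, _body = raw_response.partition("\r\n\r\n")
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:  # element 0 is the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line: skip rather than crash
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def effective_referrer_policy(values: list[str]) -> str | None:
    """Apply the spec rule: split on commas, the last recognised token wins."""
    policy = None
    for value in values:
        for token in value.split(","):
            token = token.strip().lower()
            if token in REFERRER_POLICY_TOKENS:
                policy = token
    return policy


def audit_security_headers(raw_response: str) -> list[str]:
    """Return findings as strings; an empty list means both headers are fine."""
    headers = parse_headers(raw_response)
    findings: list[str] = []

    rp_values = headers.get("referrer-policy", [])
    if not rp_values:
        findings.append("Referrer-Policy header missing")
    else:
        policy = effective_referrer_policy(rp_values)
        if policy is None:
            findings.append(f"Referrer-Policy has no recognised token: {rp_values!r}")
        elif policy in LEAKY_REFERRER_POLICIES:
            findings.append(f"Referrer-Policy '{policy}' can leak full URLs cross-origin")

    xcto_values = headers.get("x-content-type-options", [])
    if not xcto_values:
        findings.append("X-Content-Type-Options header missing")
    elif not any(v.strip().lower() == "nosniff" for v in xcto_values):
        findings.append(f"X-Content-Type-Options value is not 'nosniff': {xcto_values!r}")

    return findings


# Constructed sample responses (not captured from a real CVAT instance).
RESPONSE_AFTER_PR = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html>...</html>"
)
RESPONSE_BEFORE_PR = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)
# A valid policy followed by a leaky one (the leaky one wins), plus a
# misspelled nosniff token that browsers ignore.
RESPONSE_MISCONFIGURED = (
    "HTTP/1.1 200 OK\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin, unsafe-url\r\n"
    "X-Content-Type-Options: no-sniff\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("after", RESPONSE_AFTER_PR),
                        ("before", RESPONSE_BEFORE_PR),
                        ("misconfigured", RESPONSE_MISCONFIGURED)):
        print(label, audit_security_headers(resp) or ["ok"])
```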
Summary by CodeRabbit
- Referrer-Policy headers for cross origins.
- X-Content-Type-Options headers.