
[GSoC2024] Added additional security headers #7752

Merged 12 commits on May 20, 2024

Conversation

@mach-12 mach-12 commented Apr 11, 2024

Added security headers for Referrer-Policy, X-Content-Type-Options, Content-Security-Policy.

Motivation and context

Referring to Issue #7398, added additional security headers, to address the deduction in security score ratings from third-party scanners.

  • Referrer-Policy "strict-origin-when-cross-origin": limits the referrer information sent when a user navigates away from the website

  • X-Content-Type-Options "nosniff": prevents browsers from attempting to MIME-sniff the content type of a response, to reduce the risk of XSS and content injection

How has this been tested?

Checklist

  • I submit my changes into the develop branch
  • I have created a changelog fragment
  • I have updated the documentation accordingly
  • I have added tests to cover my changes
  • I have linked related issues (see GitHub docs)
  • I have increased versions of npm packages if it is necessary
    (cvat-canvas,
    cvat-core,
    cvat-data and
    cvat-ui)

License

  • I submit my code changes under the same MIT License that covers the project.
    Feel free to contact the maintainers if that's a concern.

Summary by CodeRabbit

  • New Features
    • Enhanced security with the addition of strict Referrer-Policy headers for cross origins.
    • Disabled MIME type sniffing via X-Content-Type-Options headers.

mach-12 and others added 8 commits March 17, 2024 20:41
Added headers for:
X-Frame-Options, Referrer-Policy, X-Content-Type-Options, Content-Security-Policy
Added headers for:
X-Frame-Options, Referrer-Policy, X-Content-Type-Options, Content-Security-Policy
Removed the CSP implemented
Removed the CSP implemented
mach-12 (author) commented Apr 11, 2024

@SpecLad Have done the proposed changes

Review threads (outdated, resolved):
  • cvat-ui/react_nginx.conf
  • cvat/nginx.conf
  • changelog.d/20240319_014508_mann.compi.md
mach-12 and others added 3 commits April 15, 2024 21:08
Made it more descriptive

Co-authored-by: Roman Donchenko <rdonchen@outlook.com>
changed the configuration for referrer policy

Co-authored-by: Roman Donchenko <rdonchen@outlook.com>
coderabbitai bot commented May 20, 2024

Walkthrough

This update enhances security by adding Referrer-Policy and X-Content-Type-Options headers to the server configurations in the cvat-ui/react_nginx.conf and cvat/nginx.conf files, ensuring that cross-origin referrer information is restricted and MIME type sniffing is disabled.

Changes

Files and change summary:
  • changelog.d/20240319_014508_mann.compi.md: Introduced security enhancements by adding strict Referrer-Policy headers and disabling MIME type sniffing via X-Content-Type-Options.
  • cvat-ui/react_nginx.conf: Updated the server configuration to include Referrer-Policy and X-Content-Type-Options headers.
  • cvat/nginx.conf: Added add_header directives in the http block to set Referrer-Policy and X-Content-Type-Options headers.

Assessment against linked issues (objectives from Issue #7398):
  • Ensure Referrer-Policy header is present in responses
  • Ensure X-Content-Type-Options header is present in responses

In the code's embrace, security's light,
Headers now guard with all their might.
Referrer-Policy stands tall and clear,
MIME sniffing's end is finally here.
🐇✨


coderabbitai bot left a comment

Actionable comments posted: 0

Review Details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits: files that changed from the base of the PR and between 90d5e1f and 5c0f80e.
Files selected for processing (3)
  • changelog.d/20240319_014508_mann.compi.md (1 hunks)
  • cvat-ui/react_nginx.conf (1 hunks)
  • cvat/nginx.conf (1 hunks)
Files skipped from review due to trivial changes (3)
  • changelog.d/20240319_014508_mann.compi.md
  • cvat-ui/react_nginx.conf
  • cvat/nginx.conf
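
The PR description explains what the two headers do, and the walkthrough above notes that cvat/nginx.conf sets them with add_header in the http block. One thing a reviewer would check before trusting a scanner's green mark: nginx inherits add_header directives from the enclosing level only when the current level defines none of its own, so a server or location block that adds even one unrelated header (say, Cache-Control for static files) silently drops the http-level Referrer-Policy and X-Content-Type-Options. The script below is an added example, not code from CVAT or from this PR. It parses a small, constructed nginx config (the upstream name and the /static/ location are hypothetical, not taken from CVAT's files), resolves the effective add_header set per location according to that inheritance rule, and reports which of the two headers a scanner would find missing. The acceptance rule for Referrer-Policy (only values that never send the path cross-origin) is the example's own choice, not a threshold taken from the PR or any particular scanner.

```python
"""Resolve which add_header values nginx actually emits for each location.

Added example, not code from CVAT or from this PR. nginx inherits add_header
directives from the enclosing level only when the current level defines none
of its own, so headers set in the http block silently disappear in any
server/location that has its own add_header. SAMPLE_CONF is a constructed
config that shows the pitfall; it is not CVAT's nginx.conf.
"""
import re

# Constructed sample: http-level security headers, plus one location that
# adds its own Cache-Control header and therefore loses the inherited ones.
SAMPLE_CONF = """
http {
    add_header Referrer-Policy "strict-origin-when-cross-origin";
    add_header X-Content-Type-Options "nosniff";
    server {
        listen 80;
        location / {
            proxy_pass http://frontend;   # hypothetical upstream name
        }
        location /static/ {
            add_header Cache-Control "public, max-age=31536000";
            root /var/www;
        }
    }
}
"""

# Words, quoted strings, and the { } ; punctuation of nginx's config syntax.
_TOKEN = re.compile(r'''"[^"]*"|'[^']*'|[{};]|[^\s{};"']+''')


def _tokens(text):
    """Drop '#' comments (a '#' inside a quoted value would be cut too; fine
    for the headers this example looks at) and tokenize the rest."""
    return _TOKEN.findall(re.sub(r'#[^\n]*', '', text))


def _parse(tokens, i=0):
    """Build a list of (name, args, children); children is None for simple
    directives and a nested list for blocks. Returns (block, next index)."""
    block, args = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == '}':
            return block, i + 1
        if tok == ';':
            if args:
                block.append((args[0], args[1:], None))
            args = []
        elif tok == '{':
            children, i = _parse(tokens, i + 1)
            block.append((args[0] if args else '', args[1:], children))
            args = []
            continue
        else:
            args.append(tok.strip('"\''))
        i += 1
    return block, i


def effective_headers(conf_text):
    """Map each location path/pattern to the add_header set nginx emits there."""
    tree, _ = _parse(_tokens(conf_text))
    result = {}

    def walk(block, inherited):
        own = {}
        for name, args, _ in block:
            if name == 'add_header' and len(args) >= 2:
                own[args[0].lower()] = args[1]      # a trailing 'always' flag is ignored
        # The nginx rule: any add_header at this level replaces the inherited set outright.
        effective = own if own else inherited
        for name, args, children in block:
            if children is None:
                continue
            headers = walk(children, effective)
            if name == 'location':
                result[args[-1]] = headers          # last arg is the path or regex
        return effective

    walk(tree, {})
    return result


REFERRER_TOKENS = {
    'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
    'strict-origin', 'origin-when-cross-origin',
    'strict-origin-when-cross-origin', 'unsafe-url',
}
# Policies that never send the path or query string to another origin. This is
# the example's own acceptance rule, not one taken from the PR or a scanner.
LEAK_FREE = {'no-referrer', 'same-origin', 'strict-origin',
             'strict-origin-when-cross-origin'}


def referrer_policy_ok(value):
    """Browsers apply the last token they recognise in a comma-separated fallback list."""
    recognised = [t.strip().lower() for t in value.split(',')
                  if t.strip().lower() in REFERRER_TOKENS]
    return bool(recognised) and recognised[-1] in LEAK_FREE


REQUIRED = {
    'x-content-type-options': lambda v: v.strip().lower() == 'nosniff',
    'referrer-policy': referrer_policy_ok,
}


def missing_headers(headers):
    """Required headers that are absent, or present with a value the check rejects.
    Names are compared case-insensitively, as HTTP requires."""
    normalised = {k.lower(): v for k, v in headers.items()}
    return sorted(name for name, ok in REQUIRED.items()
                  if name not in normalised or not ok(normalised[name]))


def audit(conf_text):
    """Per location: which of the PR's two headers would a scanner report missing?"""
    return {loc: missing_headers(h) for loc, h in effective_headers(conf_text).items()}


if __name__ == '__main__':
    for loc, missing in audit(SAMPLE_CONF).items():
        print(f'{loc}: ' + ('ok' if not missing else 'missing ' + ', '.join(missing)))
```

On the constructed config, `/` keeps both headers while `/static/` loses both, even though the http block sets them. The usual remedies are to repeat the add_header lines in every block that defines its own, or to put them in a snippet that each such block pulls in with include, and then to confirm with a real response (curl -sI against each path) rather than only against /.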

@SpecLad SpecLad merged commit 146e188 into cvat-ai:develop May 20, 2024
32 checks passed

SpecLad commented May 20, 2024

Thank you for the contribution.

FYI, I unlinked this PR from #7398. I'd like to keep that issue open, since we haven't implemented Content-Security-Policy yet.

@cvat-bot cvat-bot bot mentioned this pull request May 21, 2024
fahadb-kt added a commit to fahadb-kt/cvat that referenced this pull request Aug 21, 2024
* Move rego files into their respective apps (#7806)

This is the promised sequel to #7734. After this change, the `iam` app
will no longer contain any code specific to other apps.

To make this work, the `/api/auth/rules` endpoint will now construct the
OPA bundle from a set of paths, which will be populated by
`load_app_permissions`.

Move OPA test files accordingly. Fortunately, `opa test` accepts
multiple directories, so it is trivial to adapt the testing
instructions.

Make the necessary adaptations to `generate_tests.py` to search for test
generators in every app. The original parameters of `generate_tests.py`
don't really make sense when there are multiple `rules` directories, so
remove them.

Instead, add a new `--apps-dir` parameter. This parameter isn't really
needed to test the open source version of CVAT, but I expect it to be
useful for testing the Enterprise version.

In addition, add some safety checks to `generate_tests.py`:

* Make sure that we find at least one test generator.

* Propagate exceptions from `call_generator` into the main thread.


### How has this been tested?
I tested the updated commands from the documentation manually, and
examined the rules bundle returned by `/api/auth/rules` to ensure that
it still contains all the `.rego` files.

* Fixed incorrect Cloud Storage request by ID (#7823)

* Opening update CS page sends infinite requests when CS id does not exist (#7828)


* Fixed duration of 'change:frame' event (#7817)

* Save video if test failed (#7807)

* Modernize Rego syntax (#7824)

Open Policy Agent v0.59 introduced a new directive (`import rego.v1`)
that ensures that the file is compatible with OPA v1 (to be released in
the future).

Add this directive to all Rego files and update the syntax accordingly.
Which involves the following:

* Rewrite all rules to use the `if` keyword, which is now mandatory.

* Where appropriate, use the `in` keyword, which is now available
without a future import. It's not mandatory, but it looks much nicer.

In addition, update Regal to the latest version, which now enforces the
use of `import rego.v1` by default.

* Optimized analytics requests to ClickHouse (#7804)

* Update the Nuclio version (#7787)

Old version of Nuclio has some vulnerabilities and it needs to be
updated. Function dependencies have also been updated.

The `mask_rcnn` function has been removed because `mask_rcnn` uses
Python 3.6. In the new version of Nuclio, Python 3.6 is no longer supported.
Nuclio officially recommends using Python 3.9. Running `mask_rcnn` on
Python 3.9 causes errors within the function and package conflicts.

* Fixed: Cannot read properties of undefined (reading 'addClass') (#7834)

* fix[security]: Disable nginx server signature by default (#7814)

* Enhanced uploading files with tus protocol, enabled retries (#7830)

* Fixed exception when copy/paste a skeleton point (#7843)

* Added ability to call analytics report manually (#7805)

* Use CPU PyTorch for testing the SDK (#7825)



### Motivation and context
Not only is the GPU version of PyTorch much bigger than the CPU version,
but it also pulls in CUDA, which is enormous. We don't (and can't) use
any GPU features in our tests, so we don't need the GPU version.

Using the CPU version saves ~4GB of disk space, which is a lot, because
the standard GitHub runners only offer 14 GB.

### How has this been tested?

### Checklist
- [x] I submit my changes into the `develop` branch
- ~~[ ] I have created a changelog fragment~~ <!-- see top comment in
CHANGELOG.md -->
- ~~[ ] I have updated the documentation accordingly~~
- ~~[ ] I have added tests to cover my changes~~
- ~~[ ] I have linked related issues (see [GitHub docs](

https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))~~
- ~~[ ] I have increased versions of npm packages if it is necessary

([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning),

[cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning),

[cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning)
and

[cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))~~

### License

- [x] I submit _my code changes_ under the same [MIT License](
https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the
project.
  Feel free to contact the maintainers if that's a concern.



## Summary by CodeRabbit

- **Chores**
- Enhanced the installation process by adding an extra index URL for
PyTorch CPU wheels to improve SDK setup reliability.


* Update server dependencies (#7845)

* Bump tqdm from 4.60.0 to 4.66.3 in /utils/dicom_converter (#7848)

* Do not allow to remove latest keyframe from UI (#7844)

* Optimized requests to analytics DB, using timestamps, to avoid going through the whole table (#7833)

* Fix task creation with video file when there are no valid keyframes (#7838)



### Motivation and context

### How has this been tested?

### Checklist
- [x] I submit my changes into the `develop` branch
- [x] I have created a changelog fragment <!-- see top comment in
CHANGELOG.md -->
- [ ] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [ ] I have linked related issues (see [GitHub docs](

https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
- [ ] I have increased versions of npm packages if it is necessary

([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning),

[cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning),

[cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning)
and

[cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))

### License

- [x] I submit _my code changes_ under the same [MIT License](
https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the
project.
  Feel free to contact the maintainers if that's a concern.


## Summary by CodeRabbit


- **Bug Fixes**
- Fixed an issue where task creation from videos without valid keyframes
could cause errors.
- **New Features**
	- Enhanced video stream handling to support videos without keyframes.
- Improved manifest management with new checks for empty states and
better index handling.


* [GSoC2024] Added feature to show tags corresponding to GT job and manual job in a separate row (#7774)

Fixes #7773 and #7749

Added feature to show tags corresponding to GT job and manual job in a
separate row. Along with the tags of the GT job have a mark of '(GT)' in
them.

### How has this been tested?
When we want to see both manual annotations and GT annotations:
<img width="1217" alt="image loading..."
src="https://github.com/cvat-ai/cvat/assets/72168180/362a1728-24f3-43cb-ac4d-1571ebc5faaf">

When we only want to see the annotations for the manual annotations job:
<img width="1217" alt="image loading..."
src="https://github.com/cvat-ai/cvat/assets/72168180/443fbf56-cd86-404b-bd6d-28351738dddf">



### Checklist
- [x] I submit my changes into the `develop` branch
- [x] I have created a changelog fragment <!-- see top comment in
CHANGELOG.md -->
~- [ ] I have updated the documentation accordingly~
~- [ ] I have added tests to cover my changes~
- [x] I have linked related issues (see [GitHub docs](

https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
~- [ ] I have increased versions of npm packages if it is necessary

([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning),

[cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning),

[cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning)
and

[cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))~

### License

- [x] I submit _my code changes_ under the same [MIT License](
https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the
project.
  Feel free to contact the maintainers if that's a concern.


## Summary by CodeRabbit

- **New Features**
- Introduced display tags for Ground Truth (GT) and manual jobs in a
separate row, with GT tags marked for easy identification.
- Enhanced tag highlighting in the annotation interface to better
indicate conflicts.

- **Style**
- Implemented new styles for frame tags to improve visual distinction
when highlighted.

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Kirill Lakhov <kirill.9992@gmail.com>
Co-authored-by: Maxim Zhiltsov <zhiltsov.max35@gmail.com>

* Fixed vertical polylines difficult to select (#7860)

* Make `generate_tests.py` work with relative `--apps-dir` values (#7851)

In #7806 I goofed and made the `--apps-dir` option work only with
absolute paths. This patch fixes that.

* Fixed cannot read property 'annotations' of null (#7857)

* [GSoC2024] Added quality reporting for Tag annotations (#7582)

Fixes #7424 

This PR adds quality computations for Tag annotations.

* Avoid fetching a list of shapes/tags from db, optimized fetching tracks (#7852)



### Motivation and context

### How has this been tested?

### Checklist
- [x] I submit my changes into the `develop` branch
- [ ] I have created a changelog fragment <!-- see top comment in
CHANGELOG.md -->
- [ ] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [ ] I have linked related issues (see [GitHub docs](

https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
- [x] I have increased versions of npm packages if it is necessary

([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning),

[cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning),

[cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning)
and

[cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))

### License

- [x] I submit _my code changes_ under the same [MIT License](
https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the
project.
  Feel free to contact the maintainers if that's a concern.


## Summary by CodeRabbit


- **Refactor**
- Updated the method for counting objects in analytics reports to
improve accuracy.
- Made internal methods for initializing tags, shapes, and tracks
publicly accessible, enhancing external usability.

- **Bug Fixes**
	- Fixed import paths for better module integration and reliability.


* Prevent losing tracked attributes when moving to a project (#7863)



### Motivation and context

### How has this been tested?

### Checklist
- [x] I submit my changes into the `develop` branch
- [x] I have created a changelog fragment <!-- see top comment in
CHANGELOG.md -->
- [ ] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [ ] I have linked related issues (see [GitHub docs](

https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
- [ ] I have increased versions of npm packages if it is necessary

([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning),

[cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning),

[cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning)
and

[cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))

### License

- [x] I submit _my code changes_ under the same [MIT License](
https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the
project.
  Feel free to contact the maintainers if that's a concern.


## Summary by CodeRabbit

- **New Features**
- Improved object tracking by adding a new model
`TrackedShapeAttributeVal` for enhanced performance and accuracy.
- Resolved issue of lost tracked attribute values when moving tasks to
projects.

* Prepare release v2.13.0

* Update develop after v2.13.0

* Remove tasks by projectId from state after deleting project (#7854)

* helm-chart: prevent Traefik from ignoring the backend ingress rule (#7859)



### Motivation and context
There is a condition that may occur during Kubernetes deployment, where
the frontend service already has an endpoint (i.e. the frontend pod),
but the backend service does not. For example, the backend pod may not
have started yet or the service controller may not have had time to
react to the backend pod.

In this case, when Traefik serves a request with an `/api/...` path, it
will see that it matches the `/api` rule, but since the corresponding
service has no endpoints, it will _skip_ that rule and try other rules.
And since the `/` rule matches everything, it will then route the
request to the frontend.

This is confusing and unhelpful, and more importantly, it makes health
checks return the wrong result. Since the frontend will serve
`index.html` to every request, a request to `/api/server/health/` or
`/api/server/about` will return a 200 code, even though the server isn't
actually up.

Because of this bug, I have observed weird failures in the Helm
workflow, where the "Wait for CVAT to be ready" step completes, but CVAT
is not actually ready. (FYI: The failures I've seen are actually in a
private repo, but the failure condition could occur in this repo too.
It's just more likely in a private repo, because GitHub uses smaller
runners in private repos.)

The fix is simple: use the `allowEmptyServices` Traefik setting, which
disables the rule skipping behavior. With this setting on, Traefik will
return a 503 response for backend URLs until the backend service gains
an endpoint.

### How has this been tested?
I deployed the Helm chart, then ran a `kubectl delete deployments.apps
cvat-backend-server` to simulate the server being unavailable. Then I
curled the `/api/server/health/` endpoint.

### Checklist
- [x] I submit my changes into the `develop` branch
- [ ] I have created a changelog fragment <!-- see top comment in
CHANGELOG.md -->
- ~~[ ] I have updated the documentation accordingly~~
- ~~[ ] I have added tests to cover my changes~~
- ~~[ ] I have linked related issues (see [GitHub docs](

https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))~~
- ~~[ ] I have increased versions of npm packages if it is necessary

([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning),

[cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning),

[cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning)
and

[cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))~~

### License

- [x] I submit _my code changes_ under the same [MIT License](
https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the
project.
  Feel free to contact the maintainers if that's a concern.



## Summary by CodeRabbit

- **Bug Fixes**
- Fixed an issue to prevent incorrect 200 OK responses from API
endpoints before backend readiness.

- **New Features**
- Updated Helm chart to support configurations that allow empty services
in the Kubernetes Ingress provider.

- **Documentation**
- Updated version in Helm chart documentation from `0.12.0` to `0.12.1`.


* Fixed calculation of metrics for analytics reports (#7144)

* Check UI does not crash if to activate an object while frame fetching (#7873)

* Fix creating chunks with original quality from png images (#7899)

* Update helm (#7894)

Added ability to specify ServiceAccount for backend pods
Removed passing of DJANGO_MODWSGI_EXTRA_ARGS env variable to server pod
Do not set database host and port env variables if they are empty

* fixed server for duplicate attribute names (#7890)

* Fixed object count in analytics for skeletons and tracks (#7883)



### Motivation and context

### How has this been tested?

### Checklist
- [x] I submit my changes into the `develop` branch
- [x] I have created a changelog fragment <!-- see top comment in
CHANGELOG.md -->
- [ ] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [ ] I have linked related issues (see [GitHub docs](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
- [ ] I have increased versions of npm packages if it is necessary
  ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning),
  [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning),
  [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and
  [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))

### License

- [x] I submit _my code changes_ under the same [MIT License](https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project.
  Feel free to contact the maintainers if that's a concern.



## Summary by CodeRabbit

- **Bug Fixes**
- Corrected an issue where analytics reported an incorrect count of
objects for skeleton tracks/shapes.
- Fixed a bug where the analytic report consistently showed one less
object for tracks than the actual count.

- **Improvements**
- Enhanced filtering logic for shapes and tracks in analytics, improving
the accuracy of annotation speed metrics.


* Fix CI-nightly tests and refactoring cypress config (#7908)

* Fixed analytics report: working time rounding to minimal 1 hour is not applied to annotation speed anymore (#7898)


### Motivation and context
Depends on https://github.com/cvat-ai/cvat/pull/7883

### How has this been tested?

### Checklist
- [x] I submit my changes into the `develop` branch
- [x] I have created a changelog fragment <!-- see top comment in
CHANGELOG.md -->
- [ ] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [ ] I have linked related issues (see [GitHub docs](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
- [ ] I have increased versions of npm packages if it is necessary
  ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning),
  [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning),
  [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and
  [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))

### License

- [x] I submit _my code changes_ under the same [MIT License](https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project.
  Feel free to contact the maintainers if that's a concern.


## Summary by CodeRabbit

- **Bug Fixes**
- Corrected an issue where analytic reports showed an incorrect count of
objects for skeleton tracks and shapes.

- **Improvements**
  - Renamed metrics related to annotation speed from total to average for
  jobs, tasks, and projects.
  - Updated descriptions for annotation speed metrics to specify the
  number of objects per hour.
  - Removed unnecessary clamping function for working time statistics.

These changes enhance the accuracy and clarity of analytic reports,
providing more meaningful insights into annotation speeds and object
counts.

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Fixed exception: Cannot read properties of undefined (reading 'onBloc… (#7913)

* Fixed one way to create an empty mask (#7915)

* check creating task with video without valid keyframes

* fix before commands

* remove extra check

* Fixed updating job/task status after changing job state (#7901)

* Array.toReversed replaced by Array.reduceRight because of better comp… (#7916)

* [GSoC2024] Added additional security headers (#7752)

Added security headers for Referrer-Policy, X-Content-Type-Options.

Referring to Issue https://github.com/cvat-ai/cvat/issues/7398, added
additional security headers. Added to address the deduction in security
score ratings by third-party scanners.

- Referrer-Policy "strict-origin-when-cross-origin";: Limit the referrer
information sent when a user navigates away from the website

- X-Content-Type-Options "nosniff";: Prevent browsers from attempting to
MIME-sniff the content type of a response to reduce risk of XSS and
Content Injection

Co-authored-by: Roman Donchenko <rdonchen@outlook.com>
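
The two headers this commit adds, as an added example that is not CVAT's own code: a small Python audit helper that parses `add_header` directives out of an nginx snippet (the `;`-terminated form the commit message uses is assumed to be nginx syntax) and checks whether `Referrer-Policy` and `X-Content-Type-Options` are present with values that actually provide the protection described. The sample config, the `Finding` type and the function names are constructed for this example.

```python
"""Audit the Referrer-Policy and X-Content-Type-Options response headers.

Added example, not CVAT's code. It assumes the headers are emitted as nginx
``add_header`` directives; the sample config below is constructed here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Referrer-Policy values that never send the full URL to another origin.
STRICT_REFERRER_POLICIES = {
    "no-referrer",
    "same-origin",
    "strict-origin",
    "strict-origin-when-cross-origin",
}

# add_header <name> "<value>" [always];   or   add_header <name> <value> [always];
ADD_HEADER_RE = re.compile(
    r'^\s*add_header\s+(?P<name>[A-Za-z0-9-]+)\s+'
    r'(?:"(?P<quoted>[^"]*)"|(?P<bare>[^;\s]+))\s*(?:always)?\s*;',
    re.MULTILINE,
)

# Constructed nginx snippet mirroring the two headers the commit adds.
SAMPLE_NGINX_CONFIG = """
server {
    listen 80;
    add_header Referrer-Policy "strict-origin-when-cross-origin";
    add_header X-Content-Type-Options "nosniff";
}
"""


@dataclass
class Finding:
    header: str
    status: str   # "ok", "missing" or "weak"
    detail: str


def parse_add_headers(config_text: str) -> dict[str, str]:
    """Collect add_header directives into a {lower-cased name: value} map."""
    headers: dict[str, str] = {}
    for m in ADD_HEADER_RE.finditer(config_text):
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        headers[m.group("name").lower()] = value
    return headers


def audit_headers(headers: dict[str, str]) -> list[Finding]:
    """Check a response header map; header names are matched case-insensitively."""
    norm = {k.lower(): v.strip() for k, v in headers.items()}
    findings: list[Finding] = []

    rp = norm.get("referrer-policy")
    if rp is None:
        findings.append(Finding("Referrer-Policy", "missing", "no policy set; the browser default applies"))
    else:
        # The header may carry a comma-separated fallback list; browsers apply the last
        # value they recognise. An unrecognised last token is flagged conservatively.
        tokens = [t.strip().lower() for t in rp.split(",") if t.strip()]
        effective = tokens[-1] if tokens else ""
        if effective in STRICT_REFERRER_POLICIES:
            findings.append(Finding("Referrer-Policy", "ok", effective))
        else:
            findings.append(Finding("Referrer-Policy", "weak",
                                    f"{effective!r} can leak the full URL cross-origin"))

    xcto = norm.get("x-content-type-options")
    if xcto is None:
        findings.append(Finding("X-Content-Type-Options", "missing", "browsers may MIME-sniff responses"))
    elif xcto.lower() == "nosniff":
        findings.append(Finding("X-Content-Type-Options", "ok", "nosniff"))
    else:
        findings.append(Finding("X-Content-Type-Options", "weak", f"{xcto!r} is not 'nosniff'"))
    return findings


def audit_nginx_config(config_text: str) -> list[Finding]:
    """Parse the snippet and audit the headers it would send."""
    return audit_headers(parse_add_headers(config_text))


if __name__ == "__main__":
    for f in audit_nginx_config(SAMPLE_NGINX_CONFIG):
        print(f"{f.header:24} {f.status:8} {f.detail}")
```

`audit_headers` can also be fed the header map of a live response (for example `dict(resp.headers)` from an HTTP client) to confirm the proxy really emits the values the config promises; that end-to-end check is what the third-party scanners mentioned in the commit are measuring.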

* Fixed skeleton selection algorithm (#7921)

* add rest api test

* remove extra video file

* remove unused task

* fix video file path

* Ignore ground truth jobs when compute analytics report for a task/project (#7919)


### Motivation and context

### How has this been tested?

### Checklist
- [x] I submit my changes into the `develop` branch
- [x] I have created a changelog fragment <!-- see top comment in
CHANGELOG.md -->
- [ ] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [ ] I have linked related issues (see [GitHub docs](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
- [ ] I have increased versions of npm packages if it is necessary
  ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning),
  [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning),
  [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and
  [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))

### License

- [x] I submit _my code changes_ under the same [MIT License](https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project.
  Feel free to contact the maintainers if that's a concern.

* Prepare release v2.14.0

* Update develop after v2.14.0

* replace test video

* formatted code

* add copy videos folder

* Update cypress version (#7929)

* Upgrade React and Antd till the latest version (#7466)

* Fixed conflicts highlight crash in case of hidden by `zOrder` objects (#7917)

* Fixed couple of not stable Cypress tests (#7937)

* Fix missing serviceName field in kvrocks (issue #7741) (#7924)

Add the serviceName field to the kvrocks StatefulSet as per the
Kubernetes specification. This change ensures that the service name is
correctly associated with the StatefulSet pods, allowing for proper DNS
resolution and service discovery within the cluster.

Fixes #7741 

### Motivation and context
The Helm installation is currently failing as reported in issue #7741 

### How has this been tested?


### Checklist
- [x] I submit my changes into the `develop` branch
- [x] I have created a changelog fragment <!-- see top comment in
CHANGELOG.md -->
- [ ] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [ ] I have linked related issues (see [GitHub docs](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
- [ ] I have increased versions of npm packages if it is necessary
  ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning),
  [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning),
  [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and
  [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))

### License

- [x] I submit _my code changes_ under the same [MIT License](https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project.
  Feel free to contact the maintainers if that's a concern.


## Summary by CodeRabbit


- **Bug Fixes**
- Resolved the issue of a missing `serviceName` field in `kvrocks`,
ensuring proper configuration and improved stability.


* Fix login when email domain contains capital symbols and user was created after invitation to some org (#7906)


### Motivation and context

### How has this been tested?

### Checklist
- [x] I submit my changes into the `develop` branch
- [ ] I have created a changelog fragment <!-- see top comment in
CHANGELOG.md -->
- [ ] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [ ] I have linked related issues (see [GitHub docs](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
- [ ] I have increased versions of npm packages if it is necessary
  ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning),
  [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning),
  [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and
  [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))

### License

- [x] I submit _my code changes_ under the same [MIT License](https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project.
  Feel free to contact the maintainers if that's a concern.



## Summary by CodeRabbit

- **Bug Fixes**
- Improved email creation process to ensure the use of the normalized
email from the user object, enhancing data consistency and reducing
errors.


* Fixed .ant-modal-wrapper kept after closing saving modal (#7948)

* use other method to get path

* Fix dataset downloading (#7864)


### Motivation and context

This PR addresses several problems:
- when requesting a dataset download, it's possible to get the 500 error
with the message "The result file does not exist in export cache", which
isn't expected for this request
- when downloading the dataset the same error can be obtained if the
file is requested right before the cache expiration
- there are several
[TOCTOU](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use)
bugs related to dataset cache file existence checks
- under some conditions, it's possible that the export job is never
started
- the finished RQ jobs were removed automatically on result reporting
(after the client requested the result). This made it hard to debug
problems for admins, as the jobs were often removed already

This PR fixes the problems by the following:
- introduced dataset cache file locking (via redis) during reading,
writing, and removal
- the 500 error is changed to automatic reexporting attempt on export
status request
- the 500 error is changed to 404 when the file is not available for
downloading
- the exported files now have different names for each instance
update time
- the lifetime of the exported files is now automatically prolonged on
each export request for the file (given the export is still valid)
- the deferred export jobs are now checked to have ghost dependencies.
If so, the requested job is restarted
- added several environment variables for configuration
- <s>finished RQ export jobs are not removed automatically on result
retrieval. Now, they just use the export cache lifetime instead (should
be continued in another PR)</s>

### How has this been tested?

### Checklist
- [ ] I submit my changes into the `develop` branch
- [ ] I have created a changelog fragment <!-- see top comment in
CHANGELOG.md -->
- [ ] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [ ] I have linked related issues (see [GitHub docs](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
- [ ] I have increased versions of npm packages if it is necessary
  ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning),
  [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning),
  [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and
  [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))

### License

- [ ] I submit _my code changes_ under the same [MIT License](https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project.
  Feel free to contact the maintainers if that's a concern.


## Summary by CodeRabbit

- **New Features**
- Improved reliability of file handling during export and cleanup
processes.
- Introduced new functionality for managing export cache locks and
directories.

- **Bug Fixes**
- Addressed race conditions in concurrent export and cleanup operations.

- **Dependencies**
- Updated multiple packages to their latest versions for enhanced
security and performance:
    - `cryptography` to `42.0.7`
    - `django` to `4.2.13`
    - `django-health-check` to `3.18.2`
    - `freezegun` to `1.5.1`
    - `jinja2` to `3.1.4`
    - `limits` to `3.12.0`
    - `lxml` to `5.2.2`
    - `orjson` to `3.10.3`
    - Added `pottery` version `3.0.0`
    - Updated `tqdm` to `4.66.4`
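
The cache-file race this commit describes (an existence check followed by an open that can fail because another worker removed the file in between) and the shape of its fix (lock around read, write and removal; a missing file answered with 404 rather than 500), as an added Python example that is not CVAT's code. A per-path `threading.Lock` stands in for the Redis lock the commit mentions, which is an assumption made here for an offline demonstration; the function names, the `after_check` test hook and the sample payload are constructed for this example.

```python
"""Check-then-use race on an export cache file, and a lock-guarded alternative.

Added example, not CVAT's code. A per-path threading.Lock stands in for the
Redis lock the commit describes (assumption: one lock per cache path); the
function names and the `after_check` test hook are constructed here.
"""
from __future__ import annotations

import os
import tempfile
import threading
from pathlib import Path
from typing import Callable, Optional

_CACHE_LOCKS: dict[str, threading.Lock] = {}
_REGISTRY_LOCK = threading.Lock()


def cache_lock(path: str | os.PathLike) -> threading.Lock:
    """Return the lock guarding one cache file, creating it on first use."""
    with _REGISTRY_LOCK:
        return _CACHE_LOCKS.setdefault(os.fspath(path), threading.Lock())


def read_export_racy(path: str, after_check: Optional[Callable[[], None]] = None) -> Optional[bytes]:
    """The TOCTOU pattern: an existence check followed by an unguarded open.

    `after_check` models another worker acting in the window between the two
    steps (for example the cleanup job removing an expired file).
    """
    if not os.path.exists(path):      # time of check
        return None
    if after_check is not None:
        after_check()
    with open(path, "rb") as fh:      # time of use: raises FileNotFoundError if the file went away
        return fh.read()


def read_export(path: str) -> Optional[bytes]:
    """Open under the lock and report a missing file as None (a 404), not a crash (a 500)."""
    with cache_lock(path):
        try:
            with open(path, "rb") as fh:
                return fh.read()
        except FileNotFoundError:
            return None


def write_export(path: str, data: bytes) -> None:
    """Write under the lock via a temporary file so readers never see a partial file."""
    target = Path(path)
    with cache_lock(target):
        tmp = target.with_name(target.name + ".tmp")
        tmp.write_bytes(data)
        os.replace(tmp, target)


def remove_export(path: str) -> bool:
    """Remove under the same lock; returns False if the file was already gone."""
    with cache_lock(path):
        try:
            os.remove(path)
            return True
        except FileNotFoundError:
            return False


def demo() -> dict[str, object]:
    """Run both variants against a constructed cache file and report what happened."""
    with tempfile.TemporaryDirectory() as tmp_dir:
        path = os.path.join(tmp_dir, "export.zip")
        write_export(path, b"constructed export payload")
        first_read = read_export(path)
        try:
            # The hook deletes the file between the check and the open.
            read_export_racy(path, after_check=lambda: remove_export(path))
            racy_crashed = False
        except FileNotFoundError:
            racy_crashed = True
        after_removal = read_export(path)
        removed_again = remove_export(path)
    return {
        "first_read": first_read,
        "racy_crashed": racy_crashed,
        "after_removal": after_removal,
        "removed_again": removed_again,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The lock serialises readers against the writer and the cleanup job, and the `except FileNotFoundError` branch covers the case the lock cannot, a file that expired before the request arrived, which is exactly the situation the commit maps to a 404. In a multi-process deployment the in-memory lock must be replaced by a distributed one, as the commit does with Redis.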

* Fixed working time lost in click:element events (#7942)

* Aborted enabling black linter onsave in vscode (#7956)

* Delete extra comma (#7957)

* Fix a non-deterministic webhook test (#7952)

`test_two_project_webhooks_intersection` is supposed to trigger each
webhook once. However, the first one of these webhooks actually gets
triggered twice, because creating a task causes the project's
`updated_date` to be bumped, which triggers an `update:project` event.

The test still passes a lot of the time (I guess because the second
delivery doesn't appear immediately?), but sometimes it fails. It's very
easy to make it fail consistently, though - just add a `sleep(5)` before
the `get_deliveries` calls.

Fix this by changing the first webhook's second event to something that
will not be triggered.

* Improved `DatasetNotFound` error message (#7923)

The recent changes enhance the dataset import functionality across various dataset formats in the CVAT application by integrating specific importers from the Datumaro library. The updates streamline the detection of datasets, improve error handling, and introduce new tests to ensure robustness against incorrect file structures during import operations.

* Fix automatic `tag` annotation support (#7839)

* Update packages with vulnerability (#7951)

* Cannot set properties of undefined (setting 'serverID') (#7949)

* Fixed some deprecation warnings (#7970)

* Added license information regarding '/serverless' directory (#7967)

* Stabilized the cypress test for fix CI-nightly runs (#7966)

* Squashed `zoom:image` and `send:exception` client events (#7953)

* Fix memory consumption when exporting to azure blob storage (#7960)

Fix memory consumption when exporting to azure blob storage

* Fixed several issues related to creating tasks with cloud data (#7969)


### Motivation and context
@coderabbitai summary
### How has this been tested?

### Checklist
- [x] I submit my changes into the `develop` branch
- [x] I have created a changelog fragment <!-- see top comment in
CHANGELOG.md -->
- [ ] I have updated the documentation accordingly
- [x] I have added tests to cover my changes (*partially*)
- [ ] I have linked related issues (see [GitHub docs](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
- [ ] I have increased versions of npm packages if it is necessary
  ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning),
  [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning),
  [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and
  [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))

### License

- [x] I submit _my code changes_ under the same [MIT License](https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project.
  Feel free to contact the maintainers if that's a concern.



## Summary by CodeRabbit

- **New Features**
  - Improved media download performance with parallel downloading.
  - Enhanced file handling with the new `NamedBytesIO` class.
  - Added support for specifying stop frames in task manifest generation.
  - Enhanced `DatasetImagesReader` to handle generator sources.

- **Performance Improvements**
- Optimized image download methods to use threading for faster
processing.

- **Configuration**
- Introduced new settings for maximum threads and files per thread in
cloud data downloading.

These updates enhance the flexibility, performance, and configurability
of media handling and downloading in the application.


* Using dedicated event to store working time (#7958)

- Parsing JSON payloads to get `working_time` in general leads to low
performance in Clickhouse requests. This patch will not fix it right
now, but with this patch, after a period of time we may switch to new
quick approach to calculate working time.
- There will not be a lot of `send:working_time` events, we may store
this scope of events for a longer time (e.g. 5 years instead of one by
default).
- Finally storing working time in such events like `click:element` or
`send:exception`, or `debug:info` seems not logical.
- Also, history has shown that, as a result of different bugs, these
events may sometimes lose information about `job_id`, `task_id`, etc.

Resolved #7884

* Update README.md (#7980)

* Check non-existent cloud storage update page (#7972)

* Annotation interface documentation updated (#7947)

* Bump requests from 2.31.0 to 2.32.2 in /tests/python (#7954)

* Updated icon (#7981)

* Fixed layout on create cloud storage page (#7985)

* Prepare release v2.14.1

* Update develop after v2.14.1

* Fixed: Queued jobs are not considered in deferring logic (#7907)

* Stabilized the cypress test for fix CI-nightly runs 2 (#7971)

* Update datumaro format description (#7992)


### Motivation and context

Skeletons are not supported in this format

### How has this been tested?

### Checklist
- [ ] I submit my changes into the `develop` branch
- [ ] I have created a changelog fragment <!-- see top comment in
CHANGELOG.md -->
- [ ] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [ ] I have linked related issues (see [GitHub docs](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
- [ ] I have increased versions of npm packages if it is necessary
  ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning),
  [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning),
  [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and
  [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))

### License

- [ ] I submit _my code changes_ under the same [MIT License](https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project.
  Feel free to contact the maintainers if that's a concern.



## Summary by CodeRabbit

- **Documentation**
- Updated the `Datumaro 1.0` format to support `Tags` instead of
`Tracks`.
- Expanded documentation to include support for additional annotation
types like Polylines, Masks, Points, Cuboids, and Tags in both export
and import operations.


* Fixed ImageBitmap memory leak (#7995)


### Motivation and context
Resolved #7909
Resolved #7850

### How has this been tested?

### Checklist
- [x] I submit my changes into the `develop` branch
- [x] I have created a changelog fragment <!-- see top comment in
CHANGELOG.md -->
- [ ] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [ ] I have linked related issues (see [GitHub docs](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
- [x] I have increased versions of npm packages if it is necessary
  ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning),
  [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning),
  [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and
  [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))

### License

- [x] I submit _my code changes_ under the same [MIT License](https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project.
  Feel free to contact the maintainers if that's a concern.



## Summary by CodeRabbit

- **Bug Fixes**
- Addressed a significant memory leak issue by ensuring `ImageBitmap`
objects are properly closed after use.
- Updated various components to handle cleanup and termination of
workers and instances correctly, preventing potential resource leaks.

- **Version Updates**
  - Updated `cvat-canvas` to version 2.20.3.
  - Updated `cvat-core` to version 15.0.6.
  - Updated `cvat-data` to version 2.1.0.


* Updated documentation (one item was missing in the list of events saving triggers) (#8001)

* Prepare release v2.14.2

* Update develop after v2.14.2

* Rename kvrocks port (#8010)

Fix connection error issue in case of istio usage:
https://istio.io/v1.0/docs/setup/kubernetes/spec-requirements/#:~:text=Named%20ports%3A%20Service%20ports%20must,but%20name%3A%20http2foo%20is%20not.

* Fixed login with token without next parameter (#7999)

* Increased server health check timeout (#7993)

* Fixed: Cannot read properties of null (reading 'draw') (#7997)

* Remove unnecessary fields from the `/api/lambda/functions` response (#8004)

Remove several fields that haven't been used for one reason or another:

* `labels` and `attributes` have been replaced by `labels_v2`. Keeping
them around nearly triples the response length.

* `framework` hasn't been used by the UI since #5635, and IMO was never
useful to begin with. There are no decisions that the UI can take based
on this field, so it's essentially just a freeform text field, and we
already have a freeform text field - `description`. (Which... the UI
doesn't display either. But it could!)

Remove the `framework` field from the function descriptions as well,
since it has no other purpose.

* `state` has, as far I could determine, never been used by the UI. I
could see a field like this potentially being useful (e.g. the UI could
still display a function, but prevent it from being used if it's
unavailable), but since none of that is implemented right now, I see no
reason to have this field in the API.

* Fixed exception: State cannot be updated during editing, need to finish current editing first (#8019)

* Check creating cloud storage without manifest file (#7984)

* Number of Org Members (#8015)

Updated number of members


### Motivation and context
<!-- Why is this change required? What problem does it solve? If it
fixes an open
issue, please link to the issue here. Describe your changes in detail,
add
screenshots. -->

### How has this been tested?
<!-- Please describe in detail how you tested your changes.
Include details of your testing environment, and the tests you ran to
see how your change affects other areas of the code, etc. -->

### Checklist
<!-- Go over all the following points, and put an `x` in all the boxes
that apply.
If an item isn't applicable for some reason, then ~~explicitly
strikethrough~~ the whole
line. If you don't do that, GitHub will show incorrect progress for the
pull request.
If you're unsure about any of these, don't hesitate to ask. We're here
to help! -->
- [ ] I submit my changes into the `develop` branch
- [ ] I have created a changelog fragment <!-- see top comment in
CHANGELOG.md -->
- [ ] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [ ] I have linked related issues (see [GitHub docs](

https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
- [ ] I have increased versions of npm packages if it is necessary

([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning),

[cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning),

[cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning)
and

[cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))

### License

- [ ] I submit _my code changes_ under the same [MIT License](
https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the
project.
  Feel free to contact the maintainers if that's a concern.


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

- **Documentation**
  - Updated details for the Solo and Team plans on CVAT.ai:
    - Solo Plan: Adjusted the number of members allowed from "up to 3 members" to "up to 2 members".
    - Team Plan: Adjusted the number of members required to pay for from "4 seats (3 annotators + 1 organization owner)" to "3 seats (2 annotators + 1 organization owner)".


* Merge pull request from GHSA-q684-4jjh-83g6

S3 storages support user-specified endpoint URLs, and Azure storages support
user-specified connection strings (which can contain endpoint URLs), so they
are susceptible to SSRF. Make S3 and Azure requests go through smokescreen
to fix this.

AFAIK, there is no way to configure a custom URL for Google Cloud storages,
so those aren't vulnerable.

Co-authored-by: Nikita Manovich <nikita@cvat.ai>

* Merge pull request from GHSA-jpf9-646h-4px7

* Mitigate a CSRF vulnerability in export and backup-related endpoints

While Django has built-in CSRF protection (which we use), it does not cover
GET requests, and AFAICS, there is no way to force it to do that.
Unfortunately, the many endpoints that initiate dataset exports and backups
do accept GET requests _and_ initiate side effects, making them susceptible.

The proper fix for this issue would be to redesign those endpoints to use
POST requests, but a) that's more complicated, and b) we should still keep
the old endpoints for backwards compatibility.

So apply a less proper fix, which is to disable session authentication for
the affected endpoints. It's a bit complex, because in some cases
(particularly when `action=download`) we _need_ session authentication to
work, because the UI redirects the user to such endpoints.

In addition, modify the handling logic for these endpoints in order to
ensure that when `action=download`, no side effects are triggered.
Previously, `action=download` would still queue an RQ job if none existed.

Even after this, `action=download` will still have two small side effects:

* An existing RQ job will be deleted if its results are out of date.
  I don't think this is a problem, because such a job cannot be used anyway.

* A completed RQ job will be deleted too. This is a problematic design,
  but I don't think an attacker can achieve anything by exploiting this. If
  an attacker maliciously redirects the user to an `action=download` URL,
  then they'll just download the export/backup as usual.

Some tests were making export requests incorrectly, so fix them.

* Add test for the CSRF workaround
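The mitigation described in the GHSA-jpf9-646h-4px7 commit message above, modelled as an added example that is not CVAT's own code: session authentication is honoured only when `action=download` (where the UI redirects the browser), every other GET on the export endpoint must carry a token, and the `action=download` path never enqueues a job. `Request`, `ExportState`, `authenticate` and `export_view` are hypothetical names; job states are a constructed stand-in for RQ.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    method: str
    query: Dict[str, str]
    # Set when a session cookie was sent (a browser, possibly from a cross-site page).
    session_user: Optional[str] = None
    # Set when an explicit Authorization token header was sent (API client).
    token_user: Optional[str] = None


def authenticate(request: Request) -> Optional[str]:
    """Session auth is accepted only for action=download, where the UI redirects
    the browser. Everywhere else only token auth counts, so a cross-site GET that
    carries nothing but the victim's session cookie is rejected."""
    if request.query.get("action") == "download":
        return request.session_user or request.token_user
    return request.token_user


@dataclass
class ExportState:
    # job id -> "queued" or "finished" (constructed stand-in for the RQ queue)
    jobs: Dict[str, str] = field(default_factory=dict)


def export_view(request: Request, state: ExportState, job_id: str) -> Tuple[int, str]:
    """GET handler for a dataset export endpoint following the commit's rules."""
    if authenticate(request) is None:
        return 401, "unauthenticated"
    job = state.jobs.get(job_id)
    if request.query.get("action") == "download":
        # Never enqueue here: only serve what already exists.
        if job == "finished":
            del state.jobs[job_id]  # the remaining small side effect the commit accepts
            return 200, "file"
        if job == "queued":
            return 202, "in progress"
        return 404, "no finished export"
    # Side-effecting path: reachable only by token-authenticated callers.
    if job is None:
        state.jobs[job_id] = "queued"
        return 202, "queued"
    return 202, job
```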

* Prepare release v2.14.3

* Update develop after v2.14.3

* Remove `ModelKind.CLASSIFIER` (#8011)

I'd like the "kind" field in the API to identify the function's
"signature", or the types of values it receives as input and produces as
output. Classifiers have the same signature as detectors, so
`classifier` is a redundant value.

Besides improving semantic purity, removing this redundant value
simplifies the UI code.

The only meaningful difference between how the UI handles classifiers,
as compared to detectors, is that it shows the word "classifier" in the
model modal, which can be helpful. But we can achieve the same thing by
examining the function's `return_type` field. This lets us give a
special label to segmentation functions, as well.

"classifier" can't actually be returned by `/api/lambda/functions`, but
it _can_ be returned by the RoboFlow/Hugging Face function API in CVAT
Enterprise. So we'll need a small compatibility shim to transform this
value to "detector" until I fix that API to stop returning it too.

* Change minio host server definition (#8032)

* Stop editing when n key pressed (#7922)

* Allowed editing in single shape annotation mode (#8017)

* Fix server cache cleanup for backups and events (#8040)

In #7864 the cache cleanup function was updated. The function was not
supposed to be called for anything except datasets, but it was called
for backups and events. This PR changes these clients to use their own
functions.

- Fixed `ValueError: Couldn't parse filename components in 'c71eba87-0914-4ccb-b883-a1bf1612fbf8.csv'` errors

* CVAT Architecture documentation update (#8031)
