v1.2.0

@mpge mpge released this 18 Apr 04:21
· 81 commits to main since this release

Security

  • SSRF: WorkflowEngine::actionSendWebhook() now validates URL scheme (http/https only) and rejects URLs that resolve to private/reserved IPs (#49)
  • ReDoS: regex injection through the matches operator in compareValues() is blocked; patterns now go through safeRegexMatch(), which validates the pattern and enforces a PCRE backtrack limit of 10,000 (#49)
  • Action-type injection: strict in: validation for actions.*.type in WorkflowController store/update (#49)
  • Field-access whitelist: resolveFieldValue() default case now whitelists subject, description, ticket_type, channel instead of open $ticket->{$field} access (#49)
  • Rate limiting: ticket creation 5/min, chat start 5/min, chat message 30/min (#49)
  • Audit log: workflow create/update/delete and report exports now produce AuditLog entries (#49)
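The two checks that carry the most weight in this list, the SSRF-safe URL validation in actionSendWebhook() and the bounded regex match in safeRegexMatch(), are illustrated below. This is an added example written for these notes, not Escalated's own code; the function names isSafeWebhookUrl() and isPublicIp() are assumptions, and safeRegexMatch() is a stand-in with the same contract the note describes (pattern validation plus a backtrack limit of 10,000), not the project's implementation.

```php
<?php
// Illustrative helpers (not Escalated's code) for the two v1.2.0 security fixes:
// an SSRF-safe webhook URL check and a backtrack-bounded regex match.
declare(strict_types=1);

/**
 * True only if $url is http/https and every address its host resolves to is a
 * public IP (no private or reserved ranges). Hypothetical name.
 */
function isSafeWebhookUrl(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // blocks file://, gopher://, ftp:// and friends
    }

    // parse_url keeps the brackets on IPv6 literals; filter_var does not want them.
    $host = trim($parts['host'], '[]');

    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addresses = [$host];                      // literal IP, check it directly
    } else {
        $records = @dns_get_record($host, DNS_A | DNS_AAAA);
        if ($records === false || $records === []) {
            return false;                          // unresolvable hosts are rejected
        }
        $addresses = [];
        foreach ($records as $record) {
            $addresses[] = $record['ip'] ?? $record['ipv6'];
        }
    }

    // Every resolved address must be public; one private A record is enough to reject.
    foreach ($addresses as $ip) {
        if (!isPublicIp($ip)) {
            return false;
        }
    }
    return true;
}

/** Hypothetical helper: rejects RFC 1918, loopback, link-local and other reserved ranges. */
function isPublicIp(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

/**
 * Bounded regex match. $body is the user-supplied pattern body; delimiters and
 * modifiers are added here so the caller cannot inject their own, and PCRE's
 * match limit is lowered so a catastrophic pattern fails fast instead of hanging.
 */
function safeRegexMatch(string $body, string $subject, int $backtrackLimit = 10000): bool
{
    if ($body === '' || strlen($body) > 512) {
        return false;                              // crude size cap; tune to your data
    }
    $pattern = '~' . str_replace('~', '\~', $body) . '~u';

    $previous = ini_get('pcre.backtrack_limit');
    ini_set('pcre.backtrack_limit', (string) $backtrackLimit);
    try {
        // preg_match returns false on a malformed pattern or when the match
        // limit is hit (preg_last_error() === PREG_BACKTRACK_LIMIT_ERROR).
        $result = @preg_match($pattern, $subject);
        return $result === 1;
    } finally {
        ini_set('pcre.backtrack_limit', (string) $previous);
    }
}

// Constructed sample inputs for a quick manual run.
var_dump(isSafeWebhookUrl('http://127.0.0.1/admin'));        // bool(false): loopback
var_dump(isSafeWebhookUrl('http://169.254.169.254/latest'));  // bool(false): link-local
var_dump(isSafeWebhookUrl('file:///etc/passwd'));             // bool(false): scheme
var_dump(safeRegexMatch('^urgent:', 'urgent: printer down'));                   // bool(true)
var_dump(safeRegexMatch('(a+)+$', str_repeat('a', 40) . 'b'));                  // bool(false): limit hit
```

Two caveats a reviewer would raise on this shape of check. First, resolving the host here and then handing the URL to an HTTP client that resolves it again leaves a DNS rebinding window; pinning the HTTP client to the address you validated closes it. Second, the PCRE match limit is per call and only bounds one pathological match, so it belongs alongside the rate limits listed above rather than instead of them.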

Fixed

  • php artisan escalated:install no longer aborts with Target class [Escalated\Laravel\Database\Seeders\PermissionSeeder] does not exist — the seeder namespace is now registered in production autoload (#56, fixes #55)
  • Attachment serialization now includes url (#50)
  • Ticket serialization includes computed fields (#51), chat / context panel / activity fields (#52), and the previously missing workflow / workflow log computed fields (#54)
  • Expensive computed fields moved off $appends so list endpoints stay fast; now only included in detail serialization (#53)

Internal

  • CI: minimum-stability set to stable and audit.ignore added for two phpunit advisories that were preventing the resolver from selecting any compatible phpunit version (#57)

Full changelog: v1.1.0...v1.2.0