feat(container): update image docker.io/gotenberg/gotenberg ( 8.31.0 → 8.32.0 )

[renovate]

This PR contains the following updates:

Package	Update	Change
docker.io/gotenberg/gotenberg	minor	8.31.0 → 8.32.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

gotenberg/gotenberg (docker.io/gotenberg/gotenberg)

v8.32.0: 8.32.0

Compare Source

Breaking Changes & Security Fixes ⚠️

• Reverted SSRF defaults (breaking vs 8.31.0). 8.31.0 blocked private-IP destinations by default, which broke deployments running Gotenberg inside a private network. 8.32.0 restores the 8.30.x permissive defaults. Operators with internet-facing APIs opt into the strict posture via the new flags below.

• Rejected file:// at /forms/chromium/convert/url. Submitting url=file:///tmp/... used to let an unauthenticated caller enumerate the request working directory and read other in-flight uploads as rendered PDFs. The route now returns HTTP 400 for any file:// URL.

• Required uploaded file for image / pdf stamp and watermark sources. Twelve callsites accepted stampSource=pdf or watermarkSource=pdf with an expression pointing at any path the Gotenberg process could open, even when no file was uploaded. Handlers now return HTTP 400 unless the caller uploaded a matching file.

• Scoped file:// sub-resources to the request working directory. Crafted HTML could reference another request's file:///tmp/<reqdir>/.... The CDP request handler now restricts file:// sub-resources to the current request's directory. /convert/url and /screenshot/url reject every file:// sub-resource outright.

• Hardened Chromium against DNS rebinding. A short-TTL DNS authority could return a public IP at validation and a private IP at connect. A loopback HTTP / CONNECT proxy now sits between Chromium and the network, resolves DNS once, and pins the dial to the resolved IP. Skipped when --chromium-proxy-server or --chromium-host-resolver-rules is set.

• Filtered LibreOffice outbound fetches through a proxy. Uploaded OOXML, RTF, and ODF files can embed external URLs that LibreOffice's libcurl resolves below every Go-side SSRF filter. LibreOffice now routes every outbound fetch through an in-process forward proxy on the same gotenberg.DecideOutbound path Chromium and webhook delivery use. See the four new flags below.

• Recovered webhook async panics. High-concurrency webhooks could panic the async goroutine and crash the whole process. The goroutine now snapshots the request context and recovers any future panic through the existing error path.

New Features

• LibreOffice outbound URL filtering. Four flags mirror the Chromium and webhook layout: --libreoffice-allow-list, --libreoffice-deny-list, --libreoffice-deny-private-ips, --libreoffice-deny-public-ips. All default permissive.

• IP-class filtering on four modules. chromium, webhook, api-download-from, and libreoffice each accept matching deny-private-ips and deny-public-ips flags. All default to false.

Flag	What it does
--chromium-deny-private-ips	Reject Chromium navigations and sub-resources resolving to a non-public IP.
--chromium-deny-public-ips	Reject Chromium navigations and sub-resources resolving to a public IP.
--webhook-deny-private-ips	Reject webhook URLs (success, error, events) resolving to a non-public IP.
--webhook-deny-public-ips	Reject webhook URLs resolving to a public IP.
--api-download-from-deny-private-ips	Reject downloadFrom URLs resolving to a non-public IP.
--api-download-from-deny-public-ips	Reject downloadFrom URLs resolving to a public IP.
--libreoffice-deny-private-ips	Reject LibreOffice outbound fetches resolving to a non-public IP.
--libreoffice-deny-public-ips	Reject LibreOffice outbound fetches resolving to a public IP.

A URL matching --*-allow-list skips the IP-class check. A URL matching --*-deny-list is always rejected. Setting both deny-private-ips=true and deny-public-ips=true rejects every URL unless the allow-list matches.

Bug Fixes

• Charts print as blank rectangles (#​1531, #​1532, #​1534, #​1535): chromedp v0.15.0 suspended the BeginFrame-driven callback dispatch loop under emulatedMediaType=print. requestAnimationFrame, ResizeObserver, IntersectionObserver, CSS transitionend, and CSS animationend all stopped firing. Pinning chromedp back to v0.14.2 restores native dispatch.

• LibreOffice cached an unrecoverable first-start error (#​1538): A short --libreoffice-start-timeout timed out the first request, then every subsequent request returned the same cached error until the container restarted. The lazy-start path now retries on failure.

Chore

• Updated pdfcpu to v0.12.0.
• Switched metadata read/write to direct exiftool invocation. Removes the GPL-3.0 go-exiftool dependency.
• Bumped Go to 1.26.2.
• Updated Go dependencies.

Thanks

Thanks to @​Jalliuz (#​1527) for reporting the 8.31.0 sub-resource regression. @​notscottsmith (#​1531), @​spoltix (#​1532), @​rdelott-work (#​1534), and @​sillyas2010 (#​1535) narrowed down the chromedp print-mode regression. @​sillyas2010 also published the reproducer that pinned the bisect. @​JeremyReist2 (#​1536) flagged the go-exiftool GPL-3.0 license. @​doronbehar (#​1537) requested the pdfcpu upgrade. @​mlafon (#​1538) reported the LibreOffice supervisor cached-error bug.

---

Configuration

📅 Schedule: (in timezone America/Los_Angeles)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[homelab-assistant]

--- HelmRelease: default/paperless-ngx Deployment: default/paperless-ngx-gotenberg

+++ HelmRelease: default/paperless-ngx Deployment: default/paperless-ngx-gotenberg

@@ -35,13 +35,13 @@

       dnsPolicy: ClusterFirst
       containers:
       - command:
         - gotenberg
         - --chromium-disable-javascript=true
         - --chromium-allow-list=file:///tmp/.*
-        image: docker.io/gotenberg/gotenberg:8.31.0@sha256:f0d86e8a1dbc7b33a5a65cb251d02bb271a48ffa989da3feb5ed7d954fe4d4b3
+        image: docker.io/gotenberg/gotenberg:8.32.0@sha256:a40c5a46b79d812ce2f5e139278163142a054050bfd1e5f162da36d3d11c7138
         name: main
         resources:
           limits:
             cpu: 3000m
             memory: 6000Mi
           requests:

[homelab-assistant]

--- cluster-apps/chongus/default/paperless/app Kustomization: default/paperless-ngx HelmRelease: default/paperless-ngx

+++ cluster-apps/chongus/default/paperless/app Kustomization: default/paperless-ngx HelmRelease: default/paperless-ngx

@@ -21,13 +21,13 @@

             command:
             - gotenberg
             - --chromium-disable-javascript=true
             - --chromium-allow-list=file:///tmp/.*
             image:
               repository: docker.io/gotenberg/gotenberg
-              tag: 8.31.0@sha256:f0d86e8a1dbc7b33a5a65cb251d02bb271a48ffa989da3feb5ed7d954fe4d4b3
+              tag: 8.32.0@sha256:a40c5a46b79d812ce2f5e139278163142a054050bfd1e5f162da36d3d11c7138
             resources:
               limits:
                 cpu: 3000m
                 memory: 6000Mi
               requests:
                 cpu: 10m