Skip to content

v0.22.1

Latest

Choose a tag to compare

@sooperset sooperset released this 11 Jul 04:28

πŸ”’ Security

Jira

  • Prevented caller-supplied projects_filter values from injecting JQL operators that could escape the configured project allowlist. Filter values with JQL syntax are now quoted as literals, and generated project clauses are explicitly grouped. (#1450)

Transport

  • Kept caller-controlled destinations on the direct DNS-pinned connection path when deployment proxies are configured, so proxy-side DNS resolution cannot bypass the SSRF rebinding defense. Operator-configured Jira, Confluence, OAuth gateway, and allowlisted hosts continue to support proxies. (#1450)
  • Resolved relative and scheme-relative redirect locations against the response URL before SSRF validation, restoring safe same-host redirects while continuing to block unsafe destinations. (#1450)

Full Changelog: v0.22.0...v0.22.1