π Security
Jira
- Prevented caller-supplied
projects_filtervalues from injecting JQL operators that could escape the configured project allowlist. Filter values with JQL syntax are now quoted as literals, and generated project clauses are explicitly grouped. (#1450)
Transport
- Kept caller-controlled destinations on the direct DNS-pinned connection path when deployment proxies are configured, so proxy-side DNS resolution cannot bypass the SSRF rebinding defense. Operator-configured Jira, Confluence, OAuth gateway, and allowlisted hosts continue to support proxies. (#1450)
- Resolved relative and scheme-relative redirect locations against the response URL before SSRF validation, restoring safe same-host redirects while continuing to block unsafe destinations. (#1450)
Full Changelog: v0.22.0...v0.22.1