fix: add output encoding in Create.php#11882
Open
orbisai0security wants to merge 10000 commits into appwrite:dev from
…y reorder hydration, and add E2E tests
Updated the README to enhance clarity and remove outdated information.
Updated the description of Appwrite to emphasize its open-source nature and capabilities. Added detailed product descriptions for Appwrite services.
Reduced the ENQUEUE_TIMER constant from 60 seconds to 30 seconds. Modified the condition for currentTick to use less than or equal to (<=) instead of less than (<) for better accuracy in scheduling. Changed return statement to continue in case of missing schedule key to enhance flow control.
…ec-docs [codex] Fail specs when referenced docs are missing
…gration-flake [codex] Fix flaky VectorsDB metadata bootstrap in migrations
Wrap only cache load/save calls in try-catch instead of the entire cache block. This prevents OrderException, QueryException, and Timeout from $find() being caught and retried, which would double DB calls and hide real query errors. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…pseclib-bump Bump phpseclib to 3.0.51 for CVE-2026-40194
…loyment-resource-type-optional Make rule deploymentResourceType optional for non-deployment rules
…ompose-executor
…1876) Http::execute() now requires a Response parameter as of utopia-php/http 0.34.20. The GraphQL resolver was only passing route and request, causing all GraphQL queries to fail with "Internal server error". Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This reverts commit 8deafca.
utopia-php/http 0.34.20 added a guard that skips the action if $response->isSent() is true. In batched GraphQL requests the resolver reuses a single Response across all queries — after the first query's action calls send(), subsequent queries hit the guard, their actions are skipped, and stale/null payloads are returned. Add Response::clearSent() to the Appwrite Response subclass (which can access the protected $sent property from the parent) and call it in Resolvers::resolve() before each execute(). This ensures each batched query gets a fresh sent state while keeping the guard active for normal request paths. Also bumps utopia-php/http from 0.34.19 to 0.34.20 so CE CI tests against the same version used by downstream consumers (cloud). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
(fix): cache fallback
…t-reset fix: reset response sent state between batched GraphQL queries
…ls-apis Feat: services protocols public apis
added reset in db worker for queue for realtime
The URL attribute Create and Update endpoints in the Databases module accept URL values stored as collection attributes
Summary

Fix high severity security issue in src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Attributes/URL/Create.php.

Vulnerability

V-003 src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Attributes/URL/Create.php:46

Description: The URL attribute Create and Update endpoints in the Databases module accept URL values stored as collection attributes. If URL values are not strictly validated to permit only http and https schemes, attackers with write access can store javascript: protocol URLs or data: URIs. When these values are later retrieved and rendered in a frontend application without proper output encoding (e.g., as an href or src attribute), they can trigger stored cross-site scripting (XSS) or server-side request forgery (SSRF) attacks. Confidence is low pending manual review of the full validation middleware chain.

Changes

app/init/database/formats.php
src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Attributes/URL/Create.php
src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Attributes/URL/Update.php

Verification

Automated security fix by OrbisAI Security
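The scheme allow-list the description calls for, beside the deny-list pattern that misses obfuscated schemes, and an attribute-encoding helper for the rendering side, as an added example in JavaScript. This is not Appwrite's PHP code nor the change made by this PR; it assumes Node.js with the global WHATWG URL class, and every sample URL is constructed.

```javascript
// Added example (not Appwrite's code): allow-list URL scheme validation
// versus a deny-list, plus HTML attribute encoding for the rendering side.
// Assumes Node.js >= 10 (global WHATWG `URL`). Sample inputs are constructed.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Weak form: a deny-list on the raw string. A leading space or an embedded
// tab/newline defeats the regex, yet browsers strip those before resolving
// the scheme, so such values still resolve to javascript: when rendered.
function isUrlDenyList(value) {
  return !/^(javascript|data):/i.test(value);
}

// Strict form: parse with the same WHATWG algorithm browsers use, then
// compare the normalised scheme against an allow-list. The parser lowercases
// the scheme, strips leading/trailing C0 controls and spaces, and removes
// embedded tab/newline characters, so obfuscated forms are seen as they
// will be interpreted. Relative and malformed input throws and is rejected.
function isUrlStrict(value) {
  if (typeof value !== 'string' || value.length === 0) return false;
  let parsed;
  try {
    parsed = new URL(value);
  } catch (e) {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) && parsed.hostname !== '';
}

// Rendering side: output encoding for an HTML attribute value. Validation on
// write does not remove the need to encode on output (e.g. for `href`).
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The value to emit into an href: the validated URL, otherwise a neutral one.
function safeHref(value) {
  return escapeHtmlAttr(isUrlStrict(value) ? value : 'about:blank');
}

// Constructed samples: the deny-list accepts the obfuscated forms, the
// parser-based allow-list does not.
const samples = ['https://example.com/a', ' javascript:void(0)',
  'java\tscript:void(0)', 'data:text/plain,hello', '//example.com/a'];
for (const s of samples) {
  console.log(JSON.stringify(s), 'deny-list:', isUrlDenyList(s), 'strict:', isUrlStrict(s));
}
```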