From 061b9974570363edbf7efb5c3f2a3ca8c2914394 Mon Sep 17 00:00:00 2001
From: Maksym Tsymbarov
Date: Mon, 9 Mar 2026 14:03:47 +0100
Subject: [PATCH 1/5] Fixed resetting of validation on storeLink property

---
 .../home/pages/mobile/applications/mobile-app.component.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ui-ngx/src/app/modules/home/pages/mobile/applications/mobile-app.component.ts b/ui-ngx/src/app/modules/home/pages/mobile/applications/mobile-app.component.ts
index 3f114c7707..886cd5ab6e 100644
--- a/ui-ngx/src/app/modules/home/pages/mobile/applications/mobile-app.component.ts
+++ b/ui-ngx/src/app/modules/home/pages/mobile/applications/mobile-app.component.ts
@@ -109,7 +109,7 @@ export class MobileAppComponent extends EntityComponent {
 .addValidators(Validators.required);
 form.get('storeInfo.appId').addValidators(Validators.required);
 } else {
- form.get('storeInfo.storeLink').clearValidators();
+ form.get('storeInfo.storeLink').removeValidators(Validators.required);
 form.get('storeInfo.sha256CertFingerprints').removeValidators(Validators.required);
 form.get('storeInfo.appId').removeValidators(Validators.required);
 }

From de0c2850f70956f94dbda7f72a389cac2fcdacd2 Mon Sep 17 00:00:00 2001
From: Viacheslav Klimov
Date: Wed, 18 Mar 2026 16:44:08 +0200
Subject: [PATCH 2/5] Fix CSP example value to include img-src and font-src directives

---
 application/src/main/resources/thingsboard.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/application/src/main/resources/thingsboard.yml b/application/src/main/resources/thingsboard.yml
index 79bf8a9706..e82d3fd061 100644
--- a/application/src/main/resources/thingsboard.yml
+++ b/application/src/main/resources/thingsboard.yml
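Review bot: Adding or removing validators with `addValidators`/`removeValidators` does not re-run validation, so unless the enclosing code (the function starts before and ends after this hunk) calls `updateValueAndValidity()` on each control afterwards, a storeLink that was already flagged by `required` keeps that stale error until the user edits it, and the reverse holds when `required` is added. If that call is not there, I'd add one per touched control after the `else` block, e.g. `form.get('storeInfo.storeLink').updateValueAndValidity();` and likewise for `sha256CertFingerprints` and `appId`. Keeping `removeValidators(Validators.required)` instead of `clearValidators()` preserves whatever other validators the storeLink control was built with, which I read as the intent of the fix.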
@@ -215,7 +215,7 @@ security:
 # - Widgets loading external resources (images, fonts, scripts)
 # - Dashboard embedding via iframes (if frame-ancestors is restrictive)
 # Use 'report-only: true' first to test the impact before enforcing.
-# Example value: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'"
+# Example value: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; frame-ancestors 'self'"
 content-security-policy:
 # Enable/disable Content-Security-Policy header. Mitigates XSS and data injection attacks
 enabled: "${SECURITY_HEADERS_CONTENT_SECURITY_POLICY_ENABLED:false}"

From 628fe0403263381ac5e3642ac43668fb843b1604 Mon Sep 17 00:00:00 2001
From: Viacheslav Klimov
Date: Thu, 19 Mar 2026 10:32:31 +0200
Subject: [PATCH 3/5] Make SsrfProtectionValidator-dependent tests more stable

---
 .../thingsboard/common/util/SsrfProtectionValidatorTest.java | 2 +-
 .../rule/engine/rest/SsrfSafeAddressResolverGroupTest.java | 2 +-
 .../java/org/thingsboard/rule/engine/rest/TbHttpClientTest.java | 2 ++
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/common/util/src/test/java/org/thingsboard/common/util/SsrfProtectionValidatorTest.java b/common/util/src/test/java/org/thingsboard/common/util/SsrfProtectionValidatorTest.java
index d2d1be80c9..77f915c09c 100644
--- a/common/util/src/test/java/org/thingsboard/common/util/SsrfProtectionValidatorTest.java
+++ b/common/util/src/test/java/org/thingsboard/common/util/SsrfProtectionValidatorTest.java
@@ -29,7 +29,7 @@ import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatNoException;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
-@ResourceLock("SsrfProtectionValidatorTest") // some tests mutate static additional-blocked-hosts
+@ResourceLock("SsrfProtectionValidator") // to avoid race conditions when modifying SsrfProtectionValidator's static configuration
 public class SsrfProtectionValidatorTest {
 
 @ParameterizedTest
diff --git a/rule-engine/rule-engine-components/src/test/java/org/thingsboard/rule/engine/rest/SsrfSafeAddressResolverGroupTest.java b/rule-engine/rule-engine-components/src/test/java/org/thingsboard/rule/engine/rest/SsrfSafeAddressResolverGroupTest.java
index 99506d3d12..fc3b825d36 100644
--- a/rule-engine/rule-engine-components/src/test/java/org/thingsboard/rule/engine/rest/SsrfSafeAddressResolverGroupTest.java
+++ b/rule-engine/rule-engine-components/src/test/java/org/thingsboard/rule/engine/rest/SsrfSafeAddressResolverGroupTest.java
@@ -37,7 +37,7 @@ import java.util.concurrent.TimeUnit;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
-@ResourceLock("SsrfSafeAddressResolverGroupTest")
+@ResourceLock("SsrfProtectionValidator") // to avoid race conditions when modifying SsrfProtectionValidator's static configuration
 class SsrfSafeAddressResolverGroupTest {
 
 private static NioEventLoopGroup eventLoopGroup;
diff --git a/rule-engine/rule-engine-components/src/test/java/org/thingsboard/rule/engine/rest/TbHttpClientTest.java b/rule-engine/rule-engine-components/src/test/java/org/thingsboard/rule/engine/rest/TbHttpClientTest.java
index 6363e1032a..a33d25b038 100644
--- a/rule-engine/rule-engine-components/src/test/java/org/thingsboard/rule/engine/rest/TbHttpClientTest.java
+++ b/rule-engine/rule-engine-components/src/test/java/org/thingsboard/rule/engine/rest/TbHttpClientTest.java
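Review bot: The lock only prevents interleaving; it does not undo what a test does to `SsrfProtectionValidator`'s static configuration, so any test in this class that adds blocked hosts still has to restore the previous value in `@AfterEach`/`@AfterAll` (outside this hunk, worth confirming), otherwise a leaked entry silently changes the SSRF verdict for every later test in the same JVM. Note also that `@ResourceLock` coordinates only within one JVM: the same key does serialize `SsrfSafeAddressResolverGroupTest` and `TbHttpClientTest`, which share the rule-engine-components module, but this class lives in common/util and, assuming one surefire JVM per module, never shares a process with them, so here the shared key is documentation rather than synchronization. I'd have the comment say that, e.g. `// same key as the rule-engine REST tests; only serializes classes that run in this JVM`.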
@@ -22,6 +22,7 @@ import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.parallel.ResourceLock;
 import org.mockito.ArgumentCaptor;
 import org.mockito.Mockito;
 import org.mockserver.integration.ClientAndServer;
@@ -54,6 +55,7 @@ import static org.mockserver.integration.ClientAndServer.startClientAndServer;
 import static org.mockserver.model.HttpRequest.request;
 import static org.mockserver.model.HttpResponse.response;
 
+@ResourceLock("SsrfProtectionValidator") // to avoid race conditions when modifying SsrfProtectionValidator's static configuration
 public class TbHttpClientTest {
 
 EventLoopGroup eventLoop;

From 02529029c5793b97cb503aa61b451d5a41e14b49 Mon Sep 17 00:00:00 2001
From: Viacheslav Klimov
Date: Thu, 19 Mar 2026 10:37:37 +0200
Subject: [PATCH 4/5] Update default CSP value covering core ThingsBoard functionality

---
 application/src/main/resources/thingsboard.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/application/src/main/resources/thingsboard.yml b/application/src/main/resources/thingsboard.yml
index e82d3fd061..81b56aff28 100644
--- a/application/src/main/resources/thingsboard.yml
+++ b/application/src/main/resources/thingsboard.yml
@@ -215,12 +215,15 @@ security:
 # - Widgets loading external resources (images, fonts, scripts)
 # - Dashboard embedding via iframes (if frame-ancestors is restrictive)
 # Use 'report-only: true' first to test the impact before enforcing.
-# Example value: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; frame-ancestors 'self'"
+# The default value covers core ThingsBoard functionality including OpenStreetMap, ArcGIS maps,
+# solution template previews, WebSocket telemetry, and chart Web Workers.
+# NOTE: Google Maps requires adding Google domains to script-src, which is not included by default.
+# To add Google Maps support, append to script-src: https://maps.googleapis.com https://maps.gstatic.com
 content-security-policy:
 # Enable/disable Content-Security-Policy header. Mitigates XSS and data injection attacks
 enabled: "${SECURITY_HEADERS_CONTENT_SECURITY_POLICY_ENABLED:false}"
-# Full CSP directive string
-value: "${SECURITY_HEADERS_CONTENT_SECURITY_POLICY_VALUE:}"
+# Full CSP directive string. The default value is a working policy for most ThingsBoard deployments
+value: "${SECURITY_HEADERS_CONTENT_SECURITY_POLICY_VALUE:default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://img.thingsboard.io https://tile.openstreetmap.org https://*.tile.openstreetmap.org https://*.arcgis.com; font-src 'self' data:; connect-src 'self' ws: wss: https://*.arcgis.com https://*.arcgisonline.com; worker-src 'self' blob:; frame-ancestors 'self'}"
 # If true, uses Content-Security-Policy-Report-Only header instead — the browser
 # reports violations but does not enforce them. Use for testing before enforcing.
 report-only: "${SECURITY_HEADERS_CONTENT_SECURITY_POLICY_REPORT_ONLY:false}"

From 95d2e77c827a38a182209e98959e0da9c3ca7bbd Mon Sep 17 00:00:00 2001
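Review bot: The new default keeps `'unsafe-inline' 'unsafe-eval'` in script-src, so an injected inline `<script>` or event-handler attribute still executes; what this policy actually blocks is script loaded from origins other than `'self'`, and the `# Mitigates XSS and data injection attacks` comment above `enabled:` should say so rather than imply full XSS coverage, e.g. `# NOTE: with 'unsafe-inline'/'unsafe-eval' in script-src (needed by the UI today) this policy does not stop injected inline script; it restricts where scripts, images, fonts and connections may come from.` Second, `connect-src 'self' ws: wss:` uses scheme-only sources, which lets page script open WebSocket (and, via `ws:`, cleartext) connections to any host, not just the ThingsBoard origin; in browsers implementing CSP Level 3 `'self'` already matches same-origin ws/wss, so either drop the schemes or document why the wide allowance is required. Third, default-src does not govern `base-uri` or `form-action`, and object-src falls back to `'self'`; appending `base-uri 'self'; form-action 'self'; object-src 'none'` is cheap hardening that I would not expect to break the UI, though it should be validated in report-only mode first like the rest. The `https://*.arcgis.com` / `https://*.arcgisonline.com` wildcards are broad but at least confined to img-src/connect-src.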
From: Vladyslav_Prykhodko
Date: Thu, 19 Mar 2026 13:04:26 +0200
Subject: [PATCH 5/5] UI: Fixed yarn.lock

---
 ui-ngx/yarn.lock | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/ui-ngx/yarn.lock b/ui-ngx/yarn.lock
index 190f486536..721b8b8006 100644
--- a/ui-ngx/yarn.lock
+++ b/ui-ngx/yarn.lock
@@ -238,18 +238,6 @@
 "@angular-devkit/architect" "0.2003.20"
 rxjs "7.8.2"
 
-"@angular-devkit/core@20.3.18":
- version "20.3.18"
- resolved "https://registry.yarnpkg.com/@angular-devkit/core/-/core-20.3.18.tgz#a079775ba6a31583a0d57813b374a6c8c997f252"
- integrity sha512-zGWMjMqE8qXYr8baYCs43k9HlKz9J4Gh3Yx+7XE0uS0Y1LXzzALevSoUw7GIPdSvOriQJAEgtWE6QKssqSGltQ==
- dependencies:
- ajv "8.18.0"
- ajv-formats "3.0.1"
- jsonc-parser "3.3.1"
- picomatch "4.0.3"
- rxjs "7.8.2"
- source-map "0.7.6"
-
 "@angular-devkit/core@20.3.20", "@angular-devkit/core@>= 20.0.0 < 21.0.0", "@angular-devkit/core@^20.0.0":
 version "20.3.20"
 resolved "https://registry.yarnpkg.com/@angular-devkit/core/-/core-20.3.20.tgz#62278795afb05ff1c2f442387e5c3e996ac304bf"