Creates missing system images from application/src/main/data/resources/images
during LTS patch startup, mirroring the upgrade-path loadSystemResources logic.
Existing system images in the DB are left untouched.
- Mark force-added entity-field filter mappings as ignored under OR so
EntityDataAdapter keeps the response shape identical to AND (applied
to both findEntityDataByQuery and validateEntityCountQuery paths).
- Skip the ON-clause filter in toLatestJoin when forceLeftJoin=true to
avoid duplicating the predicate that buildQuery already emits at the
middle layer under OR (different bound parameter names, same filter).
- Document the empty-predicate drop in buildQuery (safe under AND,
narrowing under OR) and the defensive vacuously-true return in
RepositoryUtils.checkKeyFilters.
- Explain why validateEntityCountQuery uses the nullable
getKeyFiltersOperation() rather than the OrDefault helper.
- Add regression test asserting latest[ENTITY_FIELD] under OR only
contains keys declared in entityFields.
Prevents UnrecognizedPropertyException during rolling upgrades when a
newer node writes a cached entity with an added field and an older node
reads it back. The Redis-backed TbJsonRedisSerializer now uses
JacksonUtil.IGNORE_UNKNOWN_PROPERTIES_JSON_MAPPER instead of the strict
OBJECT_MAPPER used by JacksonUtil.fromBytes.
- Restore private on TEST_SCRIPT_EXPRESSION in CalculatedFieldController
- Restore @Valid on deprecated alarms field in DeviceProfileData
- Remove broken type guard in getTestScriptDialog (AlarmRuleDefinition
DTO has no type field, causing the dialog to never open)
- Move OR filter predicates to middle-layer WHERE clause where JOIN alias
table references are visible, fixing BadSqlGrammarException
- Use alias name (e.g. alias2) instead of bare column name for entity
field predicates in middle-layer WHERE
- Propagate keyFiltersOperation through BaseEntityService optimization
path and alarm subscription contexts (TbAlarmDataSubCtx, TbAlarmCountSubCtx)
- Replace ThingsboardException with IllegalArgumentException for OR
disabled validation
- Add AlarmCountQuery 3-arg constructor for test convenience
- Add 8 new integration tests: alarm data/count OR, mixed entity field +
attribute OR, string attributes, single filter, 3-way OR, pagination,
and zero-match edge case
- Extract evaluateSingleFilter helper to avoid duplicating filter evaluation logic
- Add 3-arg checkKeyFilters overload accepting ComplexOperation parameter
- OR mode: any matching filter includes entity (short-circuit on first true)
- AND mode: all filters must match (short-circuit on first false, unchanged behavior)
- Null operation defaults to AND for backward compatibility
- Update checkFilters to pass query.getKeyFiltersOperation() through to checkKeyFilters
- Add keyFiltersOperation field to EdqsQuery base class
- Update EdqsCountQuery and EdqsDataQuery constructors to accept and propagate ComplexOperation
- Propagate keyFiltersOperationOrDefault in both toNewQuery overloads in RepositoryUtils
- Add sql.query.key-filters-or-conditions.enabled property to thingsboard.yml
- Add allowKeyFiltersOrConditions field to SystemParams
- Wire config value into SystemInfoController for /api/system/params
- Add validateKeyFiltersOperation to DefaultEntityQueryService
- Add throws ThingsboardException to EntityQueryService interface methods
- Reject OR queries with 400 when feature is disabled
- Add keyFiltersOperation field with null-safe getKeyFiltersOperationOrDefault()
- Add 3-arg constructor to EntityCountQuery for explicit operation
- Add 6-arg constructors to AbstractDataQuery and EntityDataQuery
- Add 7-arg constructor to AlarmDataQuery
- Update next() methods to propagate keyFiltersOperation
- Update buildEntityDataQuery methods to pass operation from alarm queries
- Extract shared parseHostEntries() to deduplicate setAllowedHosts/setAdditionalBlockedHosts
- Add isHostnameAllowed() and propagate hostname allow-list check in resolver
- Move OAuth2 custom mapper URL SSRF validation to save-time (Oauth2ClientDataValidator)
- Remove runtime SSRF checks from CustomOAuth2ClientMapper and GithubOAuth2ClientMapper
(custom URL now validated at save; GitHub emailUrl is server config, not user input)
- Replace example.com with 8.8.8.8 in resolver test to avoid DNS dependency
Add SsrfSafeAddressResolverGroup that validates resolved IPs at Netty
connection time, eliminating the TOCTOU gap where DNS rebinding domains
resolve to safe IPs during validation but to private/metadata IPs at
connection time. Disable HTTP redirects in TbHttpClient to prevent
redirect-based SSRF bypass.
Add allow-list support (SSRF_ALLOWED_HOSTS) to SsrfProtectionValidator
so customers with IoT devices on private networks can whitelist specific
addresses or CIDR ranges while keeping SSRF protection enabled.
Add SSRF validation to MS Teams webhook, custom OAuth2 mapper, and
GitHub OAuth2 mapper endpoints. Log a warning when SSRF protection is
disabled.
- Extract RuleChainDetailsDao from RuleChainDao to reuse JpaAbstractDao
save logic (proper @Version increment, flush, detach)
- Reduce notes column size from 10MB to 1MB in schema and migration
- Catch "value too long" DB error with user-friendly message
- Pass tenantId consistently through the details DAO API
- Exclude content/markdownCss from RuleChainNote toString
- Add tests: save/load notes, update notes, preserve notes on
RuleChain save, remove notes, exceeded size limit
Rename `openConnections`/`connectionsCounter` to `statsName`/`number`
to match DefaultTransportService and avoid misleading future readers.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Viacheslav Klimov
dashevchenko
Sergey Matvienko