- Extract shared parseHostEntries() to deduplicate setAllowedHosts/setAdditionalBlockedHosts
- Add isHostnameAllowed() and propagate hostname allow-list check in resolver
- Move OAuth2 custom mapper URL SSRF validation to save-time (Oauth2ClientDataValidator)
- Remove runtime SSRF checks from CustomOAuth2ClientMapper and GithubOAuth2ClientMapper
  (custom URL now validated at save; GitHub emailUrl is server config, not user input)
- Replace example.com with 8.8.8.8 in resolver test to avoid DNS dependency
Add SsrfSafeAddressResolverGroup that validates resolved IPs at Netty
connection time, eliminating the TOCTOU gap where DNS rebinding domains
resolve to safe IPs during validation but to private/metadata IPs at
connection time. Disable HTTP redirects in TbHttpClient to prevent
redirect-based SSRF bypass.
Add allow-list support (SSRF_ALLOWED_HOSTS) to SsrfProtectionValidator
so customers with IoT devices on private networks can whitelist specific
addresses or CIDR ranges while keeping SSRF protection enabled.
Add SSRF validation to MS Teams webhook, custom OAuth2 mapper, and
GitHub OAuth2 mapper endpoints. Log a warning when SSRF protection is
disabled.
Tests that read shared static state (e.g. testAllowedUrls with 8.8.8.8)
could run concurrently with tests that mutate it (e.g. testAdditionalBlockedSingleIp),
causing intermittent failures. Class-level @ResourceLock serializes all tests.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
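The connection-time check that the SsrfSafeAddressResolverGroup commit above describes, as an added example rather than ThingsBoard's own class: a Netty AddressResolverGroup that wraps the real resolver and validates the address DNS actually returned just before the connection is made, so a rebinding hostname that passed an earlier check still cannot reach a private or metadata IP. The class name, the isPublic policy and the permitted predicate (the hook where SSRF_ALLOWED_HOSTS entries would be honoured) are assumptions.

```java
import io.netty.resolver.AddressResolver;
import io.netty.resolver.AddressResolverGroup;
import io.netty.util.concurrent.EventExecutor;
import io.netty.util.concurrent.Future;
import io.netty.util.concurrent.Promise;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.util.List;
import java.util.function.Consumer;
import java.util.function.Predicate;

public final class IpCheckingResolverGroup extends AddressResolverGroup<InetSocketAddress> { // illustrative, not ThingsBoard's class
    private final AddressResolverGroup<InetSocketAddress> delegate;
    private final Predicate<InetAddress> permitted; // hypothetical hook: allow-listed hosts/CIDRs would be OR-ed in here
    public IpCheckingResolverGroup(AddressResolverGroup<InetSocketAddress> delegate, Predicate<InetAddress> permitted) { this.delegate = delegate; this.permitted = permitted; }

    /** Default policy: only globally routable unicast addresses may be connected to. */
    public static boolean isPublic(InetAddress ip) {
        byte[] b = ip.getAddress();
        boolean ipv6Ula = b.length == 16 && (b[0] & 0xfe) == 0xfc; // fc00::/7 is not covered by isSiteLocalAddress()
        return !(ip.isAnyLocalAddress() || ip.isLoopbackAddress() || ip.isLinkLocalAddress() // 169.254.169.254 is link-local
                || ip.isSiteLocalAddress() || ip.isMulticastAddress() || ipv6Ula);
    }

    private void check(InetSocketAddress addr) { // judges the IP DNS actually returned, not the hostname
        if (addr.getAddress() == null || !permitted.test(addr.getAddress()))
            throw new SecurityException("Refusing connection to " + addr.getHostString() + " -> " + addr.getAddress());
    }

    // Completes p with src's result only after verify accepted it, so the check runs after the final DNS answer.
    private <V> Future<V> guarded(Future<? extends V> src, Promise<V> p, Consumer<? super V> verify) {
        src.addListener(f -> {
            if (!src.isSuccess()) { p.tryFailure(src.cause()); return; }
            try { verify.accept(src.getNow()); p.trySuccess(src.getNow()); } catch (SecurityException e) { p.tryFailure(e); }
        });
        return p;
    }

    @Override
    protected AddressResolver<InetSocketAddress> newResolver(EventExecutor executor) {
        AddressResolver<InetSocketAddress> inner = delegate.getResolver(executor);
        return new AddressResolver<InetSocketAddress>() {
            public boolean isSupported(SocketAddress a) { return inner.isSupported(a); }
            public boolean isResolved(SocketAddress a) { return inner.isResolved(a); }
            public Future<InetSocketAddress> resolve(SocketAddress a) { return resolve(a, executor.newPromise()); }
            public Future<InetSocketAddress> resolve(SocketAddress a, Promise<InetSocketAddress> p) { return guarded(inner.resolve(a), p, IpCheckingResolverGroup.this::check); }
            public Future<List<InetSocketAddress>> resolveAll(SocketAddress a) { return resolveAll(a, executor.newPromise()); }
            public Future<List<InetSocketAddress>> resolveAll(SocketAddress a, Promise<List<InetSocketAddress>> p) { return guarded(inner.resolveAll(a), p, rs -> rs.forEach(IpCheckingResolverGroup.this::check)); }
            public void close() { inner.close(); }
        };
    }
}
```

Install it on the client's Bootstrap with `bootstrap.resolver(new IpCheckingResolverGroup(DefaultAddressResolverGroup.INSTANCE, IpCheckingResolverGroup::isPublic))`; because redirects are followed by a fresh resolve, the same check covers them only if redirects are disabled or routed through the same resolver, which is why the commit also turns them off in TbHttpClient.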
Move TestDbCallbackExecutor from rule-engine test sources to
common/util main sources as DirectListeningExecutor, making it
available to all modules. Convert to an enum singleton since the
executor is stateless. Widen JpaAbstractDaoListeningExecutorService
service field type from JpaExecutorService to ListeningExecutor to
allow injecting DirectListeningExecutor in tests. Fix
AbstractChunkedAggregationTimeseriesDaoTest NPE by injecting the
direct executor into the spy.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Experiments with CSV
* CSV Loader v1
* EDQ tests
* Volatile variables instead of final
* Improvements
* updated loader with new entities
* Fix double memory usage issue
* Basic data structures and load
* Minor improvements
* Snappy + Large String reuse
* added EntityFields classes for each entity
* Basic implementation
* Minor improvements to KeyFilters
* implemented RepositoryUtils.checkKeyFilters
* Generic query implementation
* New structure
* Refactoring and few processors implementation
* extended DeviceData with shared/client attributes and device profile
* Minor refactoring of attribute scopes
* DeviceTypeFilter support
* Strong types of fields for each entity data class
* DeviceType and AssetType filters
* EntityView and Edge queries
* Relations Query
* Relation Query Implementation
* Update EDQS module version
* Sync with EDQS via Kafka
* EDQS: major refactoring
* EDQS API requests via Kafka
* EDQS: full sync with the database
* Refactoring for EDQS sync
* EDQS: major refactoring and new features
* EDQS refactoring, count query support, fix tests
* EDQS: refactoring for query processors
* Fix EDQS pom version
* Cleanup edqs.yml
* EDQS: tenant partitioning strategy; refactoring
* EDQS: latest events queue
* EDQS: support for monolith setup; RocksDB; other improvements
* EDQS: merge sync and events topics, introduce state topic
* EDQS: dynamic repartitioning
* implemented entity data query filters for edqs
* EdqsEntityQueryControllerTest - use in-memory queue
* edqs-filter fixes, added test
* EDQS: blob entity support
* EdqsEntityQueryControllerTest - use in-memory queue
* Use DummyEdqsService when disabled
* Fixes for EDQS
* Refactoring for EDQS tests
* Fix edqs requests partitioning
* EDQS: Fix for attributes handling
* Fix attributes saving in EntityServiceTest
* EDQS: refactoring, fixes
* Minor refactoring for query processor
* added ownerName/ownerType support
* fixed relation query processor
* fixed EntityServiceTest
* refactoring
* added support for parentId for relation query result
* Get rid of EntityNameFetcher
* Add fixme for relation query processor
* db restore with select all edqs fields
* fixed entity deletion
* fixed FieldUtils with new EntityFields
* dao method renamed
* EDQS: instance groups with same partitions; automatic sync; multiple fixes
* Refactoring for EDQS sync
* EDQS: refactoring
* Fix startup with Kafka
* fixed EntityQueryControllerTest
* fixed EdqsEntityServiceTest
* Separate queue admin for EDQS request template
* Implement new EDQS partitioning strategy
* EDQS: multiple fixes and refactoring
* Add mock EdqsRocksDb beans to tests
* added edqs stats for inmemory/grafana
* fixed filter tests
* Update todos
* Refactoring for QueueConfig
* Improvements and refactoring for EDQS consumers
* implemented TODOs
* test fixes
* Consume state topic up to end offsets
* edqs stats refactoring
* EDQS: cleanup on partitions removal; refactoring
* EDQS: minor refactoring
* EDQS: remove CSV loader
---------
Co-authored-by: Andrii Shvaika <ashvayka@thingsboard.io>
Co-authored-by: dashevchenko <dshevchenko@thingsboard.io>