Field-level @JsonIgnoreProperties is a serialization concern that should
not pollute global OpenAPI schemas. Strip it in mapAwareConverter before
ModelResolver sees it. Remove CalculatedField pre-registration as it
loses descriptions on $ref properties.
Pre-registering abstract intermediate types pulls in their full
inheritance chain (UUIDBased, HasUUID) as broken $ref entries.
Leave *Object schemas for these types as-is.
- Remove *Object duplicate schemas when base schema exists
- Pre-register CalculatedField, ContactBased, HasId to prevent
  resolution-order issues with @JsonIgnoreProperties
- Deduplicate identical inline allOf entries
- Replace oneOf in additionalProperties.items with base type $ref
Springdoc creates duplicate schemas with an "Object" suffix when a
discriminated type is resolved through multiple paths. Remove identical
duplicates and replace inline oneOf in additionalProperties.items with
base type $ref for Map<K, List<PolymorphicType>> fields.
- Restore private on TEST_SCRIPT_EXPRESSION in CalculatedFieldController
- Restore @Valid on deprecated alarms field in DeviceProfileData
- Remove broken type guard in getTestScriptDialog (AlarmRuleDefinition
  DTO has no type field, causing the dialog to never open)
Move test script execution logic from controllers to TbCalculatedFieldService,
eliminating the dependency of AlarmRuleController on CalculatedFieldController.
Simplify entity type filtering in getAlarmRules. Add AlarmRuleControllerTest
covering all endpoints.
Remove <pkg.skip.bootjar>false</pkg.skip.bootjar> from all child
module <properties> blocks. The root POM already defaults it to false,
and child declarations block the skip-pkg profile override, so
-Dpkg.skip=true was never actually skipping spring-boot:repackage.
Also remove the unused surefire.version property (superseded by
maven-surefire-plugin.version).
Introduces four independent flags to skip individual packaging artifacts:
-Dpkg.skip.bootjar=true skip spring-boot repackage (*-boot.jar)
-Dpkg.skip.deb=true skip Gradle buildDeb + Maven attach-artifact
-Dpkg.skip.rpm=true skip Gradle buildRpm
-Dpkg.skip.zip=true skip maven-assembly-plugin Windows ZIP
Adds -Dpkg.skip=true as a single convenience flag that sets all four
at once. msa/pom.xml mirrors the skip-pkg profile to override its own
<pkg.deb.phase>package</pkg.deb.phase> property (child POM properties
have higher priority than parent profile properties in Maven).
msa/* docker modules used ${basedir}/../.. (non-canonical) for main.dir.
maven-enforcer-plugin 3.5.0's osIndependentNameMatch() compares
file.toURI() vs file.getCanonicalFile().toURI() — these differ when the
path contains '..', causing RequireFilesExist to report a false negative.
Fix: replace ${basedir}/../.. with ${maven.multiModuleProjectDirectory}.
- Deduplicate forEach iteration over both session maps (HashSet)
- Use null-safe getEdgeId() instead of getEdge().getId() in remove()
- Add defensive null checks on getState() in onConfigurationUpdate and destroyAndMarkAsZombieIfFailed
- Add null check on pendingMsgsMap.get() in onDownlinkResponse
- Move scheduleAtFixedRate to @PostConstruct in DefaultZombieSessionCleanupService
- Fix misleading "kafka sessions" log message to "zombie sessions"
- Chain IOException in GrpcServer RuntimeException
- Guard against race condition on removeByEdgeId in onEdgeDisconnect
- Rename shadowed parameter in shutdownExecutorSafely
Route DataAccessException and PersistenceException (including bare
ConstraintViolationException) to a unified handler that extracts the
constraint name and returns "Constraint violation: <name>" instead of
the raw PSQLException message. Other DB errors continue to return the
generic "Database error" response.
Adds DaoUtil.extractConstraintViolation helper and an integration test
that verifies no SQL details leak when an FK constraint is violated.
Keep both save-time validation (Oauth2ClientDataValidator) and runtime
re-validation as defense-in-depth: DNS records can change between config
save and OAuth2 login, creating a TOCTOU gap.
- Use kebab-case 'report-only' in web-ui configs to match thingsboard.yml
- Add log.warn for unrecognized X-Frame-Options values in customizer
- Replace @Configuration with @Component on HttpSecurityHeadersProperties
- Add comment explaining '!== false' vs truthiness pattern in server.ts
- Extract shared parseHostEntries() to deduplicate setAllowedHosts/setAdditionalBlockedHosts
- Add isHostnameAllowed() and propagate hostname allow-list check in resolver
- Move OAuth2 custom mapper URL SSRF validation to save-time (Oauth2ClientDataValidator)
- Remove runtime SSRF checks from CustomOAuth2ClientMapper and GithubOAuth2ClientMapper
  (custom URL now validated at save; GitHub emailUrl is server config, not user input)
- Replace example.com with 8.8.8.8 in resolver test to avoid DNS dependency
Fix security issues from penetration test report:
- M2: Add configurable X-Frame-Options and CSP headers (disabled by default)
- L2: Add X-Content-Type-Options and Referrer-Policy headers (enabled by default)
- L3: Make CORS allowed-origin-patterns configurable via TB_CORS_* env vars
Root cause: ThingsboardSecurityConfiguration called .disable() on the entire
HeadersConfigurer, which removed ALL security headers including Cache-Control.
Fix uses defaultsDisabled() + selective header enablement via a new
HttpSecurityHeadersCustomizer component.
Both Spring Boot (tb-node) and Express.js (web-ui) share the same
SECURITY_HEADERS_* environment variables for consistent configuration
across monolith and microservice deployments.
Add SsrfSafeAddressResolverGroup that validates resolved IPs at Netty
connection time, eliminating the TOCTOU gap where DNS rebinding domains
resolve to safe IPs during validation but to private/metadata IPs at
connection time. Disable HTTP redirects in TbHttpClient to prevent
redirect-based SSRF bypass.
Add allow-list support (SSRF_ALLOWED_HOSTS) to SsrfProtectionValidator
so customers with IoT devices on private networks can whitelist specific
addresses or CIDR ranges while keeping SSRF protection enabled.
Add SSRF validation to MS Teams webhook, custom OAuth2 mapper, and
GitHub OAuth2 mapper endpoints. Log a warning when SSRF protection is
disabled.
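The DNS-rebinding TOCTOU gap and the SSRF_ALLOWED_HOSTS allow-list described in the message above (and the save-time versus runtime re-validation rationale in the earlier OAuth2 message), shown as an added Python example rather than ThingsBoard's own Java/Netty code: the allow-list format, the RebindingResolver stand-in and the hostnames are constructed assumptions, and the point is that the IP validated must be the IP actually dialed.

```python
import ipaddress
from typing import Callable, List


def parse_allow_list(spec: str) -> list:
    """Parse an SSRF_ALLOWED_HOSTS-style value, assumed to be comma-separated IPs or CIDR ranges."""
    return [ipaddress.ip_network(s.strip(), strict=False) for s in spec.split(",") if s.strip()]

def is_ip_allowed(ip: str, allow_list=()) -> bool:
    """Accept only globally routable unicast IPs. Loopback, RFC 1918, link-local (which includes
    the 169.254.169.254 cloud metadata address) and multicast are refused unless allow-listed."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in allow_list):
        return True
    return addr.is_global and not addr.is_multicast

def resolve_and_validate(host: str, resolver: Callable[[str], List[str]], allow_list=()) -> str:
    """Resolve once, validate every answer, and return the single IP that will actually be dialed."""
    ips = resolver(host)
    blocked = [ip for ip in ips if not is_ip_allowed(ip, allow_list)]
    if not ips or blocked:
        raise ValueError(f"{host}: unresolvable or resolves to disallowed address(es) {blocked}")
    return ips[0]

def is_rejected(host: str, resolver: Callable[[str], List[str]], allow_list=()) -> bool:
    """True when connection-time validation refuses to dial the host."""
    try:
        resolve_and_validate(host, resolver, allow_list)
        return False
    except ValueError:
        return True

class RebindingResolver:
    """Constructed stand-in for a DNS-rebinding domain: a public IP on the first lookup,
    the link-local metadata address on every later lookup (real code would call DNS here)."""
    def __init__(self):
        self.calls = 0

    def __call__(self, host: str) -> List[str]:
        self.calls += 1
        return ["8.8.8.8"] if self.calls == 1 else ["169.254.169.254"]

def vulnerable_connect_target(host: str, resolver: Callable[[str], List[str]]) -> str:
    """TOCTOU pattern: validate at config-save time, then let the client re-resolve on its own."""
    resolve_and_validate(host, resolver)  # passes, because the first answer is public
    return resolver(host)[0]              # but this later answer is the IP really dialed

def safe_connect_target(host: str, resolver: Callable[[str], List[str]]) -> str:
    """Fixed pattern: validate the answer obtained at connection time and dial exactly that IP."""
    return resolve_and_validate(host, resolver)
```

With a real HTTP client the pinned IP is used as the connect address while the original hostname still goes into the Host header and SNI, and redirects are followed only by repeating the same validation.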
Apply CustomTranslatePipe to unitTitle and title properties in analogue
and digital gauge widgets, and add customTranslation to the label widget
controller script to support i18n translations.
- Extract RuleChainDetailsDao from RuleChainDao to reuse JpaAbstractDao
  save logic (proper @Version increment, flush, detach)
- Reduce notes column size from 10MB to 1MB in schema and migration
- Catch "value too long" DB error with user-friendly message
- Pass tenantId consistently through the details DAO API
- Exclude content/markdownCss from RuleChainNote toString
- Add tests: save/load notes, update notes, preserve notes on
  RuleChain save, remove notes, exceeded size limit