CeSGO Dashboard 2.1.0

Integrating data and project lifecycle


Projects service - News / releases

Kanboard 1.2.51

Release date: 2026-03-07

Security fixes

  • Add SSRF protection for webhook notifications with the new configuration option WEBHOOK_ALLOW_PRIVATE_NETWORKS
  • Prevent unsafe deserialization in the database session handler
  • Restrict invite signup input to expected fields only to prevent parameter injection
  • Add missing permission checks in several API procedures
  • Validate user external ID values
  • Check file attachment ownership before deletion
  • Prevent SSRF bypasses by controlling HTTP client redirect behavior

Improvements

  • Improve accessibility by increasing text/background contrast in the light theme

Dependencies and build

  • Upgrade PHPUnit to version 12
  • Update several GitHub Actions and dependencies
  • Update dependency pimple/pimple to version 3.6.2

Kanboard 1.2.50

Release date: 2026-02-08

Security Improvements

  • Added missing authorization checks in multiple controllers.
  • Enforced project-level authorization checks where they were missing.
  • Improved plugin security by enforcing installer checks in PluginController actions.
  • Enabled Parsedown safe mode to add an extra layer of protection to Markdown rendering against unsafe content.
  • Added CSRF protection for project role changes and enforced JSON content type for related endpoints.

Maintenance & Tooling

  • Updated the PHPUnit version used for the test suite.
  • Switched the GitHub workflow to use the php-cs-fixer Docker image instead of installing it via Composer.

Dependencies

  • Updated pimple/pimple from version 3.5.0 to 3.6.1.

Kanboard 1.2.49

Release date: 2026-01-07

Security

  • Fixed an LDAP injection issue by properly escaping placeholders in LDAP queries.
  • Prevented protocol-relative URLs (//example.com) from being used as login redirect targets.
  • Added a new TRUSTED_PROXY_NETWORKS configuration option to explicitly define trusted reverse proxy networks.
  • Introduced an optional security feature to block private network access when fetching external web links (configurable).

Improvements

  • Restored Ctrl + Enter keyboard shortcut for submitting the task creation form.
  • Updated translations for multiple languages.

Maintenance

  • Added a GitHub Actions workflow to mirror the repository to Codeberg.
  • Removed an outdated tests/Dockerfile.
  • Regenerated Composer autoload files.

Build & Dependencies

  • Updated Alpine Linux base image from 3.22 to 3.23.

  • Updated GitHub Actions dependencies:

    • actions/checkout from v5 to v6
    • actions/upload-artifact from v4 to v5, then to v6

Kanboard 1.2.48

Release date: 2025-10-18

  • fix: handle Windows-style paths in sanitize_path function
  • feat(locale): added missing German translation phrases
  • feat(locale): added Arabic translation
  • feat(api): add board, rss and ical public links to the API response
  • feat: display sub-tasks completion in numbers (x/y) alongside percentage
  • feat: add basic support for right-to-left (RTL) languages
  • chore: update .gitattributes to ignore additional configuration files
  • build(deps): bump actions/setup-python from 5 to 6
  • build(deps): bump actions/checkout from 4 to 5

Kanboard 1.2.47

Release date: 2025-08-11

  • refactor: add namespace to test files
  • fix: the $escape parameter must be provided in PHP 8.4 for CSV functions
  • fix: sanitize and validate uploaded files path
  • fix: do not load RememberMeAuth provider when REMEMBER_ME_AUTH is false
  • fix: avoid PHP warning when external user creation is disabled
  • feat!: remove file cache driver to avoid using unserialize()
  • feat!: ignore legacy events serialized with PHP due to potential security issues
  • feat: add new actions: TaskAssignCurrentUserColumnIfNoUserAlreadySet and TaskAssignToUserOnCreationInColumn
  • feat: Add new pdf() method in Core\Http\Response
  • ci: run php-cs-fixer on GitHub Actions
  • ci: remove unnecessary labels from issue templates
  • chore: replace deprecated gh-cli feature source in devcontainer configuration