Release OpenProject 17.0.6

Author: oliverguenther

app/controllers/repositories_controller.rb

@@ -446,11 +446,11 @@ def raw_or_to_large_or_non_text(content, path)
   end
 
   def send_raw(content, path)
-    # Force the download
-    send_opt = { filename: filename_for_content_disposition(path.split("/").last) }
-    send_type = OpenProject::MimeType.of(path)
-    send_opt[:type] = send_type.to_s if send_type
-    send_data content, send_opt
+    # Force the download as binary to prevent CSP bypass
+    send_data content,
+              filename: filename_for_content_disposition(path.split("/").last),
+              type: "application/octet-stream",
+              disposition: :attachment
   end
 
   def render_text_entry

app/helpers/repositories_helper.rb

@@ -114,13 +114,13 @@ def calculate_folder_action(tree)
   end
 
   def render_changes_tree(tree)
-    return "" if tree.nil?
+    return "".html_safe if tree.nil?
 
-    output = +"<ul>"
-    tree.keys.sort.each do |file|
-      style = +"change"
+    items = tree.keys.sort.flat_map do |file|
+      style = "change"
       text = File.basename(file)
-      if s = tree[file][:s]
+
+      if (s = tree[file][:s])
         style += " folder"
         path_param = without_leading_slash(to_path_param(@repository.relative_path(file)))
         text = link_to(h(text),
@@ -129,38 +129,40 @@ def render_changes_tree(tree)
                                                                    rev: @changeset.identifier),
                        title: I18n.t(:label_folder))
 
-        output += "<li class='#{style} icon icon-folder-#{calculate_folder_action(s)}'>#{text}</li>"
-        output += render_changes_tree(s)
-      elsif c = tree[file][:c]
+        folder_li = content_tag(:li, text,
+                                class: "#{style} icon icon-folder-#{calculate_folder_action(s)}")
+        [folder_li, render_changes_tree(s)]
+      elsif (c = tree[file][:c])
         style += " change-#{c.action}"
         path_param = without_leading_slash(to_path_param(@repository.relative_path(c.path)))
 
-        unless c.action == "D"
-          title_text = changes_tree_change_title c.action
+        text_parts = []
 
+        unless c.action == "D"
           text = link_to(h(text),
                          entry_revision_project_repository_path(project_id: @project,
                                                                 repo_path: path_param,
                                                                 rev: @changeset.identifier),
-                         title: title_text)
+                         title: changes_tree_change_title(c.action))
         end
 
-        text << raw(" - #{h(c.revision)}") if c.revision.present?
+        text_parts << text
+        text_parts << " - " << h(c.revision) if c.revision.present?
 
         if c.action == "M"
-          text << raw(" (" + link_to(I18n.t(:label_diff),
-                                     diff_revision_project_repository_path(project_id: @project,
-                                                                           repo_path: path_param,
-                                                                           rev: @changeset.identifier)) + ") ")
+          text_parts << " (" << link_to(I18n.t(:label_diff),
+                                        diff_revision_project_repository_path(project_id: @project,
+                                                                              repo_path: path_param,
+                                                                              rev: @changeset.identifier)) << ") "
         end
 
-        text << raw(" " + content_tag("span", h(c.from_path), class: "copied-from")) if c.from_path.present?
+        text_parts << " " << content_tag(:span, c.from_path, class: "copied-from") if c.from_path.present?
 
-        output += changes_tree_li_element(c.action, text, style)
+        [changes_tree_li_element(c.action, safe_join(text_parts), style)]
       end
-    end
-    output += "</ul>"
-    output.html_safe
+    end.compact
+
+    content_tag(:ul, safe_join(items))
   end
 
   def to_utf8_for_repositories(str)
@@ -296,19 +298,16 @@ def changes_tree_change_title(action)
 
   def changes_tree_li_element(action, text, style)
     icon_name = case action
-                when "A"
-                  "icon-add"
-                when "D"
-                  "icon-delete"
-                when "C"
-                  "icon-copy"
-                when "R"
-                  "icon-rename"
+                when "A" then "icon-add"
+                when "D" then "icon-delete"
+                when "C" then "icon-copy"
+                when "R" then "icon-rename"
                 else
                   "icon-arrow-left-right"
                 end
 
-    "<li class='#{style} icon #{icon_name}'
-         title='#{changes_tree_change_title(action)}'>#{text}</li>"
+    content_tag(:li, text,
+                class: "#{style} icon #{icon_name}",
+                title: changes_tree_change_title(action))
   end
 end

app/models/custom_field.rb

@@ -32,6 +32,8 @@ class CustomField < ApplicationRecord
   include CustomField::OrderStatements
   include CustomField::CalculatedValue
 
+  normalizes :name, with: OpenProject::RemoveAsciiControlCharacters
+
   has_many :custom_values, dependent: :delete_all
   # WARNING: the inverse_of option is also required in order
   # for the 'touch: true' option on the custom_field association in CustomOption

config/initializers/00-load_plugins.rb

@@ -31,7 +31,16 @@
 # TODO: check if this can be postponed and if some plugins can make use of the ActiveSupport.on_load hooks
 
 # Loads the core plugins located in lib_static/plugins
-Dir.glob(Rails.root.join("lib_static/plugins/*")).each do |directory|
+CORE_PLUGINS = %w[
+  acts_as_attachable
+  acts_as_customizable
+  acts_as_event
+  acts_as_journalized
+  acts_as_searchable
+  verification
+].freeze
+
+CORE_PLUGINS.map { |name| Rails.root.join("lib_static/plugins", name).to_s }.each do |directory|
   if File.directory?(directory)
     lib = File.join(directory, "lib")
 

db/migrate/20260313120000_strip_control_characters_from_custom_field_names.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+class StripControlCharactersFromCustomFieldNames < ActiveRecord::Migration[7.1]
+  def up
+    execute <<~SQL.squish
+      UPDATE custom_fields
+      SET name = regexp_replace(name, E'[\\x01-\\x1F\\x7F]', '', 'g')
+      WHERE name ~ E'[\\x01-\\x1F\\x7F]'
+    SQL
+  end
+
+  def down
+    # Irreversible — stripped characters cannot be restored
+  end
+end

docker/prod/Dockerfile

@@ -141,10 +141,7 @@ ENV PGDATA=/var/openproject/pgdata
 COPY --from=openproject/gosu /go/bin/gosu /usr/local/bin/gosu
 RUN chmod +x /usr/local/bin/gosu && gosu nobody true
 
-COPY --from=openproject/hocuspocus:17.2.0 --chown=$APP_USER:$APP_USER /app /opt/hocuspocus
-# Keep node/npm in all-in-one for bundled hocuspocus even when BIM support is disabled.
-COPY --from=build-base /usr/local/bin/node /usr/local/bin/node
-COPY --from=build-base /usr/local/lib/node_modules /usr/local/lib/node_modules
+COPY --from=openproject/hocuspocus:17.0.6 --chown=$APP_USER:$APP_USER /app /opt/hocuspocus
 
 RUN ./docker/prod/setup/postinstall-onprem.sh && \
   ln -sf ../lib/node_modules/npm/bin/npm-cli.js /usr/local/bin/npm && \

docs/release-notes/16-6-9/README.md

@@ -0,0 +1,89 @@
+---
+title: OpenProject 16.6.9
+sidebar_navigation:
+    title: 16.6.9
+release_version: 16.6.9
+release_date: 2026-03-16
+---
+
+ # OpenProject 16.6.9
+
+ Release date: 2026-03-16
+
+ We released OpenProject [OpenProject 16.6.9](https://community.openproject.org/versions/2285).
+ The release contains several bug fixes and we recommend updating to the newest version.
+ Below you will find a complete list of all changes and bug fixes.
+
+<!-- BEGIN CVE AUTOMATED SECTION -->
+
+## Security fixes
+
+
+
+### CVE-2026-32698 - SQL Injection via Custom Field Name can be chained to Remote Code Execution
+
+OpenProject is vulnerable to an SQL injection attack via a custom field&#39;s name. When that custom field was used in a Cost Report, the custom field&#39;s name was injected into the SQL query without proper sanitation. This allowed an attacker to execute arbitrary SQL commands during the generation of a Cost Report.&nbsp;
+
+
+
+As custom fields can only be generated by users with full administrator privileges, the attack surface is somewhat reduced.
+
+
+
+Together with another bug in the _Repositories_ module, that used the project identifier without sanitation to generate the checkout path for a git repository in the filesystem, this allowed an attacker to checkout a git repository to an arbitrarily chosen path on the server. If the checkout is done within certain paths within the OpenProject application, upon the next restart of the application, this allows the attacker to inject ruby code into the application.
+
+
+
+As the project identifier cannot be manually edited to any string containing special characters like dots or slashes, this needs to be changed via the SQL injection described above.
+
+
+
+This vulnerability was reported by user [sam91281](https://yeswehack.com/hunters/sam91281) as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
+
+
+
+For more information, please see the [GitHub advisory #GHSA-jqhf-rf9x-9rhx](https://github.com/opf/openproject/security/advisories/GHSA-jqhf-rf9x-9rhx)
+
+
+
+### CVE-2026-32703 - Repository files are served with the MIME type allowing them to be used to bypass Content Security Policy
+
+When using the Repositories module in a project, it was possible to access the raw files via the browser with a URL like `/projects/{project}/repository/revisions/{commit_id}/raw/{file}.js.raw`. For those files, the MIME type was detected via the filename extension. For JavaScript and CSS files those files were then served from the same domain name as the application with the correct MIME type for active content and could be used to bypass the Content Security Policy. Together with other areas, where unsanitized HTML was served, this allowed persistent XSS attacks.
+
+
+
+The MIME type detection for Repository files has been removed and files are served as `application/octet-stream` which will block their execution via the Content Security Policy.
+
+
+
+Two places that could be used to abuse this vulnerability have been fixed:
+
+
+
+The Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits with filenames that included HTML code that was injected in the page without proper sanitation. This allowed a persisted XSS attack against all members of this project that accessed the repositories page to display a changeset where the maliciously crafted file was deleted.
+
+
+
+When a work package name contains HTML content and the work package is attached to a meeting, the work package name is rendered in the activities feed without proper sanitation.
+
+
+
+All of those vulnerabilities were reported by user [sam91281](https://yeswehack.com/hunters/sam91281) as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
+
+
+
+For more information, please see the [GitHub advisory #GHSA-p423-72h4-fjvp](https://github.com/opf/openproject/security/advisories/GHSA-p423-72h4-fjvp)
+
+
+<!-- END CVE AUTOMATED SECTION -->
+
+<!--more-->
+
+## Bug fixes and changes
+
+<!-- Warning: Anything within the below lines will be automatically removed by the release script -->
+<!-- BEGIN AUTOMATED SECTION -->
+
+
+<!-- END AUTOMATED SECTION -->
+<!-- Warning: Anything above this line will be automatically removed by the release script -->

docs/release-notes/17-0-6/README.md

@@ -0,0 +1,89 @@
+---
+title: OpenProject 17.0.6
+sidebar_navigation:
+    title: 17.0.6
+release_version: 17.0.6
+release_date: 2026-03-16
+---
+
+ # OpenProject 17.0.6
+
+ Release date: 2026-03-16
+
+ We released OpenProject [OpenProject 17.0.6](https://community.openproject.org/versions/2286).
+ The release contains several bug fixes and we recommend updating to the newest version.
+ Below you will find a complete list of all changes and bug fixes.
+
+<!-- BEGIN CVE AUTOMATED SECTION -->
+
+## Security fixes
+
+
+
+### CVE-2026-32698 - SQL Injection via Custom Field Name can be chained to Remote Code Execution
+
+OpenProject is vulnerable to an SQL injection attack via a custom field&#39;s name. When that custom field was used in a Cost Report, the custom field&#39;s name was injected into the SQL query without proper sanitation. This allowed an attacker to execute arbitrary SQL commands during the generation of a Cost Report.&nbsp;
+
+
+
+As custom fields can only be generated by users with full administrator privileges, the attack surface is somewhat reduced.
+
+
+
+Together with another bug in the _Repositories_ module, that used the project identifier without sanitation to generate the checkout path for a git repository in the filesystem, this allowed an attacker to checkout a git repository to an arbitrarily chosen path on the server. If the checkout is done within certain paths within the OpenProject application, upon the next restart of the application, this allows the attacker to inject ruby code into the application.
+
+
+
+As the project identifier cannot be manually edited to any string containing special characters like dots or slashes, this needs to be changed via the SQL injection described above.
+
+
+
+This vulnerability was reported by user [sam91281](https://yeswehack.com/hunters/sam91281) as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
+
+
+
+For more information, please see the [GitHub advisory #GHSA-jqhf-rf9x-9rhx](https://github.com/opf/openproject/security/advisories/GHSA-jqhf-rf9x-9rhx)
+
+
+
+### CVE-2026-32703 - Repository files are served with the MIME type allowing them to be used to bypass Content Security Policy
+
+When using the Repositories module in a project, it was possible to access the raw files via the browser with a URL like `/projects/{project}/repository/revisions/{commit_id}/raw/{file}.js.raw`. For those files, the MIME type was detected via the filename extension. For JavaScript and CSS files those files were then served from the same domain name as the application with the correct MIME type for active content and could be used to bypass the Content Security Policy. Together with other areas, where unsanitized HTML was served, this allowed persistent XSS attacks.
+
+
+
+The MIME type detection for Repository files has been removed and files are served as `application/octet-stream` which will block their execution via the Content Security Policy.
+
+
+
+Two places that could be used to abuse this vulnerability have been fixed:
+
+
+
+The Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits with filenames that included HTML code that was injected in the page without proper sanitation. This allowed a persisted XSS attack against all members of this project that accessed the repositories page to display a changeset where the maliciously crafted file was deleted.
+
+
+
+When a work package name contains HTML content and the work package is attached to a meeting, the work package name is rendered in the activities feed without proper sanitation.
+
+
+
+All of those vulnerabilities were reported by user [sam91281](https://yeswehack.com/hunters/sam91281) as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
+
+
+
+For more information, please see the [GitHub advisory #GHSA-p423-72h4-fjvp](https://github.com/opf/openproject/security/advisories/GHSA-p423-72h4-fjvp)
+
+
+<!-- END CVE AUTOMATED SECTION -->
+
+<!--more-->
+
+## Bug fixes and changes
+
+<!-- Warning: Anything within the below lines will be automatically removed by the release script -->
+<!-- BEGIN AUTOMATED SECTION -->
+
+
+<!-- END AUTOMATED SECTION -->
+<!-- Warning: Anything above this line will be automatically removed by the release script -->