• v0.2.1 645331d320

    Notify Bridge 0.2.1
    Release / release (push) Successful in 1m27s
    Stable

    alexei.dolgolyov released this 2026-04-22 02:35:38 +03:00 | 109 commits to master since this release

    v0.2.1 (2026-04-22)

    Security-focused release on top of v0.2.0. Hardens the restore/backup flow,
    CSRF/SSRF surfaces, JWT revocation on role change, and template-context
    leakage; adds a new per-tracking-config quiet hours feature with
    app-level IANA timezone support; plus a handful of performance fixes.

    Features

    • Per-tracking-config quiet hours with app-level IANA timezone — new Timezone app setting (defaults to UTC) and a Quiet Hours section on the Immich tracking-config form. HH:MM windows (including overnight, e.g. 22:00–07:00) are interpreted in the configured timezone and suppress all notifications for that tracker. (6c3dd67)

    Security

    • Signed & verified pending-restore bundles — SHA256 stored in AppSetting and checked on startup apply; files outside data_dir are refused and permissions tightened to 0600. (56993d2)
    • Same-origin check on POST /api/backup/apply-restart — Bearer-in-localStorage was CSRF-reachable from any XSS'd admin tab; require matching Origin/Referer. (56993d2)
    • JWT token_version bumps on demotion — role/username change and admin password reset now bump token_version so already-issued tokens lose admin. Last-admin TOCTOU guarded by COUNT + post-commit recheck that rolls back on race. (56993d2)
    • SSRF guard extended to ImmichClient.__init__ and the external_domain setter — admin-mutable URLs were bypassing the check that webhook / Slack / Discord paths already used. Dev scripts/restart-backend.sh now sets NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=1 so homelab Immich instances still work. (56993d2)
    • Redact & cap Immich error bodies (~120 chars) before they flow into ActionExecution.error / EventLog.details (both UI-visible). (56993d2)
    • Deny-list sensitive keys (api_key, token, secret, password, authorization, cookie, …) in template-context merges so a rogue template cannot exfiltrate provider creds via {{ api_key }}. (56993d2)
    • Cap user-controlled Immich search params (query ≤ 256, person_ids ≤ 50, size ≤ 100) so a Telegram listener cannot DoS upstream. (56993d2)
    • Stream upload reads with a running byte counter + Content-Length precheck instead of buffering the full body and then rejecting. (56993d2)
    • Log Telegram parse_mode fallbacks instead of swallowing silently — template escape bugs now surface in server logs. (56993d2)
    • Rollback partial imports on pending-restore failure (error recorded on a fresh session). (56993d2)
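
    The pending-restore checks from the first Security item (recorded SHA256, refusal of files outside data_dir, 0600 permissions), as an added Python example that is not Notify Bridge's own code. The names verify_pending_restore, RestoreRejected and sha256_file are hypothetical, and the expected digest is passed as an argument where the release keeps it in AppSetting.

```python
# Added example: every name here is hypothetical, not Notify Bridge's API.
import hashlib
import hmac
import tempfile
from pathlib import Path

class RestoreRejected(Exception):
    """Raised when a pending-restore bundle must not be applied."""

def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so a large bundle is never held in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_pending_restore(bundle: Path, data_dir: Path, expected_sha256: str) -> Path:
    """Return the resolved bundle path if it may be applied, else raise."""
    real = bundle.resolve(strict=True)  # follows symlinks and "..", so escapes show up
    if not real.is_file() or not real.is_relative_to(data_dir.resolve()):
        raise RestoreRejected(f"refusing bundle outside data_dir: {real}")
    real.chmod(0o600)  # owner read/write only
    # Constant-time compare against the digest recorded when the restore was queued.
    if not hmac.compare_digest(sha256_file(real), expected_sha256.lower()):
        raise RestoreRejected("bundle does not match the recorded SHA256")
    return real

def demo() -> dict:
    """Run the check over constructed files and return each outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        data_dir = Path(tmp, "data")
        data_dir.mkdir()
        good, link = data_dir / "restore.bin", data_dir / "link.bin"
        good.write_bytes(b"constructed sample bundle")
        Path(tmp, "outside.bin").write_bytes(good.read_bytes())
        link.symlink_to(Path(tmp, "outside.bin"))  # in data_dir by name, outside by target
        pinned = sha256_file(good)
        cases = {"ok": (good, pinned), "symlink": (link, pinned), "tampered": (good, "0" * 64)}
        for name, (path, digest) in cases.items():
            try:
                verify_pending_restore(path, data_dir, digest)
                results[name] = "accepted"
            except RestoreRejected as exc:
                results[name] = f"rejected: {exc}"
    return results

if __name__ == "__main__":
    print(demo())
```

    The symlink case carries the correct hash and is still refused, which shows that the path check and the hash check are independent.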

    Performance

    • Fix N+1 in _refresh_telegram_chat_titles — single IN query instead of session.get per chat. (56993d2)
    • Parallelize album & shared-link fetches in test_dispatch via asyncio.gather, and per-receiver Telegram test sends in the notifier with a semaphore of 5. (56993d2)
    • Early-exit collect_scheduled_assets(limit=0) so the periodic-summary test path skips the full per-album filter/sample (was O(album_assets)). (56993d2)
    • Explicit CREATE INDEX IF NOT EXISTS for event_log (user_id / action_id / provider_id) so the first boot after upgrade isn't left unindexed for the dashboard query. (56993d2)
    • Add AbortController timeout (120s) to fetchAuth so uploads/downloads don't hang indefinitely. (56993d2)

    All Commits
    • 6c3dd67 — feat(tracking): per-config quiet hours with app-level IANA timezone (alexei.dolgolyov)
    • 56993d2 — fix(security,perf): harden restore, CSRF, token_version + perf pass (alexei.dolgolyov)

    Changelog

    645331d chore: release v0.2.1
    6c3dd67 feat(tracking): per-config quiet hours with app-level IANA timezone
    56993d2 fix(security,perf): harden restore, CSRF, token_version + perf pass
