Patch release covering the security findings from the repo's first
CodeQL scan against 1.3.0:
- Sanitise params[:path] before it flows into form action / link href
in submissions_filters/_filter_modal (reflected XSS).
- Slice required_params to email/phone before passing to find_by! /
find_or_initialize_by in start_form_controller (column-name
injection via template-owner-controlled link_form_fields preference).
- Rewrite FULL_EMAIL_REGEXP local-part to remove the nested quantifier
(ReDoS).
- Replace the Bearer-token regex in mcp_controller with a string
prefix check (polynomial ReDoS).
- Swap Math.random()-based attachment UUIDs for crypto.randomUUID()
in the submission-form Vue dropzone / signature / initials steps.
- Add a workflow-level permissions: read-all block to ci.yml.
See CHANGELOG.md [1.3.1] for the full per-alert breakdown and the
list of CodeQL findings that are false positives in context.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Features list now mentions Twilio, VoIP.ms, and SignalWire alongside
BulkVS. Docker pull example and Releases section point at 1.3.0.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Sweep of stale upstream cruft and missing release-process plumbing:
- SECURITY.md routes vuln reports to wabosign@wabo.cc
- package.json renamed wabosign + license/repository fields
- Drop the docuseal.com fallback href in signature_step.vue
- Delete docs/api/ (10 upstream language stubs) and rewrite stale
docuseal.com URLs in docs/openapi.json + docs/embedding/* +
docs/webhooks/* to sign.wabo.cc
- Remove console_redirect + enquiries controllers and routes
(/upgrade, /manage, /console_redirect were DocuSeal-SaaS-only).
Strip the navbar Console icon, the embed_scripts upgrade-to-Pro
fallback, the sessions_controller CONSOLE_URL redirect, and the
CONSOLE_URL/CDN_URL/CLOUD_URL/ENQUIRIES_URL constants. The four
"Learn more" links in templates/_embedding.html.erb now point at
sign.wabo.cc/docs/embedding; the two CDN script-src refs use the
local embed_script_url helper.
- Dockerfile gains OCI image labels via ARG VERSION/REVISION
- docker.yml passes labels + build-args from metadata-action@v5 so
the published image has the right manifest-level metadata
- Add CHANGELOG.md (Keep-a-Changelog) and a Releases section in README
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Operator-facing reference for the BulkVS integration:
configuration, send pipeline, code map, BulkVS API details,
how to add another provider, and explicit out-of-scope items.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The image now lives at GHCR (pushed manually as :latest and
:sha-45ed368a). Aligning the rest of the repo to match:
- docker-compose.yml: image: ghcr.io/wabolabs/wabosign:latest
- README.md docker-run example: same
- .github/workflows/docker.yml: meta.images and login-action repointed
at ghcr.io. Login now uses the auto-provisioned GITHUB_TOKEN with a
job-level `permissions: packages: write`; the DOCKERHUB_USERNAME /
DOCKERHUB_TOKEN secrets are no longer needed and can be removed from
the repo settings. Also adds a `type=raw,value=latest` tag so the
semver-triggered build keeps :latest pointing at the newest release.
- REBRANDING.md: registry note updated for accuracy.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds "Sign in with Google" as an additive auth path next to email and
password. When GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET are set, the
Google button appears on the sign-in page and the SSO settings page
shows an env-driven status panel. Access is restricted to Workspace
domains listed in GOOGLE_ALLOWED_DOMAINS (CSV); the hd claim is
re-verified server-side on every callback so a misconfigured Google
consent screen cannot bypass it.
New users from an allowed domain are JIT-provisioned in the default
account (oldest, or pinned via GOOGLE_DEFAULT_ACCOUNT_ID). Existing
users with a matching email get linked to their Google identity on
first sign-in; identity collisions (same email, different Google uid)
are rejected.
Google's MFA is trusted: users signed in via Google do not see the
WaboSign OTP prompt or the FORCE_MFA setup redirect. Password sign-in
keeps working unchanged, including its existing OTP gate.
Implementation:
- Devise gains :omniauthable when SSO is enabled; users get
provider/uid columns with a partial unique index that allows NULL
for password-only rows.
- Users::OmniauthCallbacksController handles /users/auth/google_oauth2/
callback, sets session[:bypass_otp_for_sso], and redirects on failure.
- SessionsController#destroy clears the bypass flag on sign-out.
- DashboardController#maybe_redirect_mfa_setup honours the flag and
User#signed_in_via_sso?.
- The previously empty _omniauthable.html.erb stub now renders the
Google button.
Request specs cover happy path, link-existing-user, domain rejection,
identity collision, and 2FA bypass.
GOOGLE_SSO.md is the operator-facing setup, behaviour, verification,
and troubleshooting guide. README links to it.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Renames the product to WaboSign across UI, mailers, locales, assets, and
internal Ruby module. Keeps the upstream DocuSeal attribution required by
AGPLv3 §7(b) in the powered-by footer, email attribution, README, and a
new NOTICE file. Migration renames the AATL cert identifier in encrypted
configs from docuseal_aatl to wabosign_aatl.
Removes multitenant-gated Pro upsell UI (Plans/Console/Upgrade links,
SMS/SSO/bulk-send/logo placeholders, reminder-duration restriction, the
"DocuSeal Pro" email-attribution toggle, conditions/formula/payment
pricing links) so every shipped feature is reachable on a self-hosted
deployment. Multitenant routing logic is preserved.
Drops Discord, Twitter, and ChatGPT/AI-assistant chrome. Embedding
modal keeps the upstream <docuseal-form> / @docuseal/* SDK contract so
existing embedded forms continue to work; documented in NOTICE.
REBRANDING.md captures the change inventory for future maintainers.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Hello, I'm Joseph Benguira, Founder of Elest.io
I'm suggesting to add Elestio as a deployment option near the other one-click options in your list.
FYI I'm also trying to contact you through Linkedin to check if you are interested in a revenue sharing partnership (we will share with you part of profits generated on Elestio)
Wabo
aqilaziz
Pete Matsyburka
Pete Matsyburka
Pete Matsyburka
Alex Turchyn
Joseph Benguira
Justin Ellingwood