Merge pull request #41522 from appsmithorg/release

20/01/2026 - Daily Promotion

Author: btsgh

.github/workflows/docker-base-image.yml

@@ -14,6 +14,9 @@ on:
 jobs:
   build-docker:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
 
     defaults:
       run:
@@ -29,12 +32,6 @@ jobs:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
       - name: Get tag
         id: tag
         run: |
@@ -60,5 +57,3 @@ jobs:
           platforms: linux/arm64,linux/amd64
           tags: |
             ${{ vars.DOCKER_HUB_ORGANIZATION }}/base-${{ vars.EDITION }}:${{ steps.tag.outputs.tag }}
-        env:
-          DEPOT_TOKEN: ${{ secrets.DEPOT_TOKEN }}

app/client/cypress/locators/commonlocators.json

@@ -246,5 +246,8 @@
   "tostifyIcon": ".Toastify--animate-icon > span",
   "downloadFileType": "button[class*='t--open-dropdown-Select-file-type'] > span:first-of-type",
   "listToggle": "[data-testid='t--list-toggle']",
-  "showBindingsMenu": "//*[@id='entity-properties-container']"
+  "showBindingsMenu": "//*[@id='entity-properties-container']",
+  "confirmationModal": "[data-testid='t--confirmation-modal']",
+  "confirmationModalConfirm": "[data-testid='t--confirmation-modal-confirm']",
+  "confirmationModalCancel": "[data-testid='t--confirmation-modal-cancel']"
 }

app/client/cypress/support/Pages/DataSources.ts

@@ -14,6 +14,7 @@ import { anvilLocators } from "./Anvil/Locators";
 import { PluginActionForm } from "./PluginActionForm";
 import ApiEditor from "../../locators/ApiEditor";
 import BottomTabs from "./IDE/BottomTabs";
+import commonlocators from "../../locators/commonlocators.json";
 
 export const DataSourceKVP = {
   Postgres: "PostgreSQL",
@@ -912,7 +913,7 @@ export class DataSources {
 
   public DeleteDatasourceFromWithinDS(
     datasourceName: string,
-    expectedRes: number | number[] = 200 || 409 || [200, 409],
+    expectedRes: number | number[] = [200, 409],
   ) {
     EditorNavigation.SelectEntityByName(datasourceName, EntityType.Datasource);
     this.agHelper.Sleep(); //for the Datasource page to open
@@ -935,7 +936,7 @@ export class DataSources {
   }
 
   public DeleteDSDirectly(
-    expectedRes: number | number[] = 200 || 409 || [200, 409],
+    expectedRes: number | number[] = [200, 409],
     toNavigateToDSInfoPage = true,
   ) {
     toNavigateToDSInfoPage &&
@@ -1187,8 +1188,32 @@ export class DataSources {
 
   ToggleUsePreparedStatement(enable = true || false) {
     this.pluginActionForm.toolbar.toggleSettings();
-    if (enable) this.agHelper.CheckUncheck(this._usePreparedStatement, true);
-    else this.agHelper.CheckUncheck(this._usePreparedStatement, false);
+    if (enable) {
+      this.agHelper.CheckUncheck(this._usePreparedStatement, true);
+    } else {
+      // When disabling, click the switch which will trigger the modal
+      this.agHelper
+        .GetElement(this._usePreparedStatement)
+        .click({ force: true });
+
+      // Wait for and handle the confirmation modal
+      this.agHelper.AssertElementVisibility(
+        commonlocators.confirmationModal,
+        true,
+        0,
+        5000,
+      );
+      this.agHelper.GetNClick(commonlocators.confirmationModalConfirm);
+      this.agHelper.AssertElementAbsence(
+        commonlocators.confirmationModal,
+        5000,
+      );
+
+      // Now verify the switch is actually unchecked
+      this.agHelper
+        .GetElement(this._usePreparedStatement)
+        .should("not.be.checked");
+    }
   }
 
   public EnterQuery(query: string, sleep = 500, toVerifySave = true) {

app/client/src/ce/constants/DeploymentConstants.ts

@@ -13,3 +13,8 @@ export const REDEPLOY_WARNING_MESSAGE: Record<
 > = {
   [REDEPLOY_TRIGGERS.PendingDeployment]: REDEPLOY_APP_WARNING,
 };
+
+export const REDEPLOY_DOC_URL: Record<RedeployTriggerValue, string> = {
+  [REDEPLOY_TRIGGERS.PendingDeployment]:
+    "https://docs.appsmith.com/help-and-support/troubleshooting-guide/git-errors#edit-and-view-mode-out-of-sync",
+};

app/client/src/ce/constants/messages.ts

@@ -1630,6 +1630,36 @@ export const WELCOME_FORM_PASSWORDS_NOT_MATCHING_ERROR_MESSAGE = () =>
 
 export const QUERY_CONFIRMATION_MODAL_MESSAGE = () =>
   `Are you sure you want to run `;
+
+// Security feature disable confirmation modal
+export const DISABLE_PREPARED_STATEMENT_CONFIRMATION_HEADING = () =>
+  "Security Warning: Disable Prepared Statements?";
+export const DISABLE_PREPARED_STATEMENT_CONFIRMATION_DESCRIPTION = () =>
+  "Disabling prepared statements exposes your application to SQL injection attacks. This setting will be saved and apply to production queries. Only disable if you absolutely need dynamic SQL patterns that cannot be parameterized.";
+
+export const DISABLE_PREPARED_STATEMENT_CONFIRMATION_LEARN_MORE = {
+  TEXT: () => "Learn more",
+  URL: "https://docs.appsmith.com/connect-data/concepts/how-to-use-prepared-statements",
+};
+
+export const DISABLE_SMART_SUBSTITUTION_CONFIRMATION_HEADING = () =>
+  "Security Warning: Disable Smart Substitution?";
+export const DISABLE_SMART_SUBSTITUTION_CONFIRMATION_DESCRIPTION = () =>
+  "Disabling smart substitution removes Appsmith's automatic escaping and validation. This increases the risk of malformed queries and injection vulnerabilities. Only disable if you fully understand the security implications.";
+export const DISABLE_SMART_SUBSTITUTION_CONFIRMATION_LEARN_MORE = {
+  TEXT: () => "Learn more",
+  URL: "https://docs.appsmith.com/connect-data/reference/query-settings#smart-json-substitution",
+};
+
+export const DISABLE_BSON_SUBSTITUTION_CONFIRMATION_HEADING = () =>
+  "Security Warning: Disable Smart BSON Substitution?";
+export const DISABLE_BSON_SUBSTITUTION_CONFIRMATION_DESCRIPTION = () =>
+  "Disabling smart BSON substitution removes Appsmith's automatic escaping and validation before sending commands to MongoDB. This increases the risk of malformed queries and injection vulnerabilities. Only disable if you fully understand the security implications.";
+export const DISABLE_BSON_SUBSTITUTION_CONFIRMATION_LEARN_MORE = {
+  TEXT: () => "Learn more",
+  URL: "https://docs.appsmith.com/connect-data/reference/query-settings#smart-bson-substitution",
+};
+
 export const ENTITY_EXPLORER_TITLE = () => "NAVIGATION";
 export const MULTI_SELECT_PROPERTY_PANE_MESSAGE = () =>
   `Select a widget to see it's properties`;

app/client/src/components/formControls/SwitchWithConfirmationControl.tsx

@@ -0,0 +1,206 @@
+import React from "react";
+import type { ControlProps } from "./BaseControl";
+import BaseControl from "./BaseControl";
+import {
+  Switch,
+  Link,
+  Modal,
+  ModalContent,
+  ModalHeader,
+  ModalBody,
+  ModalFooter,
+  Button,
+  Text,
+} from "@appsmith/ads";
+import type { ControlType } from "constants/PropertyControlConstants";
+import type { WrappedFieldProps } from "redux-form";
+import { Field } from "redux-form";
+import styled from "styled-components";
+import {
+  SECURITY_MODAL_CONTENT,
+  type SecurityModalType,
+} from "constants/SecurityModalConstants";
+import { createMessage } from "ee/constants/messages";
+
+type SwitchFieldProps = WrappedFieldProps & {
+  label: string;
+  isRequired: boolean;
+  info: string;
+  disabled?: boolean;
+  modalType?: SecurityModalType;
+};
+
+const SwitchWrapped = styled.div`
+  flex-direction: row;
+  display: flex;
+  align-items: center;
+  justify-content: end;
+  position: relative;
+  max-width: 60vw;
+`;
+
+const StyledModalContent = styled(ModalContent)`
+  &&& {
+    width: 600px;
+  }
+`;
+
+export class SwitchWithConfirmationField extends React.Component<
+  SwitchFieldProps,
+  { isModalOpen: boolean; pendingValue: boolean | null }
+> {
+  constructor(props: SwitchFieldProps) {
+    super(props);
+    this.state = {
+      isModalOpen: false,
+      pendingValue: null,
+    };
+  }
+
+  /**
+   * `redux-form`'s `input.value` can sometimes be a string (e.g. "false").
+   * Normalize it to a boolean so the switch + confirmation logic behaves
+   * consistently regardless of the serialized value type.
+   */
+  private getBooleanValue(value: unknown): boolean {
+    if (typeof value !== "string") return !!value;
+
+    if (value.toLocaleLowerCase() === "false") return false;
+
+    return !!value;
+  }
+
+  handleSwitchChange = (isSelected: boolean) => {
+    const currentValue = this.getBooleanValue(this.props.input.value);
+
+    // Only show modal when toggling from ON (true) to OFF (false)
+    if (currentValue === true && isSelected === false) {
+      this.setState({
+        isModalOpen: true,
+        pendingValue: isSelected,
+      });
+    } else {
+      // Allow toggling from OFF to ON without confirmation
+      this.props.input.onChange(isSelected);
+    }
+  };
+
+  handleConfirm = () => {
+    const { pendingValue } = this.state;
+
+    if (pendingValue !== null) {
+      this.props.input.onChange(pendingValue);
+    }
+
+    this.setState({
+      isModalOpen: false,
+      pendingValue: null,
+    });
+  };
+
+  handleCancel = () => {
+    this.setState({
+      isModalOpen: false,
+      pendingValue: null,
+    });
+  };
+
+  handleModalOpenChange = (isOpen: boolean) => {
+    if (!isOpen) {
+      this.handleCancel();
+    }
+  };
+
+  render() {
+    const { disabled, modalType } = this.props;
+    const { isModalOpen } = this.state;
+    const isSelected = this.getBooleanValue(this.props.input.value);
+
+    // Get modal content based on modalType
+    const modalContent = modalType ? SECURITY_MODAL_CONTENT[modalType] : null;
+
+    return (
+      <>
+        <SwitchWrapped data-testid={this.props.input.name}>
+          <Switch
+            className="switch-control"
+            isDisabled={disabled}
+            isSelected={isSelected}
+            name={this.props.input.name}
+            onChange={this.handleSwitchChange}
+          />
+        </SwitchWrapped>
+
+        {modalContent && (
+          <Modal onOpenChange={this.handleModalOpenChange} open={isModalOpen}>
+            <StyledModalContent data-testid="t--confirmation-modal">
+              <ModalHeader>{createMessage(modalContent.heading)}</ModalHeader>
+              <ModalBody>
+                <Text kind="body-m">
+                  {createMessage(modalContent.description)}
+                  {modalContent.learnMore ? (
+                    <>
+                      {" "}
+                      <Link target="_blank" to={modalContent.learnMore.url}>
+                        {createMessage(modalContent.learnMore.text)}
+                      </Link>
+                      .
+                    </>
+                  ) : null}
+                </Text>
+              </ModalBody>
+              <ModalFooter>
+                <Button
+                  data-testid="t--confirmation-modal-cancel"
+                  kind="secondary"
+                  onClick={this.handleCancel}
+                  size="md"
+                >
+                  Cancel
+                </Button>
+                <Button
+                  data-testid="t--confirmation-modal-confirm"
+                  kind="error"
+                  onClick={this.handleConfirm}
+                  size="md"
+                >
+                  Disable
+                </Button>
+              </ModalFooter>
+            </StyledModalContent>
+          </Modal>
+        )}
+      </>
+    );
+  }
+}
+
+class SwitchWithConfirmationControl extends BaseControl<SwitchWithConfirmationControlProps> {
+  render() {
+    const { configProperty, disabled, info, isRequired, label, modalType } =
+      this.props;
+
+    return (
+      <Field
+        component={SwitchWithConfirmationField}
+        disabled={disabled}
+        info={info}
+        isRequired={isRequired}
+        label={label}
+        modalType={modalType}
+        name={configProperty}
+      />
+    );
+  }
+
+  getControlType(): ControlType {
+    return "SWITCH_WITH_CONFIRMATION";
+  }
+}
+
+export interface SwitchWithConfirmationControlProps extends ControlProps {
+  info?: string;
+  modalType?: SecurityModalType;
+}
+
+export default SwitchWithConfirmationControl;

app/client/src/constants/AppsmithActionConstants/formConfig/ApiSettingsConfig.ts

@@ -41,10 +41,11 @@ export default [
       {
         label: "Smart JSON substitution",
         configProperty: "actionConfiguration.pluginSpecifiedTemplates[0].value",
-        controlType: "SWITCH",
+        controlType: "SWITCH_WITH_CONFIRMATION",
         tooltipText:
           "Turning on this property fixes the JSON substitution of bindings in API body by adding/removing quotes intelligently and reduces developer errors",
         initialValue: true,
+        modalType: "SMART_SUBSTITUTION",
       },
       {
         label: "Protocol",