Update branch#7587
Closed
Cookiezaurs wants to merge 62 commits into
[security][core]Removed old code which returns data as callback function.
Bumps [geoip-lite](https://github.com/geoip-lite/node-geoip) from 2.0.1 to 2.0.2. - [Release notes](https://github.com/geoip-lite/node-geoip/releases) - [Commits](geoip-lite/node-geoip@v2.0.1...v2.0.2) --- updated-dependencies: - dependency-name: geoip-lite dependency-version: 2.0.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
…ite-2.0.2 chore(deps): bump geoip-lite from 2.0.1 to 2.0.2
Addresses real findings from a customer Fortify scan:
- frontend/express/app.js: theme image handler built sendFile path from cookie + URL with only a prefix check, allowing `..` traversal outside /public/themes. Now resolved through common.resolvePathInBase.
- plugins/two-factor-auth setup2fa.html / enter2fa_login.html: hidden username/password inputs used unescaped EJS (`<%-`), enabling reflected XSS via crafted credentials. Switched to escaped `<%=`.
- api/utils/common.js: returnMessage / returnOutput logged the entire params object on the "output already closed" branch, which can include req.body/req.headers (passwords, session cookies). Replaced with a small non-sensitive summary.
- plugins/sdk/api/api.js: SDK config endpoints echoed raw `'Error: ' + err` to clients, leaking internal details. Now log details server-side and return a generic message.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- frontend/express/app.js: replace explicit resolvePathInBase + fs.exists + sendFile with res.sendFile's `root` option. Express normalizes the path and rejects `..` traversal natively (recognized by CodeQL as a sanitizer, addresses alerts 1329 and 1330). Switched req.url to req.path so query strings don't bleed into filesystem lookups.
- api/utils/common.js: log params.urlParts.pathname instead of req.url in the "output already closed" branch — req.url can carry api_key / auth_token in the query string.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
[security] Fix Fortify-flagged path traversal, XSS and info-leak issues
Bumps the actions group with 1 update: [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action). Updates `slackapi/slack-github-action` from 3.0.2 to 3.0.3 - [Release notes](https://github.com/slackapi/slack-github-action/releases) - [Changelog](https://github.com/slackapi/slack-github-action/blob/main/CHANGELOG.md) - [Commits](slackapi/slack-github-action@v3.0.2...v3.0.3) --- updated-dependencies: - dependency-name: slackapi/slack-github-action dependency-version: 3.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>
…ns-14a0636c8a chore(deps): bump slackapi/slack-github-action from 3.0.2 to 3.0.3 in the actions group
Bumps [lint-staged](https://github.com/lint-staged/lint-staged) from 17.0.2 to 17.0.4. - [Release notes](https://github.com/lint-staged/lint-staged/releases) - [Changelog](https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md) - [Commits](lint-staged/lint-staged@v17.0.2...v17.0.4) --- updated-dependencies: - dependency-name: lint-staged dependency-version: 17.0.4 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
…aged-17.0.4 chore(deps-dev): bump lint-staged from 17.0.2 to 17.0.4
Bumps [semver](https://github.com/npm/node-semver) from 7.7.4 to 7.8.0. - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md) - [Commits](npm/node-semver@v7.7.4...v7.8.0) --- updated-dependencies: - dependency-name: semver dependency-version: 7.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
…7.8.0 chore(deps): bump semver from 7.7.4 to 7.8.0
Bumps [fast-xml-builder](https://github.com/NaturalIntelligence/fast-xml-builder) from 1.1.5 to 1.2.0. - [Changelog](https://github.com/NaturalIntelligence/fast-xml-builder/blob/main/CHANGELOG.md) - [Commits](NaturalIntelligence/fast-xml-builder@v1.1.5...v1.2.0) --- updated-dependencies: - dependency-name: fast-xml-builder dependency-version: 1.2.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
…/push/fast-xml-builder-1.2.0 chore(deps): bump fast-xml-builder from 1.1.5 to 1.2.0 in /plugins/push
Update CHANGELOG for version 25.03.X fixes
Bumps [countly-sdk-nodejs](https://github.com/Countly/countly-sdk-nodejs) from 24.10.3 to 24.10.4. - [Release notes](https://github.com/Countly/countly-sdk-nodejs/releases) - [Changelog](https://github.com/Countly/countly-sdk-nodejs/blob/master/CHANGELOG.md) - [Commits](Countly/countly-sdk-nodejs@24.10.3...24.10.4) --- updated-dependencies: - dependency-name: countly-sdk-nodejs dependency-version: 24.10.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
…-sdk-nodejs-24.10.4 chore(deps): bump countly-sdk-nodejs from 24.10.3 to 24.10.4
Bumps [puppeteer](https://github.com/puppeteer/puppeteer) from 24.43.0 to 24.43.1. - [Release notes](https://github.com/puppeteer/puppeteer/releases) - [Changelog](https://github.com/puppeteer/puppeteer/blob/main/CHANGELOG.md) - [Commits](puppeteer/puppeteer@puppeteer-v24.43.0...puppeteer-v24.43.1) --- updated-dependencies: - dependency-name: puppeteer dependency-version: 24.43.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
…er-24.43.1 chore(deps): bump puppeteer from 24.43.0 to 24.43.1
Bumps [@protobufjs/utf8](https://github.com/dcodeIO/protobuf.js) from 1.1.0 to 1.1.1. - [Release notes](https://github.com/dcodeIO/protobuf.js/releases) - [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md) - [Commits](protobufjs/protobuf.js@protobufjs-cli-v1.1.0...protobufjs-cli-v1.1.1) --- updated-dependencies: - dependency-name: "@protobufjs/utf8" dependency-version: 1.1.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
…/push/protobufjs/utf8-1.1.1 chore(deps): bump @protobufjs/utf8 from 1.1.0 to 1.1.1 in /plugins/push
Bumps [cypress](https://github.com/cypress-io/cypress) from 15.14.2 to 15.15.0. - [Release notes](https://github.com/cypress-io/cypress/releases) - [Changelog](https://github.com/cypress-io/cypress/blob/develop/CHANGELOG.md) - [Commits](cypress-io/cypress@v15.14.2...v15.15.0) --- updated-dependencies: - dependency-name: cypress dependency-version: 15.15.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
…s/cypress-15.15.0 chore(deps-dev): bump cypress from 15.14.2 to 15.15.0 in /ui-tests
Added security fixes and enterprise fixes to the changelog for version 25.03.X.
Addresses Copilot review comments on #7559:
- Drop the half-written "[dbvieweer] ($graphLookup) and M-11 ..." line (the $graphLookup half is already on the line below).
- Add a proper, descriptive entry for the M-11 fix (eaaa23a): wrap the non-admin scope as a top-level $and so a user-supplied $or/$nor can't OR around the per-tenant filter.
- Fix puppetteer → puppeteer.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Update CHANGELOG.md for version 25.03.X fixes
…encoding docs(changelog): add user profile dot encoding fix
Bumps [systeminformation](https://github.com/sebhildebrandt/systeminformation) from 5.31.1 to 5.31.6. - [Release notes](https://github.com/sebhildebrandt/systeminformation/releases) - [Changelog](https://github.com/sebhildebrandt/systeminformation/blob/master/CHANGELOG.md) - [Commits](sebhildebrandt/systeminformation@v5.31.1...v5.31.6) --- updated-dependencies: - dependency-name: systeminformation dependency-version: 5.31.6 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
…s/systeminformation-5.31.6 chore(deps): bump systeminformation from 5.31.1 to 5.31.6 in /ui-tests
Bumps [protobufjs](https://github.com/protobufjs/protobuf.js) from 7.5.5 to 7.5.8. - [Release notes](https://github.com/protobufjs/protobuf.js/releases) - [Changelog](https://github.com/protobufjs/protobuf.js/blob/protobufjs-v7.5.8/CHANGELOG.md) - [Commits](protobufjs/protobuf.js@protobufjs-v7.5.5...protobufjs-v7.5.8) --- updated-dependencies: - dependency-name: protobufjs dependency-version: 7.5.8 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
…/push/protobufjs-7.5.8 chore(deps): bump protobufjs from 7.5.5 to 7.5.8 in /plugins/push
Journey cooldown UI changes
Update CHANGELOG.md
Bumps [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit) from 8.5.1 to 8.5.2. - [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases) - [Commits](express-rate-limit/express-rate-limit@v8.5.1...v8.5.2) --- updated-dependencies: - dependency-name: express-rate-limit dependency-version: 8.5.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
…-rate-limit-8.5.2 chore(deps): bump express-rate-limit from 8.5.1 to 8.5.2
Bumps [lint-staged](https://github.com/lint-staged/lint-staged) from 17.0.4 to 17.0.5. - [Release notes](https://github.com/lint-staged/lint-staged/releases) - [Changelog](https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md) - [Commits](lint-staged/lint-staged@v17.0.4...v17.0.5) --- updated-dependencies: - dependency-name: lint-staged dependency-version: 17.0.5 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
…aged-17.0.5 chore(deps-dev): bump lint-staged from 17.0.4 to 17.0.5
Updated version number to 25.03.44 and added security fixes, enterprise features, and bug fixes.
Update CHANGELOG for version 25.03.44
saveNote schema declared color as String but the dashboard (countly.common.notes.js COLOR_TAGS) sends a numeric index 1..5. Validation stayed dormant until H-5 started enforcing validateArgs, after which every create/edit failed with 'Invalid type for color'. Switched color to IntegerString so both Number (JSON body) and numeric string (URL query) are accepted. Slack context: https://countly.slack.com/archives/CV9KV4UQ1/p1779195915103949 Ports: Countly/countly-platform#280 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
fix(notes): accept numeric color in saveNote schema
Change 'ts' type from empty to 'IntegerString'
Bumps [get-random-values](https://github.com/kenany/get-random-values) from 4.1.2 to 5.0.0. - [Release notes](https://github.com/kenany/get-random-values/releases) - [Commits](kenany/get-random-values@4.1.2...5.0.0) --- updated-dependencies: - dependency-name: get-random-values dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
…dom-values-5.0.0 chore(deps): bump get-random-values from 4.1.2 to 5.0.0
…03.X Pairs with the actual fix in countly-enterprise-plugins PR #3179 (mirror of countly-platform #295). Read-path coercion in plugins/groups/api/services/dbService.js so pre-2021 members docs with group_id stored as a string no longer trip MongoDB Location40081 on the new $in-based $lookup pipeline. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
docs(changelog): note groups findGroups legacy group_id fix under 25.03.X
No description provided.