diff --git a/.github/workflows/release_notice.yml b/.github/workflows/release_notice.yml index 8a7a8431ee0..abe4dfd2eba 100644 --- a/.github/workflows/release_notice.yml +++ b/.github/workflows/release_notice.yml @@ -14,7 +14,7 @@ jobs: run: echo "$GITHUB_CONTEXT" - name: Send custom JSON data to Slack workflow id: slack - uses: slackapi/slack-github-action@v3.0.2 + uses: slackapi/slack-github-action@v3.0.3 with: # This data can be any valid JSON from a previous step in the GitHub Action webhook: ${{ secrets.SLACK_RELEASE }} diff --git a/CHANGELOG.md b/CHANGELOG.md index 49f40e4f229..ffa81cec811 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,65 @@ + ## Version 25.03.X +Fixes: +- [core] Accept numeric color in saveNote schema so graph note create/edit no longer fails validation +- [groups] Tolerate legacy string `group_id` on members in findGroups aggregation so the groups listing, User Management, Alerts and Preset Management pages no longer 400 with MongoDB Location40081 on tenants with pre-2021 data + +## Version 25.03.44 +Security fixes: +- [alerts] Validate alertConfig.selectedApps against caller's permissions (cross-app metric exfiltration) +- [app_users / logger / compliance-hub] Strip dangerous Mongo operators ($where, $expr, $function, $accumulator) from user-supplied queries +- [app_users] Sanitize user.picture filename before deletion (path traversal) +- [app_users] Scope export download/delete to caller's app_id; reject path-traversal in filenames +- [apps] Replace updateApp/createApp mass-assignment with explicit field allowlist +- [auth] Generate new-member invite prid with crypto.randomBytes (replace predictable HMAC) +- [auth] Handle req.session.regenerate error in token login +- [auth] Replace OTP-equality recaptcha bypass with twoFactorPassed session flag +- [auth] Restrict /login/token/:token to login-purpose tokens; regenerate session id on token login to close fixation +- [cms / system / systemlogs] /i/cms/save_entries, /o/system/plugins, /i/systemlogs restricted to global admins +- [core] Add common.resolvePathInBase helper for safe path containment checks +- [crashes] Add error handlers to crash report streamed responses +- [dashboards] Constrain public screenshot route paths and stream error handling +- [dashboards] Identical response for missing/inaccessible dashboard (no enumeration) +- [dashboards] Require auth + per-widget app permission on /o/dashboards/test; remove the unused endpoint +- [data_migration] Constrain export/import paths to allowed directories; reject path-traversal in target_path, multipart filenames, and exportid (backport of #7491) +- [data] 
Escape regex metacharacters in sSearch parameters (ReDoS) +- [data] Return 404 (not 500) when event_groups lookup misses +- [dbviewer] Block $graphLookup aggregation stage (cross-collection data exfiltration) +- [dbviewer] Wrap non-admin scope as top-level $and so user-supplied $or/$nor cannot bypass per-tenant filter (cross-tenant data exfiltration) +- [errorlogs] Reject path-traversal in admin log file paths +- [event_groups] Whitelist updatable fields on create/update; scope reads by app_id +- [exports] Add stream error handlers to export download +- [exports] Authorize /o/export/download by task ownership / app_id +- [notes] Bind notes to permission-checked app_id; check edit permissions against the note's stored app_id +- [notes] Enforce saveNote schema validation +- [output] Remove noescape query-string bypass on returnOutput (reflected-XSS via parameter) +- [push] Bind message create/test/update/one/remove/toggle to query-string app_id (cross-app push injection) +- [redirect] Apply SSRF protection (api/utils/ssrf-protection.js) to app.redirect_url outbound requests +- [render] (--disable-web-security) removed from puppeteer +- [reports] Add stream error handlers +- [star-rating] Close stored XSS in feedback widget logo upload/preview; restrict uploads to image MIME types and validate magic bytes (backport of #7532) +- [star-rating] Defense-in-depth on image upload/serve routes +- [system-utility] Harden streamed responses with error handlers +- [tasks] Authorize /i/tasks/{update,delete,name,edit} per task ownership / app admin / global admin +- [users] /users/check/username now requires global admin (parity with email check) + +Enterprise Features: +- [journey_engine] Maker checker approver +- [journey_engine] Engagement cooldown information added to journey builder and user profiles + Enterprise Fixes: +- [active_users] Fixed logic to prevent triggering active users calculation if it +- [cognito] Fix crash on GET /clogin/:code when body-parser 2.x leaves 
req.body undefined on requests with no bodyis already running. - [drill] Add query hint based on default indexes - [drill] Add contextual links in drill table for user IDs and crash groups - [drill] Resolve device IDs to user profiles via server-side redirect endpoint - [drill] Open crash group and user profile links in new tab - [drill] Show user-friendly error message when saving a query fails - +- [users] Fix MongoDB dot encoding (.) leaking into user profile UI filters, breakdown dropdown, and URLs ## Version 25.03.43 Enterprise Fixes: - [flow] Optimize timeline period query -- [journey_engine] Maker checker approver Dependencies: - Bump follow-redirects from 1.15.11 to 1.16.0 diff --git a/api/parts/mgmt/users.js b/api/parts/mgmt/users.js index 75348a28703..9560efa9d0b 100644 --- a/api/parts/mgmt/users.js +++ b/api/parts/mgmt/users.js @@ -904,15 +904,18 @@ usersApi.saveNote = async function(params) { }, 'ts': { 'required': true, - 'type': '' + 'type': 'IntegerString' }, 'noteType': { 'required': true, 'type': 'String', }, 'color': { + // Frontend (countly.common.notes.js COLOR_TAGS) sends a numeric + // index 1..5. URL query callers may send "5" as a string. + // Mirror the ts handling — IntegerString accepts both. 'required': true, - 'type': 'String' + 'type': 'IntegerString' }, 'category': { 'required': false, @@ -1187,4 +1190,4 @@ usersApi.ackNotification = function(params) { }); }; -module.exports = usersApi; \ No newline at end of file +module.exports = usersApi; diff --git a/api/utils/common.js b/api/utils/common.js index 4402b843310..be62bfcd055 100644 --- a/api/utils/common.js +++ b/api/utils/common.js 
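Review bot: The new comment on `color` in the saveNote schema says the frontend sends an index 1..5, but the schema as changed only asks for an integer-like value, so any integer a caller supplies passes validation. If the validator behind this schema supports range constraints, add them to the `color` entry; otherwise reject values outside 1..5 right after validation. Until then the comment should say so, e.g. `// NOTE: the 1..5 range is not enforced here; only the type is checked.` Whether the value is stored as a number or as the string form is not visible here, since saveNote starts before and continues past this hunk.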
@@ -1403,7 +1403,10 @@ common.returnMessage = function(params, returnCode, message, heads, noResult = f else { console.error("Output already closed, can't write more"); console.trace(); - console.log(params); + // Don't dump the full params object — req.body/req.headers can + // contain credentials, session cookies, or other secrets. Log + // only the pathname (query string can carry api_key/auth_token). + console.log({pathname: params.urlParts && params.urlParts.pathname, apiPath: params.apiPath, qstringKeys: params.qstring && Object.keys(params.qstring)}); } } }; @@ -1485,7 +1488,10 @@ common.returnOutput = function(params, output, noescape, heads) { else { console.error("Output already closed, can't write more"); console.trace(); - console.log(params); + // Don't dump the full params object — req.body/req.headers can + // contain credentials, session cookies, or other secrets. Log + // only the pathname (query string can carry api_key/auth_token). + console.log({pathname: params.urlParts && params.urlParts.pathname, apiPath: params.apiPath, qstringKeys: params.qstring && Object.keys(params.qstring)}); } } }; diff --git a/frontend/express/app.js b/frontend/express/app.js index ab7a1c5b0a6..47799765af3 100644 --- a/frontend/express/app.js +++ b/frontend/express/app.js 
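Review bot: The added comment says to log only the pathname, yet the statement under it also logs `apiPath` and the query-string key names, and the same comment and log call are repeated in returnMessage and in the second hunk in returnOutput. Reword the comment to match the code, e.g. `// Log only pathname, apiPath and query-string key names; values can carry api_key/auth_token.`, and consider building the logged object in one small helper so the two sites cannot drift apart. Key names and the path are still caller-controlled, so it is worth confirming that no route carries a secret in either. Both functions start and end outside the hunks.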
@@ -479,14 +479,16 @@ Promise.all([plugins.dbConnection(countlyConfig), plugins.dbConnection("countly_ app.use(cookieParser()); //server theme images app.use(function(req, res, next) { - var urlPath = req.url.replace(countlyConfig.path, ""); + var urlPath = req.path.replace(countlyConfig.path, ""); var theme = req.cookies.theme || curTheme; - if (theme && theme.length && (req.url.indexOf(countlyConfig.path + '/images/') === 0 || req.url.indexOf(countlyConfig.path + '/geodata/') === 0)) { - fs.exists(__dirname + '/public/themes/' + theme + urlPath, function(exists) { - if (exists) { - res.sendFile(__dirname + '/public/themes/' + theme + urlPath); - } - else { + if (theme && theme.length && (req.path.indexOf(countlyConfig.path + '/images/') === 0 || req.path.indexOf(countlyConfig.path + '/geodata/') === 0)) { + // Both `theme` (cookie) and `urlPath` (URL) are user-controlled. + // Hand the relative path to res.sendFile with `root` set to + // /public/themes — express normalizes the path and rejects any + // `..` traversal before touching the filesystem. Missing files + // surface via the error callback and fall through to next(). + res.sendFile(theme + urlPath, {root: path.resolve(__dirname, 'public/themes')}, function(err) { + if (err) { next(); } }); diff --git a/frontend/express/public/javascripts/countly/vue/components/content.js b/frontend/express/public/javascripts/countly/vue/components/content.js index 6a35382158a..e4e84018130 100644 --- a/frontend/express/public/javascripts/countly/vue/components/content.js +++ b/frontend/express/public/javascripts/countly/vue/components/content.js @@ -71,6 +71,11 @@ type: String }, + cooldownBadge: { + default: () => ({ show: false }), + type: Object + }, + status: { default: () => ({ label: 'Status', diff --git a/frontend/express/public/javascripts/countly/vue/templates/content/content-header.html b/frontend/express/public/javascripts/countly/vue/templates/content/content-header.html index e5f12fa4359..41f9f909e73 100644 
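Review bot: The `res.sendFile` callback calls `next()` on every error, including one raised after the response has started (for example a client that disconnects mid-transfer), so later middleware can run against a response whose headers are already sent. Guard it with `if (err && !res.headersSent) { next(); }`. `req.cookies.theme` is tested only for truthiness and `length`; cookie-parser can hand back a parsed object for a JSON-encoded cookie value, so adding `typeof theme === 'string'` to the condition would keep the `theme + urlPath` concatenation predictable. The `path` import used by `path.resolve` is not visible in the hunk and should be confirmed, and the middleware's else branch lies outside it.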
--- a/frontend/express/public/javascripts/countly/vue/templates/content/content-header.html +++ b/frontend/express/public/javascripts/countly/vue/templates/content/content-header.html @@ -55,6 +55,18 @@ :tabs="tabs" />
+
+ +
=0.10.0" } }, - "node_modules/geoip-lite/node_modules/ip-address": { - "version": "5.9.4", - "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-5.9.4.tgz", - "integrity": "sha512-dHkI3/YNJq4b/qQaz+c8LuarD3pY24JqZWfjB8aZx1gtpc2MDILu9L9jpZe1sHpzo/yWFweQVn+U//FhazUxmw==", - "license": "MIT", - "dependencies": { - "jsbn": "1.1.0", - "lodash": "^4.17.15", - "sprintf-js": "1.1.2" - }, - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/geoip-lite/node_modules/sprintf-js": { - "version": "1.1.2", - "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.1.2.tgz", - "integrity": "sha512-VE0SOVEHCk7Qc8ulkWw3ntAzXuqf7S2lvwQaDLRnUeIEaKNQJzV6BwmLKhOqT61aGhfUMrXeaBk+oDGCzvhcug==", - "license": "BSD-3-Clause" - }, "node_modules/get-caller-file": { "version": "2.0.5", "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz", @@ -6151,15 +6131,15 @@ } }, "node_modules/get-random-values": { - "version": "4.1.2", - "resolved": "https://registry.npmjs.org/get-random-values/-/get-random-values-4.1.2.tgz", - "integrity": "sha512-wSryUwTGxprpTZqyA2BLt3s/nnk49aeUiaVcoGeZckvu1NpC8nueUO6D74VfXy/BEpRNL7DAD/dgPVot5chruw==", + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/get-random-values/-/get-random-values-5.0.0.tgz", + "integrity": "sha512-K4SoyabzMZ+stdDY4atTAml/UztnBFBu1Hk3vC4paSKHl/Cecxfe07SQhevII4/mnwGBa/q9pfaZo2lS9G4Pvg==", "license": "MIT", "dependencies": { "window-or-global": "^1.0.1" }, "engines": { - "node": "20 || 22 || >=24" + "node": "22 || >=24" } }, "node_modules/get-stream": { @@ -7937,12 +7917,6 @@ "js-yaml": "bin/js-yaml.js" } }, - "node_modules/jsbn": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-1.1.0.tgz", - "integrity": "sha512-4bYVV3aAMtDTTu4+xsDYa6sy9GyJ69/amsu9sYF2zqjiEoZA5xJi3BrfX3uY+/IekIu7MwdObdbDWpoZdBv3/A==", - "license": "MIT" - }, "node_modules/jsesc": { "version": "3.1.0", "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-3.1.0.tgz", 
@@ -8203,9 +8177,9 @@ "license": "MIT" }, "node_modules/lint-staged": { - "version": "17.0.2", - "resolved": "https://registry.npmjs.org/lint-staged/-/lint-staged-17.0.2.tgz", - "integrity": "sha512-Rbr6rdmbCn1fIDHBZpn0madg0hEkdlh+QwajnL3Qq0ZUq/icAJfLGj9BVBajAXi7657ZzKQ7kobGP9S5XOHYRw==", + "version": "17.0.5", + "resolved": "https://registry.npmjs.org/lint-staged/-/lint-staged-17.0.5.tgz", + "integrity": "sha512-d12yC+/e8RhBjZtaxZn71FyrgU/P5e+uAPifhCLwdosQZP/zamSdKRWDC30ocVIbzDKiFG1McHc/LUgB92GIPw==", "dev": true, "license": "MIT", "dependencies": { @@ -10965,17 +10939,17 @@ } }, "node_modules/puppeteer": { - "version": "24.43.0", - "resolved": "https://registry.npmjs.org/puppeteer/-/puppeteer-24.43.0.tgz", - "integrity": "sha512-DRnMFz+J3s4lFUQcjqKl0/7h0jzlCZuUFU9lNjtKrnMl5WI1RwCaIItpHVu9empuPyUreYueN0sUW3/pnfdqsg==", + "version": "24.43.1", + "resolved": "https://registry.npmjs.org/puppeteer/-/puppeteer-24.43.1.tgz", + "integrity": "sha512-/FSOViCrqRdb1HDocpsM9Z1giA71gTQPUt3SpHGVRALKAy/rJr1fLFYZW9F23qPxqVxTHQnbh/5B5opJST3kAw==", "hasInstallScript": true, "license": "Apache-2.0", "dependencies": { - "@puppeteer/browsers": "2.13.1", + "@puppeteer/browsers": "2.13.2", "chromium-bidi": "14.0.0", "cosmiconfig": "^9.0.0", "devtools-protocol": "0.0.1608973", - "puppeteer-core": "24.43.0", + "puppeteer-core": "24.43.1", "typed-query-selector": "^2.12.2" }, "bin": { 
@@ -10986,12 +10960,12 @@ } }, "node_modules/puppeteer-core": { - "version": "24.43.0", - "resolved": "https://registry.npmjs.org/puppeteer-core/-/puppeteer-core-24.43.0.tgz", - "integrity": "sha512-cCRNXsUlhyPoKDz6+TiSpfZpRS3mD6Y1YFKhkdr6ik6TMfuJb7fAtXq9ThUFc4sphxObDk3BuAvdxc1Y6YOnqQ==", + "version": "24.43.1", + "resolved": "https://registry.npmjs.org/puppeteer-core/-/puppeteer-core-24.43.1.tgz", + "integrity": "sha512-T5ScUMAsmhdNbgDR41AGESYeS6V9MSgetkSnVhhW+gXvzC42VesKCn5ld87gAZDJ6vLHL9GkRvY9WtQWSnwFbw==", "license": "Apache-2.0", "dependencies": { - "@puppeteer/browsers": "2.13.1", + "@puppeteer/browsers": "2.13.2", "chromium-bidi": "14.0.0", "debug": "^4.4.3", "devtools-protocol": "0.0.1608973", @@ -11476,9 +11450,9 @@ } }, "node_modules/semver": { - "version": "7.7.4", - "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.4.tgz", - "integrity": "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==", + "version": "7.8.0", + "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.0.tgz", + "integrity": "sha512-AcM7dV/5ul4EekoQ29Agm5vri8JNqRyj39o0qpX6vDF2GZrtutZl5RwgD1XnZjiTAfncsJhMI48QQH3sN87YNA==", "license": "ISC", "bin": { "semver": "bin/semver.js" @@ -13445,9 +13419,9 @@ } }, "node_modules/xlsx-write-stream": { - "version": "1.0.3", - "resolved": "https://registry.npmjs.org/xlsx-write-stream/-/xlsx-write-stream-1.0.3.tgz", - "integrity": "sha512-HyAJ0oXfyBt/DZ+CJfSZvkxQNgqaSOFv9UPR5wosz1G9LW450KTPrj9lc1WKrwzVM2ItrdhhsSN88ARwYggAhQ==", + "version": "1.0.4", + "resolved": "https://registry.npmjs.org/xlsx-write-stream/-/xlsx-write-stream-1.0.4.tgz", + "integrity": "sha512-ZHpLtZzezUHTx/BI61lrv2dHXHn2YTu1EhmhijLYgEWvu5dweWNQKsXjE5slkkC8bXjVPmN3e6WQ36IpMt0C1w==", "license": "Apache-2.0", "dependencies": { "archiver": "^5.3.0", diff --git a/package.json b/package.json index 7abe71d3ac7..3144b4a3830 100644 --- a/package.json +++ b/package.json 
@@ -60,13 +60,13 @@ "ejs": "5.0.2", "errorhandler": "1.5.2", "express": "4.22.1", - "express-rate-limit": "8.5.1", + "express-rate-limit": "8.5.2", "express-session": "1.19.0", "form-data": "^4.0.0", "formidable": "2.1.3", "fs-extra": "11.3.5", - "geoip-lite": "2.0.1", - "get-random-values": "^4.0.0", + "geoip-lite": "2.0.2", + "get-random-values": "^5.0.0", "grunt": "1.6.2", "grunt-cli": "1.5.0", "grunt-contrib-concat": "2.1.0", diff --git a/plugins/push/package-lock.json b/plugins/push/package-lock.json index f1fd02d7445..e61d1cee6d8 100644 --- a/plugins/push/package-lock.json +++ b/plugins/push/package-lock.json @@ -244,9 +244,9 @@ "optional": true }, "node_modules/@protobufjs/codegen": { - "version": "2.0.4", - "resolved": "https://registry.npmjs.org/@protobufjs/codegen/-/codegen-2.0.4.tgz", - "integrity": "sha512-YyFaikqM5sH0ziFZCN3xDC7zeGaB/d0IUb9CATugHWbd1FRFwWwt4ld4OYMPWu5a3Xe01mGAULCdqhMlPl29Jg==", + "version": "2.0.5", + "resolved": "https://registry.npmjs.org/@protobufjs/codegen/-/codegen-2.0.5.tgz", + "integrity": "sha512-zgXFLzW3Ap33e6d0Wlj4MGIm6Ce8O89n/apUaGNB/jx+hw+ruWEp7EwGUshdLKVRCxZW12fp9r40E1mQrf/34g==", "optional": true }, "node_modules/@protobufjs/eventemitter": { @@ -272,9 +272,9 @@ "optional": true }, "node_modules/@protobufjs/inquire": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/@protobufjs/inquire/-/inquire-1.1.0.tgz", - "integrity": "sha512-kdSefcPdruJiFMVSbn801t4vFK7KB/5gd2fYvrxhuJYg8ILrmn9SKSX2tZdV6V+ksulWqS7aXjBcRXl3wHoD9Q==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@protobufjs/inquire/-/inquire-1.1.1.tgz", + "integrity": "sha512-mnzgDV26ueAvk7rsbt9L7bE0SuAoqyuys/sMMrmVcN5x9VsxpcG3rqAUSgDyLp0UZlmNfIbQ4fHfCtreVBk8Ew==", "optional": true }, "node_modules/@protobufjs/path": { 
@@ -290,9 +290,9 @@ "optional": true }, "node_modules/@protobufjs/utf8": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.0.tgz", - "integrity": "sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.1.tgz", + "integrity": "sha512-oOAWABowe8EAbMyWKM0tYDKi8Yaox52D+HWZhAIJqQXbqe0xI/GV7FhLWqlEKreMkfDjshR5FKgi3mnle0h6Eg==", "optional": true }, "node_modules/@tootallnate/once": { @@ -833,9 +833,9 @@ "optional": true }, "node_modules/fast-xml-builder": { - "version": "1.1.5", - "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.5.tgz", - "integrity": "sha512-4TJn/8FKLeslLAH3dnohXqE3QSoxkhvaMzepOIZytwJXZO69Bfz0HBdDHzOTOon6G59Zrk6VQ2bEiv1t61rfkA==", + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.2.0.tgz", + "integrity": "sha512-00aAWieqff+ZJhsXA4g1g7M8k+7AYoMUUHF+/zFb5U6Uv/P0Vl4QZo84/IcufzYalLuEj9928bXN9PbbFzMF0Q==", "funding": [ { "type": "github", @@ -844,7 +844,8 @@ ], "optional": true, "dependencies": { - "path-expression-matcher": "^1.1.3" + "path-expression-matcher": "^1.5.0", + "xml-naming": "^0.1.0" } }, "node_modules/fast-xml-parser": { 
@@ -1610,22 +1611,22 @@ } }, "node_modules/protobufjs": { - "version": "7.5.5", - "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.5.tgz", - "integrity": "sha512-3wY1AxV+VBNW8Yypfd1yQY9pXnqTAN+KwQxL8iYm3/BjKYMNg4i0owhEe26PWDOMaIrzeeF98Lqd5NGz4omiIg==", + "version": "7.5.8", + "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.8.tgz", + "integrity": "sha512-dvpCIeLPbXZS/Ete7yLaO7RenOdken2NHKykBXbsaGxZT0UTltcarBciw+A78SRQs9iMAAVpsYA+l8b1hTePIA==", "hasInstallScript": true, "optional": true, "dependencies": { "@protobufjs/aspromise": "^1.1.2", "@protobufjs/base64": "^1.1.2", - "@protobufjs/codegen": "^2.0.4", + "@protobufjs/codegen": "^2.0.5", "@protobufjs/eventemitter": "^1.1.0", "@protobufjs/fetch": "^1.1.0", "@protobufjs/float": "^1.0.2", - "@protobufjs/inquire": "^1.1.0", + "@protobufjs/inquire": "^1.1.1", "@protobufjs/path": "^1.1.2", "@protobufjs/pool": "^1.1.0", - "@protobufjs/utf8": "^1.1.0", + "@protobufjs/utf8": "^1.1.1", "@types/node": ">=13.7.0", "long": "^5.0.0" }, @@ -2027,6 +2028,21 @@ "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" }, + "node_modules/xml-naming": { + "version": "0.1.0", + "resolved": "https://registry.npmjs.org/xml-naming/-/xml-naming-0.1.0.tgz", + "integrity": "sha512-k8KO9hrMyNk6tUWqUfkTEZbezRRpONVOzUTnc97VnCvyj6Tf9lyUR9EDAIeiVLv56jsMcoXEwjW8Kv5yPY52lw==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/NaturalIntelligence" + } + ], + "optional": true, + "engines": { + "node": ">=16.0.0" + } + }, "node_modules/y18n": { "version": "5.0.8", "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz", 
@@ -2275,9 +2291,9 @@ "optional": true }, "@protobufjs/codegen": { - "version": "2.0.4", - "resolved": "https://registry.npmjs.org/@protobufjs/codegen/-/codegen-2.0.4.tgz", - "integrity": "sha512-YyFaikqM5sH0ziFZCN3xDC7zeGaB/d0IUb9CATugHWbd1FRFwWwt4ld4OYMPWu5a3Xe01mGAULCdqhMlPl29Jg==", + "version": "2.0.5", + "resolved": "https://registry.npmjs.org/@protobufjs/codegen/-/codegen-2.0.5.tgz", + "integrity": "sha512-zgXFLzW3Ap33e6d0Wlj4MGIm6Ce8O89n/apUaGNB/jx+hw+ruWEp7EwGUshdLKVRCxZW12fp9r40E1mQrf/34g==", "optional": true }, "@protobufjs/eventemitter": { @@ -2303,9 +2319,9 @@ "optional": true }, "@protobufjs/inquire": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/@protobufjs/inquire/-/inquire-1.1.0.tgz", - "integrity": "sha512-kdSefcPdruJiFMVSbn801t4vFK7KB/5gd2fYvrxhuJYg8ILrmn9SKSX2tZdV6V+ksulWqS7aXjBcRXl3wHoD9Q==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@protobufjs/inquire/-/inquire-1.1.1.tgz", + "integrity": "sha512-mnzgDV26ueAvk7rsbt9L7bE0SuAoqyuys/sMMrmVcN5x9VsxpcG3rqAUSgDyLp0UZlmNfIbQ4fHfCtreVBk8Ew==", "optional": true }, "@protobufjs/path": { @@ -2321,9 +2337,9 @@ "optional": true }, "@protobufjs/utf8": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.0.tgz", - "integrity": "sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.1.tgz", + "integrity": "sha512-oOAWABowe8EAbMyWKM0tYDKi8Yaox52D+HWZhAIJqQXbqe0xI/GV7FhLWqlEKreMkfDjshR5FKgi3mnle0h6Eg==", "optional": true }, "@tootallnate/once": { 
@@ -2751,12 +2767,13 @@ "optional": true }, "fast-xml-builder": { - "version": "1.1.5", - "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.5.tgz", - "integrity": "sha512-4TJn/8FKLeslLAH3dnohXqE3QSoxkhvaMzepOIZytwJXZO69Bfz0HBdDHzOTOon6G59Zrk6VQ2bEiv1t61rfkA==", + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.2.0.tgz", + "integrity": "sha512-00aAWieqff+ZJhsXA4g1g7M8k+7AYoMUUHF+/zFb5U6Uv/P0Vl4QZo84/IcufzYalLuEj9928bXN9PbbFzMF0Q==", "optional": true, "requires": { - "path-expression-matcher": "^1.1.3" + "path-expression-matcher": "^1.5.0", + "xml-naming": "^0.1.0" } }, "fast-xml-parser": { @@ -3334,21 +3351,21 @@ } }, "protobufjs": { - "version": "7.5.5", - "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.5.tgz", - "integrity": "sha512-3wY1AxV+VBNW8Yypfd1yQY9pXnqTAN+KwQxL8iYm3/BjKYMNg4i0owhEe26PWDOMaIrzeeF98Lqd5NGz4omiIg==", + "version": "7.5.8", + "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.8.tgz", + "integrity": "sha512-dvpCIeLPbXZS/Ete7yLaO7RenOdken2NHKykBXbsaGxZT0UTltcarBciw+A78SRQs9iMAAVpsYA+l8b1hTePIA==", "optional": true, "requires": { "@protobufjs/aspromise": "^1.1.2", "@protobufjs/base64": "^1.1.2", - "@protobufjs/codegen": "^2.0.4", + "@protobufjs/codegen": "^2.0.5", "@protobufjs/eventemitter": "^1.1.0", "@protobufjs/fetch": "^1.1.0", "@protobufjs/float": "^1.0.2", - "@protobufjs/inquire": "^1.1.0", + "@protobufjs/inquire": "^1.1.1", "@protobufjs/path": "^1.1.2", "@protobufjs/pool": "^1.1.0", - "@protobufjs/utf8": "^1.1.0", + "@protobufjs/utf8": "^1.1.1", "@types/node": ">=13.7.0", "long": "^5.0.0" } 
@@ -3637,6 +3654,12 @@ "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" }, + "xml-naming": { + "version": "0.1.0", + "resolved": "https://registry.npmjs.org/xml-naming/-/xml-naming-0.1.0.tgz", + "integrity": "sha512-k8KO9hrMyNk6tUWqUfkTEZbezRRpONVOzUTnc97VnCvyj6Tf9lyUR9EDAIeiVLv56jsMcoXEwjW8Kv5yPY52lw==", + "optional": true + }, "y18n": { "version": "5.0.8", "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz", diff --git a/plugins/sdk/api/api.js b/plugins/sdk/api/api.js index bf3a3a0c17c..dec9512e3f5 100644 --- a/plugins/sdk/api/api.js +++ b/plugins/sdk/api/api.js @@ -27,7 +27,8 @@ plugins.register("/permissions/features", function(ob) { common.returnOutput(params, config); }) .catch(function(err) { - common.returnMessage(params, 400, 'Error: ' + err); + console.error("Error retrieving SDK config", err); + common.returnMessage(params, 400, 'Error retrieving SDK config'); }) .finally(function() { resolve(); @@ -72,7 +73,8 @@ plugins.register("/permissions/features", function(ob) { common.returnOutput(params, res.config || {}); }) .catch(function(err) { - common.returnMessage(params, 400, 'Error: ' + err); + console.error("Error retrieving SDK config", err); + common.returnMessage(params, 400, 'Error retrieving SDK config'); }); }); diff --git a/plugins/two-factor-auth/frontend/public/templates/enter2fa_login.html b/plugins/two-factor-auth/frontend/public/templates/enter2fa_login.html index 06e5feddfe9..1d2c334d0c5 100644 --- a/plugins/two-factor-auth/frontend/public/templates/enter2fa_login.html +++ b/plugins/two-factor-auth/frontend/public/templates/enter2fa_login.html @@ -88,8 +88,8 @@ <%- inject_template.form %> <% } %>
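Review bot: Both catch handlers in plugins/sdk/api/api.js (this hunk and the next one) now log the identical text `"Error retrieving SDK config"`, so an operator cannot tell from the log which endpoint failed or for which app. Add something that identifies the request without dumping it, such as the handler's route and the app id if `params` carries one at that point (not visible in the hunk). The response also keeps status 400 for what looks like a server-side lookup failure; if SDK clients do not depend on that code, `common.returnMessage(params, 500, 'Error retrieving SDK config');` would describe it better. Both handlers begin and end outside the hunks.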
- - + + diff --git a/plugins/two-factor-auth/frontend/public/templates/setup2fa.html b/plugins/two-factor-auth/frontend/public/templates/setup2fa.html index 54e107e7355..1c05bf28e2e 100644 --- a/plugins/two-factor-auth/frontend/public/templates/setup2fa.html +++ b/plugins/two-factor-auth/frontend/public/templates/setup2fa.html @@ -81,8 +81,8 @@ <% } %>
- - + +
diff --git a/ui-tests/package-lock.json b/ui-tests/package-lock.json index 46f1a96c74b..5117679a160 100644 --- a/ui-tests/package-lock.json +++ b/ui-tests/package-lock.json @@ -24,9 +24,9 @@ } }, "node_modules/@cypress/request": { - "version": "3.0.10", - "resolved": "https://registry.npmjs.org/@cypress/request/-/request-3.0.10.tgz", - "integrity": "sha512-hauBrOdvu08vOsagkZ/Aju5XuiZx6ldsLfByg1htFeldhex+PeMrYauANzFsMJeAA0+dyPLbDoX2OYuvVoLDkQ==", + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/@cypress/request/-/request-4.0.0.tgz", + "integrity": "sha512-wGTQfwDMMMiz/muFw4YbCLwTh0uZsXKK+6zWBzftADpitSi6iM62C8GzEhNcng2srUiGPksOriQkA8zakW2R0g==", "license": "Apache-2.0", "dependencies": { "aws-sign2": "~0.7.0", @@ -45,11 +45,10 @@ "qs": "~6.14.1", "safe-buffer": "^5.1.2", "tough-cookie": "^5.0.0", - "tunnel-agent": "^0.6.0", - "uuid": "^8.3.2" + "tunnel-agent": "^0.6.0" }, "engines": { - "node": ">= 6" + "node": ">= 14.17.0" } }, "node_modules/@cypress/xvfb": { @@ -1345,13 +1344,13 @@ } }, "node_modules/cypress": { - "version": "15.14.2", - "resolved": "https://registry.npmjs.org/cypress/-/cypress-15.14.2.tgz", - "integrity": "sha512-xMWg/iEImeIThRQZdnf3BFJT1a84apM/R91Feoa4vVWGuYWDphMT5jLhRVTBVlCgi+6axegF1zqhNyjhug2SsQ==", + "version": "15.15.0", + "resolved": "https://registry.npmjs.org/cypress/-/cypress-15.15.0.tgz", + "integrity": "sha512-N8qBv3AUYn6xfIG73O5O58kTClUBSZ7a3C08IQFkSGTUdEauJ3BqwTFb/f9KPZgadftoZjllC0XSwD7xNNolbA==", "hasInstallScript": true, "license": "MIT", "dependencies": { - "@cypress/request": "^3.0.10", + "@cypress/request": "^4.0.0", "@cypress/xvfb": "^1.2.4", "@types/sinonjs__fake-timers": "8.1.1", "@types/sizzle": "^2.3.2", 
@@ -1866,9 +1865,9 @@ } }, "node_modules/hasown": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", - "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.3.tgz", + "integrity": "sha512-ej4AhfhfL2Q2zpMmLo7U1Uv9+PyhIZpgQLGT1F9miIGmiCJIoCgSmczFdrc97mWT4kVY72KA+WnnhJ5pghSvSg==", "license": "MIT", "dependencies": { "function-bind": "^1.1.2" @@ -2620,13 +2619,13 @@ } }, "node_modules/side-channel-list": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.0.tgz", - "integrity": "sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA==", + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.1.tgz", + "integrity": "sha512-mjn/0bi/oUURjc5Xl7IaWi/OJJJumuoJFQJfDDyO46+hBWsfaVM65TBHq2eoZBhzl9EchxOijpkbRC8SVBQU0w==", "license": "MIT", "dependencies": { "es-errors": "^1.3.0", - "object-inspect": "^1.13.3" + "object-inspect": "^1.13.4" }, "engines": { "node": ">= 0.4" @@ -2797,9 +2796,9 @@ } }, "node_modules/systeminformation": { - "version": "5.31.1", - "resolved": "https://registry.npmjs.org/systeminformation/-/systeminformation-5.31.1.tgz", - "integrity": "sha512-6pRwxoGeV/roJYpsfcP6tN9mep6pPeCtXbUOCdVa0nme05Brwcwdge/fVNhIZn2wuUitAKZm4IYa7QjnRIa9zA==", + "version": "5.31.6", + "resolved": "https://registry.npmjs.org/systeminformation/-/systeminformation-5.31.6.tgz", + "integrity": "sha512-Uv2b2uGGM6ns+26czgW2cYRabYdnswM0ddSOOlryHOaelzsmDSet1iM/NT7VOYxW8x/BW+HkY+b1Ve2pLTSGSA==", "license": "MIT", "os": [ "darwin", 
@@ -2939,15 +2938,6 @@ "node": ">=8" } }, - "node_modules/uuid": { - "version": "8.3.2", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", - "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==", - "license": "MIT", - "bin": { - "uuid": "dist/bin/uuid" - } - }, "node_modules/verror": { "version": "1.10.0", "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz",