Merge branch 'master' into QT-344

Author: can-angun

CHANGELOG.md

@@ -1,6 +1,11 @@
 ## Version 25.03.xx
 Fixes:
 - [push] Fixed timeout setting
+- [security] Fixed injection possibility on res.expose
+
+Enterprise Fixes:
+- [groups] Add logs for user updates
+- [surveys] Change question map log to debug log
 
 Dependencies:
 - Bump axios from 1.12.2 to 1.13.1 in /plugins/cognito

frontend/express/app.js

@@ -438,8 +438,10 @@ Promise.all([plugins.dbConnection(countlyConfig), plugins.dbConnection("countly_
         next();
     });
 
-    app.use('*.svg', function(req, res, next) {
-        res.setHeader('Content-Type', 'image/svg+xml; charset=UTF-8');
+    app.use(function(req, res, next) {
+        if (req.path.endsWith('.svg')) {
+            res.setHeader('Content-Type', 'image/svg+xml; charset=UTF-8');
+        }
         next();
     });
 

frontend/express/libs/express-expose.js

@@ -157,7 +157,7 @@ function renderNamespace(str) {
 function renderObject(obj, namespace) {
     return Object.keys(obj).map(function(key) {
         var val = obj[key];
-        return namespace + '["' + key + '"] = ' + string(val) + ';';
+        return namespace + '["' + escape_js_string(key) + '"] = ' + string(val) + ';';
     }).join('\n');
 }
 
@@ -180,61 +180,49 @@ function string(obj) {
     }
     else if ('[object Object]' === Object.prototype.toString.call(obj)) {
         return '{' + Object.keys(obj).map(function(key) {
-            return '"' + key + '":' + string(obj[key]);
+            return '"' + escape_js_string(key) + '":' + string(obj[key]);
         }).join(', ') + '}';
     }
     else {
-        obj = escape_html(JSON.stringify(obj));
+        obj = JSON.stringify(obj);
         if (obj) {
+            // Only escape things that could break out of script context
             obj = obj.replace(/<\/script>/ig, '</scr"+"ipt>');
+            obj = obj.replace(/<!--/g, '<\\!--');
+            obj = obj.replace(/\u2028/g, '\\u2028'); // Line separator
+            obj = obj.replace(/\u2029/g, '\\u2029'); // Paragraph separator
         }
         return obj;
     }
 }
 
-var matchHtmlRegExp = /[<>]/;
-
 /**
-* Escape special characters in the given string of html.
+* Escape special characters that could break JavaScript string context
 *
-* @param  {string} str - The string to escape for inserting into HTML
+* @param  {string} str - The string to escape
 * @return {string} escaped string
 * @public
 */
-function escape_html(str) {
-    str = '' + str;
-    var match = matchHtmlRegExp.exec(str);
-
-    if (!match) {
+function escape_js_string(str) {
+    if (typeof str !== 'string') {
         return str;
     }
 
-    var escape;
-    var html = '';
-    var index = 0;
-    var lastIndex = 0;
-
-    for (index = match.index; index < str.length; index++) {
-        switch (str.charCodeAt(index)) {
-        case 60: // <
-            escape = '&lt;';
-            break;
-        case 62: // >
-            escape = '&gt;';
-            break;
-        default:
-            continue;
-        }
-
-        if (lastIndex !== index) {
-            html += str.substring(lastIndex, index);
-        }
-
-        lastIndex = index + 1;
-        html += escape;
-    }
-
-    return lastIndex !== index ? html + str.substring(lastIndex, index) : html;
+    return str
+        .replace(/\\/g, '\\\\') // Backslash
+        .replace(/"/g, '\\"') // Double quote
+        .replace(/'/g, "\\'") // Single quote
+        .replace(/`/g, '\\`') // Backtick (template literal)
+        .replace(/\$/g, '\\$') // Dollar sign (template literal)
+        .replace(/\n/g, '\\n') // Newline
+        .replace(/\r/g, '\\r') // Carriage return
+        .replace(/\t/g, '\\t') // Tab
+        .replace(/\f/g, '\\f') // Form feed
+        .replace(/\v/g, '\\v') // Vertical tab
+        .replace(/\0/g, '\\0') // Null character
+        .replace(/[\u0000-\u001F\u007F-\u009F]/g, function(ch) {
+            return '\\u' + ('0000' + ch.charCodeAt(0).toString(16)).slice(-4);
+        });
 }
 
 exports = module.exports = function(app) {

package-lock.json

@@ -59,7 +59,7 @@
     "ejs": "3.1.10",
     "errorhandler": "1.5.1",
     "express": "4.21.2",
-    "express-rate-limit": "8.2.0",
+    "express-rate-limit": "8.2.1",
     "express-session": "1.18.2",
     "form-data": "^4.0.0",
     "formidable": "2.1.3",
@@ -92,7 +92,7 @@
     "offline-geocoder": "git+https://github.com/Countly/offline-geocoder.git",
     "properties-parser": "0.6.0",
     "puppeteer": "^24.6.1",
-    "sass": "1.93.2",
+    "sass": "1.93.3",
     "semver": "^7.7.1",
     "sharp": "^0.34.2",
     "sqlite3": "^5.1.7",