Merge remote-tracking branch 'origin/master' into upadte-changelog-for-event-with-ampersand-fix

Author: gabrieloliveirapinto

.github/workflows/main.yml

@@ -278,6 +278,13 @@ jobs:
           wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb -O /tmp/chrome.deb
           apt install -y /tmp/chrome.deb
 
+      - name: Install Sharp dependencies for image processing
+        shell: bash
+        run: |
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update -y
+          apt-get install -y libvips-dev
+
       - name: Copy code
         shell: bash
         run: cp -rf ./* /opt/countly
@@ -331,6 +338,6 @@ jobs:
         working-directory: /opt/countly/ui-tests/cypress
         run: |
           ARTIFACT_ARCHIVE_NAME="$(date '+%Y%m%d-%H.%M')_${GITHUB_REPOSITORY#*/}_CI#${{ github.run_number }}_${{ matrix.test_type }}.tar.gz"
-          mkdir -p screenshots videos
-          tar zcvf "$ARTIFACT_ARCHIVE_NAME" screenshots videos
+          mkdir -p screenshots videos downloads
+          tar zcvf "$ARTIFACT_ARCHIVE_NAME" screenshots videos downloads
           curl -o /tmp/uploader.log -u "${{ secrets.BOX_UPLOAD_AUTH }}" ${{ secrets.BOX_UPLOAD_PATH }} -T "$ARTIFACT_ARCHIVE_NAME"

CHANGELOG.md

@@ -1,6 +1,11 @@
 ## Version 25.03.xx
 Fixes:
 - [push] Fixed timeout setting
+- [security] Fixed injection possibility on res.expose
+
+Enterprise Fixes:
+- [groups] Add logs for user updates
+- [surveys] Change question map log to debug log
 
 Enterprise Fixes:
 - [data-manager] Fixed bug when merging events with ampersand symbol in the name

bin/scripts/device_list/package-lock.json

@@ -438,8 +438,10 @@ Promise.all([plugins.dbConnection(countlyConfig), plugins.dbConnection("countly_
         next();
     });
 
-    app.use('*.svg', function(req, res, next) {
-        res.setHeader('Content-Type', 'image/svg+xml; charset=UTF-8');
+    app.use(function(req, res, next) {
+        if (req.path.endsWith('.svg')) {
+            res.setHeader('Content-Type', 'image/svg+xml; charset=UTF-8');
+        }
         next();
     });
 

frontend/express/app.js

@@ -157,7 +157,7 @@ function renderNamespace(str) {
 function renderObject(obj, namespace) {
     return Object.keys(obj).map(function(key) {
         var val = obj[key];
-        return namespace + '["' + key + '"] = ' + string(val) + ';';
+        return namespace + '["' + escape_js_string(key) + '"] = ' + string(val) + ';';
     }).join('\n');
 }
 
@@ -180,61 +180,49 @@ function string(obj) {
     }
     else if ('[object Object]' === Object.prototype.toString.call(obj)) {
         return '{' + Object.keys(obj).map(function(key) {
-            return '"' + key + '":' + string(obj[key]);
+            return '"' + escape_js_string(key) + '":' + string(obj[key]);
         }).join(', ') + '}';
     }
     else {
-        obj = escape_html(JSON.stringify(obj));
+        obj = JSON.stringify(obj);
         if (obj) {
+            // Only escape things that could break out of script context
             obj = obj.replace(/<\/script>/ig, '</scr"+"ipt>');
+            obj = obj.replace(/<!--/g, '<\\!--');
+            obj = obj.replace(/\u2028/g, '\\u2028'); // Line separator
+            obj = obj.replace(/\u2029/g, '\\u2029'); // Paragraph separator
         }
         return obj;
     }
 }
 
-var matchHtmlRegExp = /[<>]/;
-
 /**
-* Escape special characters in the given string of html.
+* Escape special characters that could break JavaScript string context
 *
-* @param  {string} str - The string to escape for inserting into HTML
+* @param  {string} str - The string to escape
 * @return {string} escaped string
 * @public
 */
-function escape_html(str) {
-    str = '' + str;
-    var match = matchHtmlRegExp.exec(str);
-
-    if (!match) {
+function escape_js_string(str) {
+    if (typeof str !== 'string') {
         return str;
     }
 
-    var escape;
-    var html = '';
-    var index = 0;
-    var lastIndex = 0;
-
-    for (index = match.index; index < str.length; index++) {
-        switch (str.charCodeAt(index)) {
-        case 60: // <
-            escape = '&lt;';
-            break;
-        case 62: // >
-            escape = '&gt;';
-            break;
-        default:
-            continue;
-        }
-
-        if (lastIndex !== index) {
-            html += str.substring(lastIndex, index);
-        }
-
-        lastIndex = index + 1;
-        html += escape;
-    }
-
-    return lastIndex !== index ? html + str.substring(lastIndex, index) : html;
+    return str
+        .replace(/\\/g, '\\\\') // Backslash
+        .replace(/"/g, '\\"') // Double quote
+        .replace(/'/g, "\\'") // Single quote
+        .replace(/`/g, '\\`') // Backtick (template literal)
+        .replace(/\$/g, '\\$') // Dollar sign (template literal)
+        .replace(/\n/g, '\\n') // Newline
+        .replace(/\r/g, '\\r') // Carriage return
+        .replace(/\t/g, '\\t') // Tab
+        .replace(/\f/g, '\\f') // Form feed
+        .replace(/\v/g, '\\v') // Vertical tab
+        .replace(/\0/g, '\\0') // Null character
+        .replace(/[\u0000-\u001F\u007F-\u009F]/g, function(ch) {
+            return '\\u' + ('0000' + ch.charCodeAt(0).toString(16)).slice(-4);
+        });
 }
 
 exports = module.exports = function(app) {

frontend/express/libs/express-expose.js

@@ -59,7 +59,7 @@
     "ejs": "3.1.10",
     "errorhandler": "1.5.1",
     "express": "4.21.2",
-    "express-rate-limit": "8.2.0",
+    "express-rate-limit": "8.2.1",
     "express-session": "1.18.2",
     "form-data": "^4.0.0",
     "formidable": "2.1.3",
@@ -92,7 +92,7 @@
     "offline-geocoder": "git+https://github.com/Countly/offline-geocoder.git",
     "properties-parser": "0.6.0",
     "puppeteer": "^24.6.1",
-    "sass": "1.93.2",
+    "sass": "1.93.3",
     "semver": "^7.7.1",
     "sharp": "^0.34.2",
     "sqlite3": "^5.1.7",

package-lock.json

@@ -1,5 +1,13 @@
 const { defineConfig } = require("cypress");
-const fs = require('fs');
+const fs = require("fs");
+const pdfjsLib = require("pdfjs-dist/legacy/build/pdf.js");
+const { PNG } = require("pngjs");
+const sharp = require("sharp");
+
+// Define missing DOMMatrix in Node context (for pdfjs)
+if (typeof global.DOMMatrix === "undefined") {
+    global.DOMMatrix = class DOMMatrix { };
+}
 
 module.exports = defineConfig({
     e2e: {
@@ -14,20 +22,116 @@ module.exports = defineConfig({
         watchForFileChanges: true,
         video: true,
         setupNodeEvents(on, config) {
-            on('after:spec', (spec, results) => {
-                if (results && results.video) {
-                    const failures = results.tests.some((test) =>
-                        test.attempts.some((attempt) => attempt.state === 'failed')
-                    );
-                    if (!failures) {
-                        // delete the video if the spec passed and no tests retried
-                        const videoPath = results.video;
-                        if (fs.existsSync(videoPath)) {
-                            fs.unlinkSync(videoPath);
+            // Task: verify PDF images, logo, and text content
+            on("task", {
+                async verifyPdf({ filePath, options = {} }) {
+                    // options: { referenceLogoPath: string }
+
+                    // Load PDF file
+                    const data = new Uint8Array(fs.readFileSync(filePath));
+                    const pdfDoc = await pdfjsLib.getDocument({ data }).promise;
+
+                    // Import pixelmatch only if logo check is needed
+                    let pixelmatch;
+                    const doLogoCheck = !!options.referenceLogoPath;
+                    if (doLogoCheck) {
+                        const pm = await import("pixelmatch");
+                        pixelmatch = pm.default;
+                    }
+
+                    let hasImage = false;
+                    let logoFound = false;
+                    let extractedText = ""; //store text here
+
+                    // Loop through all pages
+                    for (let p = 1; p <= pdfDoc.numPages; p++) {
+                        const page = await pdfDoc.getPage(p);
+
+                        //Extract text content from page
+                        const textContent = await page.getTextContent();
+                        const pageText = textContent.items.map((item) => item.str).join(" ");
+                        extractedText += pageText + "\n";
+
+                        //Check for image operators
+                        const ops = await page.getOperatorList();
+
+                        for (let i = 0; i < ops.fnArray.length; i++) {
+                            const fn = ops.fnArray[i];
+                            const args = ops.argsArray[i];
+
+                            if (
+                                fn === pdfjsLib.OPS.paintImageXObject ||
+                                fn === pdfjsLib.OPS.paintJpegXObject ||
+                                fn === pdfjsLib.OPS.paintInlineImageXObject
+                            ) {
+                                hasImage = true;
+
+                                if (doLogoCheck && args[0]) {
+                                    const objName = args[0];
+                                    const imgData = await page.objs.get(objName);
+                                    if (!imgData) {
+                                        continue;
+                                    }
+
+                                    const pdfImg = new PNG({ width: imgData.width, height: imgData.height });
+                                    pdfImg.data = imgData.data;
+
+                                    const pdfBuffer = PNG.sync.write(pdfImg);
+                                    const refLogo = PNG.sync.read(fs.readFileSync(options.referenceLogoPath));
+
+                                    const resizedPdfBuffer = await sharp(pdfBuffer)
+                                        .resize(refLogo.width, refLogo.height)
+                                        .png()
+                                        .toBuffer();
+
+                                    const resizedPdfImg = PNG.sync.read(resizedPdfBuffer);
+
+                                    const diff = new PNG({ width: refLogo.width, height: refLogo.height });
+                                    const mismatched = pixelmatch(
+                                        refLogo.data,
+                                        resizedPdfImg.data,
+                                        diff.data,
+                                        refLogo.width,
+                                        refLogo.height,
+                                        { threshold: 0.1 }
+                                    );
+
+                                    if (mismatched === 0) {
+                                        logoFound = true;
+                                        break;
+                                    }
+                                }
+                            }
                         }
+
+                        if ((doLogoCheck && logoFound) || (!doLogoCheck && hasImage)) {
+                            break;
+                        }
+                    }
+
+                    if (doLogoCheck && !logoFound) {
+                        throw new Error("Logo in PDF does not match reference image");
+                    }
+
+                    //Return with extracted text
+                    return {
+                        hasImage,
+                        logoFound,
+                        text: extractedText,
+                        numPages: pdfDoc.numPages
+                    };
+                },
+            });
+
+            on("after:spec", (spec, results) => {
+                if (results?.video) {
+                    const hasFailures = results.tests.some((t) => t.attempts.some((a) => a.state === "failed"));
+                    if (!hasFailures && fs.existsSync(results.video)) {
+                        fs.unlinkSync(results.video);
                     }
                 }
             });
+
             on("before:browser:launch", (browser, launchOptions) => {
                 if (["chrome", "edge", "electron"].includes(browser.name)) {
                     if (browser.isHeadless) {
@@ -42,6 +146,4 @@ module.exports = defineConfig({
             });
         },
     },
-});
-
-
+});