Merged
459 commits
c358ccc
Merge branch 'master' into fix/push-estimate-app-binding
ar2rsawseen Jun 8, 2026
73ce524
Merge pull request #7679 from Countly/fix/push-estimate-app-binding
ar2rsawseen Jun 8, 2026
871b7fb
Merge branch 'master' into fix/dbviewer-event-scope
ar2rsawseen Jun 8, 2026
6d6a365
docs: add hooks custom-code effects to bounty exclusions
ar2rsawseen Jun 8, 2026
9d96c6c
Merge pull request #7676 from Countly/fix/dbviewer-event-scope
ar2rsawseen Jun 8, 2026
062d451
docs: exclude non-default-enabled plugins from bounty scope
ar2rsawseen Jun 8, 2026
7b6cd5a
docs: let non-default plugins fall under the general exclusion clause
ar2rsawseen Jun 8, 2026
95e680a
docs: backtick isolated-vm and capitalize Hooks in exclusion 9
ar2rsawseen Jun 8, 2026
2c25f89
Merge branch 'master' into docs/exclude-hooks-custom-code
ar2rsawseen Jun 8, 2026
e795f64
Merge pull request #7684 from Countly/docs/exclude-hooks-custom-code
ar2rsawseen Jun 8, 2026
2ebbac8
dbviewer: validate aggregation stages at every depth
ar2rsawseen Jun 8, 2026
afc3851
dbviewer: make nested-pipeline sanitization structural, not $facet-sp…
ar2rsawseen Jun 8, 2026
def5c76
dbviewer: block aggregation joins into redacted collections (incl. fo…
ar2rsawseen Jun 8, 2026
26d37be
dbviewer: harden query handling (projection, search term, document sc…
ar2rsawseen Jun 8, 2026
5ebf1d5
dbviewer: place sensitive-collection redaction as the first aggregati…
ar2rsawseen Jun 8, 2026
2be8371
dbviewer: require explicit true in aggregation allow/deny lookups
ar2rsawseen Jun 8, 2026
ed4bd9b
Merge branch 'fix/dbviewer-recursive-agg-guard' into fix/dbviewer-que…
ar2rsawseen Jun 8, 2026
5d8cadd
dbviewer: require explicit true in write-stage lookup too
ar2rsawseen Jun 8, 2026
e7e7b9d
dbviewer: normalize projection to object and restrict values to stric…
ar2rsawseen Jun 8, 2026
7a077b6
dbviewer: block server-side-JS operators in aggregation expressions
ar2rsawseen Jun 8, 2026
ca5ef92
dbviewer: cap result size and stop echoing raw db errors
ar2rsawseen Jun 8, 2026
a7b7726
build(deps): Bump semver from 7.8.2 to 7.8.3
dependabot[bot] Jun 9, 2026
7d2c71d
build(deps): Bump rate-limiter-flexible from 11.1.0 to 11.2.0
dependabot[bot] Jun 9, 2026
b4c81bd
dbviewer: detect protected-collection joins by full deep-walk
ar2rsawseen Jun 9, 2026
7d60b84
Merge branch 'fix/dbviewer-recursive-agg-guard' into fix/dbviewer-que…
ar2rsawseen Jun 9, 2026
5593ae1
dbviewer: detect write stages by full deep-walk too
ar2rsawseen Jun 9, 2026
9d97a16
dbviewer: sanitize nested sub-pipelines structurally, not by $facet name
ar2rsawseen Jun 9, 2026
a7237e4
Merge branch 'master' into claude/funny-thompson-UqmzW
coskunaydinoglu Jun 9, 2026
74f1216
Merge pull request #7689 from Countly/dependabot/npm_and_yarn/rate-li…
ar2rsawseen Jun 9, 2026
ceed46c
Merge branch 'master' into dependabot/npm_and_yarn/semver-7.8.3
ar2rsawseen Jun 9, 2026
85a7823
Merge branch 'master' into fix/dbviewer-query-hardening
ar2rsawseen Jun 9, 2026
ffa7fa6
Merge pull request #7688 from Countly/dependabot/npm_and_yarn/semver-…
ar2rsawseen Jun 9, 2026
2584252
Merge branch 'master' into fix/dbviewer-query-hardening
ar2rsawseen Jun 9, 2026
5b55cb1
Stabilize onboarding populator wait in Cypress flow
Copilot Jun 9, 2026
97d8207
Merge branch 'master' into claude/funny-thompson-UqmzW
can-angun Jun 9, 2026
8058f04
dbviewer: unify aggregation guard into one role-parameterized routine
ar2rsawseen Jun 9, 2026
e1943e8
Merge pull request #7686 from Countly/fix/dbviewer-query-hardening
ar2rsawseen Jun 9, 2026
981d2d1
dbviewer: block cross-db $lookup form in protected-join guard
ar2rsawseen Jun 9, 2026
1c03cc2
dbviewer: return 400 for non-array aggregation; add $graphLookup cros…
ar2rsawseen Jun 9, 2026
3e73bd7
Merge pull request #7692 from Countly/fix/dbviewer-crossdb-lookup
ar2rsawseen Jun 9, 2026
d3d0305
Merge branch 'master' into claude/funny-thompson-UqmzW
coskunaydinoglu Jun 9, 2026
ee5df09
Merge pull request #7669 from Countly/claude/funny-thompson-UqmzW
coskunaydinoglu Jun 9, 2026
e10933c
reject unsafe mongo query operators
ar2rsawseen Jun 9, 2026
e374b6d
Merge pull request #7694 from Countly/fix/reject-unsafe-query-operators
ar2rsawseen Jun 9, 2026
3a0ca6f
Update CHANGELOG.md
coskunaydinoglu Jun 8, 2026
07f4d16
Merge pull request #7675 from Countly/SER-2895-make-journey-result-av…
Cookiezaurs Jun 9, 2026
3824d95
reject unsafe mongo query operators
ar2rsawseen Jun 9, 2026
0d3d9b1
Merge branch 'master' into fix/reject-unsafe-query-operators
ar2rsawseen Jun 9, 2026
cfda12c
docs: use a named/defined variable in the findUnsafeMongoOperator exa…
ar2rsawseen Jun 9, 2026
3831d2b
address review: confirm_delete_all must be explicit true; map too-dee…
ar2rsawseen Jun 9, 2026
d4d7402
build(deps-dev): Bump cypress from 15.16.0 to 15.17.0 in /ui-tests
dependabot[bot] Jun 10, 2026
1d39bf0
build(deps): Bump semver from 7.8.3 to 7.8.4
dependabot[bot] Jun 10, 2026
697f2fe
Merge pull request #7695 from Countly/fix/reject-unsafe-query-operators
ar2rsawseen Jun 10, 2026
0c5ea79
fix(db): preserve operation context and honor ignore_errors on upsert…
ar2rsawseen Jun 10, 2026
13838d7
Merge pull request #7701 from Countly/fix/db-retry-ignore-errors
ar2rsawseen Jun 10, 2026
de6800c
Merge branch 'master' into dependabot/npm_and_yarn/semver-7.8.4
ar2rsawseen Jun 10, 2026
258ae3b
Merge pull request #7700 from Countly/dependabot/npm_and_yarn/semver-…
ar2rsawseen Jun 10, 2026
496e517
reject unsafe operators on /o/slipping
ar2rsawseen Jun 10, 2026
648d28f
slipping: return true on the reject path so the route is marked handled
ar2rsawseen Jun 10, 2026
ad96141
reject unsafe operators on /o/tasks all/count/list
ar2rsawseen Jun 10, 2026
b79cd72
Merge pull request #7702 from Countly/followup/reject-unsafe-slipping
ar2rsawseen Jun 10, 2026
da7f7ea
Validate user queries on remaining read/write endpoints
ar2rsawseen Jun 10, 2026
05ff271
build(deps): Bump nodemailer from 8.0.10 to 8.0.11
dependabot[bot] Jun 11, 2026
301d760
Add happy-path api tests for query-validated endpoints
ar2rsawseen Jun 11, 2026
95ab668
Address review comments
ar2rsawseen Jun 11, 2026
505cdf0
Drop unstable core api tests
ar2rsawseen Jun 11, 2026
0bcc85a
Re-add app_users write tests against a dedicated app
ar2rsawseen Jun 11, 2026
e623e1a
Re-add all_apps happy-path test with required app_id
ar2rsawseen Jun 11, 2026
e3d63db
Merge branch 'master' into followup/reject-unsafe-slipping
ar2rsawseen Jun 11, 2026
f64ff17
Fix app_users update test to use a $set modifier
ar2rsawseen Jun 11, 2026
4e51bb3
Merge pull request #7705 from Countly/followup/reject-unsafe-slipping
ar2rsawseen Jun 11, 2026
9e13b20
Merge branch 'master' into dependabot/npm_and_yarn/ui-tests/cypress-1…
ar2rsawseen Jun 11, 2026
d032a20
Merge pull request #7699 from Countly/dependabot/npm_and_yarn/ui-test…
ar2rsawseen Jun 11, 2026
40b2363
build(deps-dev): Bump sharp from 0.34.5 to 0.35.0 in /ui-tests
dependabot[bot] Jun 11, 2026
5127064
Merge branch 'master' into dependabot/npm_and_yarn/nodemailer-8.0.11
ar2rsawseen Jun 11, 2026
9865a88
Merge pull request #7706 from Countly/dependabot/npm_and_yarn/nodemai…
ar2rsawseen Jun 11, 2026
a7eef47
Merge branch 'master' into dependabot/npm_and_yarn/ui-tests/sharp-0.35.0
ar2rsawseen Jun 11, 2026
9c16d3f
build(deps): Bump sharp from 0.34.5 to 0.35.0
dependabot[bot] Jun 11, 2026
5146925
Merge pull request #7707 from Countly/dependabot/npm_and_yarn/ui-test…
ar2rsawseen Jun 11, 2026
0affa23
Merge branch 'master' into dependabot/npm_and_yarn/sharp-0.35.0
ar2rsawseen Jun 11, 2026
29222f2
Merge pull request #7708 from Countly/dependabot/npm_and_yarn/sharp-0…
ar2rsawseen Jun 11, 2026
b67ba50
docs: exclude additional instances of a vulnerability class already u…
ar2rsawseen Jun 11, 2026
1837c9f
Merge pull request #7709 from Countly/docs/exclude-wip-remediation-in…
ar2rsawseen Jun 11, 2026
9952ace
build(deps-dev): Bump sharp from 0.35.0 to 0.35.1 in /ui-tests
dependabot[bot] Jun 12, 2026
ce34991
build(deps): Bump sharp from 0.35.0 to 0.35.1
dependabot[bot] Jun 12, 2026
081a632
build(deps): Bump sass from 1.100.0 to 1.101.0
dependabot[bot] Jun 12, 2026
a92f9e5
Add script to backfill 'cd' field in eventTimes collections
ar2rsawseen Jun 12, 2026
f155990
fix: declare mongosh globals for ESLint in backfill script
ar2rsawseen Jun 12, 2026
436d6e0
Merge pull request #7715 from Countly/ar2rsawseen-patch-71
ar2rsawseen Jun 12, 2026
cb58aaf
Delete SECURITY_REVIEW_Fortify_2026-06-02.md
ar2rsawseen Jun 12, 2026
70551a8
Merge pull request #7717 from Countly/ar2rsawseen-patch-72
ar2rsawseen Jun 12, 2026
f8a4fc6
Update user property deletion to handle multiple properties
Cookiezaurs Jun 8, 2026
e6baab4
Fix formatting and add newline at end of delete_user_properties.js
Cookiezaurs Jun 8, 2026
1110323
Merge pull request #7680 from Countly/Cookiezaurs-patch-3
Cookiezaurs Jun 12, 2026
126185c
Add property values limit labels to localization
Cookiezaurs Jun 12, 2026
2f0ec49
Merge pull request #7716 from Countly/Cookiezaurs-patch-5
Cookiezaurs Jun 12, 2026
c4d20dd
Update CHANGELOG for version 25.03.47
Cookiezaurs Jun 12, 2026
c3fd0cb
Merge branch 'master' into dependabot/npm_and_yarn/ui-tests/sharp-0.35.1
ar2rsawseen Jun 12, 2026
d540260
Merge pull request #7719 from Countly/Cookiezaurs-patch-6
Cookiezaurs Jun 12, 2026
f9f4d0c
Merge branch 'master' into dependabot/npm_and_yarn/ui-tests/sharp-0.35.1
ar2rsawseen Jun 12, 2026
923883c
Merge pull request #7712 from Countly/dependabot/npm_and_yarn/ui-test…
ar2rsawseen Jun 12, 2026
edd073e
Merge branch 'master' into dependabot/npm_and_yarn/sharp-0.35.1
ar2rsawseen Jun 12, 2026
9fff7e9
Merge pull request #7713 from Countly/dependabot/npm_and_yarn/sharp-0…
ar2rsawseen Jun 12, 2026
bdbe87e
Merge branch 'master' into dependabot/npm_and_yarn/sass-1.101.0
ar2rsawseen Jun 12, 2026
6080fad
Merge pull request #7714 from Countly/dependabot/npm_and_yarn/sass-1.…
ar2rsawseen Jun 12, 2026
bd1d6d5
build(deps): Bump form-data from 4.0.5 to 4.0.6
dependabot[bot] Jun 15, 2026
59e4ec2
hooks: scope global internal events to global-admin hooks; redact mem…
ar2rsawseen Jun 15, 2026
3c6c340
hooks: cache owner lookups, richer log, redact creds on user update/d…
ar2rsawseen Jun 15, 2026
53fefed
hooks: forbid non-global-admins from creating/updating global-event h…
ar2rsawseen Jun 15, 2026
575be7d
Updated the verification for countries page
savascountly Jun 15, 2026
e35e394
fix(ingestion): resolve SDK app by two indexed lookups, not $or
ar2rsawseen Jun 15, 2026
edc2ed6
exports: align /o/export/db with DB Viewer field handling
ar2rsawseen Jun 15, 2026
9b25000
Merge pull request #7720 from Countly/dependabot/npm_and_yarn/form-da…
ar2rsawseen Jun 15, 2026
9a354df
build(deps): Bump nodemailer from 8.0.11 to 9.0.0
dependabot[bot] Jun 15, 2026
6b72286
frontend: build export download view via DOM APIs
ar2rsawseen Jun 15, 2026
c3ef303
Merge branch 'master' into fix/hooks-internal-event-global-scope
ar2rsawseen Jun 15, 2026
408dde5
fix(dbviewer): don't double the app_viewdata prefix for unmapped view…
ar2rsawseen Jun 15, 2026
b729397
Merge pull request #7723 from Countly/fix/hooks-internal-event-global…
ar2rsawseen Jun 15, 2026
de27dce
Merge branch 'master' into fix/dbviewer-viewdata-pretty-name
ar2rsawseen Jun 15, 2026
d0f581e
frontend: set download path per route, drop unreachable branch
ar2rsawseen Jun 15, 2026
2b16a08
exports: coerce collection to string, align denied status, clarify co…
ar2rsawseen Jun 15, 2026
f06816f
Merge pull request #7732 from Countly/fix/dbviewer-viewdata-pretty-name
ar2rsawseen Jun 15, 2026
bc00da0
Merge branch 'master' into fix/ingestion-app-lookup-collscan
ar2rsawseen Jun 15, 2026
09d6ddd
Merge pull request #7724 from Countly/fix/ingestion-app-lookup-collscan
ar2rsawseen Jun 15, 2026
db71657
Merge branch 'master' into refactor/db-export-field-handling
ar2rsawseen Jun 15, 2026
050ec55
compare: scope /o/compare/apps to per-app compare permission
ar2rsawseen Jun 15, 2026
633492b
Merge pull request #7727 from Countly/refactor/db-export-field-handling
ar2rsawseen Jun 15, 2026
9742e4d
Merge branch 'master' into refactor/download-view-rendering
ar2rsawseen Jun 15, 2026
2402456
security(push): bump @grpc/grpc-js 1.11.1 -> 1.11.4
ar2rsawseen Jun 15, 2026
ef3ce01
Merge pull request #7730 from Countly/refactor/download-view-rendering
ar2rsawseen Jun 15, 2026
a176705
Merge branch 'master' into fix/grpc-js-dos-CVE
ar2rsawseen Jun 15, 2026
0ac6b12
Merge branch 'master' into dependabot/npm_and_yarn/nodemailer-9.0.0
ar2rsawseen Jun 15, 2026
49f319f
Merge pull request #7722 from Countly/dependabot/npm_and_yarn/nodemai…
ar2rsawseen Jun 15, 2026
ce55252
scope multi-app and feature endpoints to per-app permission
ar2rsawseen Jun 15, 2026
e358fb5
hooks: validate target apps on /i/hook/test
ar2rsawseen Jun 15, 2026
32419f4
Merge branch 'master' into fix/grpc-js-dos-CVE
ar2rsawseen Jun 15, 2026
affd47d
compare: add per-app permission regression test for /o/compare/apps
ar2rsawseen Jun 15, 2026
5cb2f47
Merge pull request #7736 from Countly/fix/grpc-js-dos-CVE
ar2rsawseen Jun 15, 2026
7490043
address review feedback on multi-app permission scoping
ar2rsawseen Jun 15, 2026
14f53a0
Merge branch 'master' into refactor/compare-apps-permission-scope
ar2rsawseen Jun 15, 2026
45918c8
server-stats: de-duplicate the per-member allowed app list
ar2rsawseen Jun 15, 2026
d8008fe
Merge pull request #7734 from Countly/refactor/compare-apps-permissio…
ar2rsawseen Jun 15, 2026
a95a47f
Merge branch 'master' into refactor/multi-app-permission-scope
ar2rsawseen Jun 15, 2026
3166cf1
docs: clarify XSS reporting requirement in security policy
ar2rsawseen Jun 15, 2026
103e4a5
Merge pull request #7737 from Countly/refactor/multi-app-permission-s…
ar2rsawseen Jun 15, 2026
21c3239
docs: lead XSS exclusion with the out-of-scope condition
ar2rsawseen Jun 15, 2026
47f5049
Merge branch 'master' into docs/security-policy-xss
ar2rsawseen Jun 15, 2026
3867584
Merge pull request #7739 from Countly/docs/security-policy-xss
ar2rsawseen Jun 15, 2026
b4d2921
tests: cover the endpoints touched by per-app permission scoping
ar2rsawseen Jun 15, 2026
2a5661f
tests: assert /o/export/db rejects session store and system index col…
ar2rsawseen Jun 15, 2026
19663fe
Merge branch 'master' into refactor/db-export-field-handling
ar2rsawseen Jun 15, 2026
c96e4b2
fix(push,consolidate): scope operations to the request app
ar2rsawseen Jun 15, 2026
47b6a23
Merge pull request #7744 from Countly/fix/push-consolidate-cross-app-…
ar2rsawseen Jun 15, 2026
7906cc4
Merge branch 'master' into refactor/multi-app-permission-scope
ar2rsawseen Jun 15, 2026
605d39d
tests: assert error body on /o/export/db collection-restriction tests
ar2rsawseen Jun 15, 2026
d682b4e
Merge pull request #7743 from Countly/refactor/multi-app-permission-s…
ar2rsawseen Jun 15, 2026
0bb1cea
Merge branch 'master' into refactor/db-export-field-handling
ar2rsawseen Jun 15, 2026
6f10fc4
Merge pull request #7742 from Countly/refactor/db-export-field-handling
ar2rsawseen Jun 15, 2026
6f233b7
Commented the push verification
savascountly Jun 16, 2026
f71edd9
Commented the push verification
savascountly Jun 16, 2026
fdca9cf
Merge branch 'master' into QT-426
savascountly Jun 16, 2026
7ca5a78
Removed the spaces
savascountly Jun 16, 2026
45cc709
Added the space
savascountly Jun 16, 2026
fcd2720
Merge pull request #7726 from Countly/QT-426
can-angun Jun 16, 2026
b89e914
Fix sensitive params leak in returnRaw error log
coskunaydinoglu Jun 16, 2026
13c4513
Fixed the push verification
savascountly Jun 16, 2026
1c3d758
Updated the code
savascountly Jun 16, 2026
d8bcb65
Merge branch 'master' into security/returnraw-params-log-leak
coskunaydinoglu Jun 16, 2026
39682a6
Added only for the onboarding case
savascountly Jun 16, 2026
72e6cf3
[populator] updated the media urls to pass ssrf protection
Jun 16, 2026
e3b6cc0
Uncomment push notifications navigation and verification
savascountly Jun 16, 2026
24c7e70
Fix formatting in onboarding test navigation
savascountly Jun 17, 2026
7f2ee18
Merge pull request #7750 from Countly/push-populator-data-fix
can-angun Jun 17, 2026
78c07d2
Merge branch 'master' into QT-427
savascountly Jun 17, 2026
dea5b9c
Fix verification of full data page elements
savascountly Jun 17, 2026
de9abc1
Merge pull request #7749 from Countly/QT-427
can-angun Jun 17, 2026
f1d4f8e
Merge branch 'master' into security/returnraw-params-log-leak
mrmeghana Jun 17, 2026
f406bef
Merge pull request #7748 from Countly/security/returnraw-params-log-leak
coskunaydinoglu Jun 17, 2026
d75d3f4
build(deps): Bump @faker-js/faker from 10.4.0 to 10.5.0 in /ui-tests
dependabot[bot] Jun 18, 2026
a3d69b1
build(deps): Bump geoip-lite from 2.0.2 to 2.0.3
dependabot[bot] Jun 18, 2026
f0d586c
Merge pull request #7753 from Countly/dependabot/npm_and_yarn/geoip-l…
ar2rsawseen Jun 18, 2026
704b332
Merge branch 'master' into dependabot/npm_and_yarn/ui-tests/faker-js/…
ar2rsawseen Jun 18, 2026
e9f5335
build(deps-dev): Bump js-yaml in /api/utils/countly-request
dependabot[bot] Jun 18, 2026
8092124
build(deps): Bump form-data from 2.5.5 to 2.5.6 in /plugins/push
dependabot[bot] Jun 18, 2026
60bc199
build(deps): Bump form-data from 4.0.5 to 4.0.6 in /plugins/hooks
dependabot[bot] Jun 18, 2026
dd8a885
build(deps): Bump body-parser from 2.2.2 to 2.3.0
dependabot[bot] Jun 18, 2026
06a79e1
build(deps): Bump nodemailer from 9.0.0 to 9.0.1
dependabot[bot] Jun 18, 2026
54e2fcd
Merge pull request #7751 from Countly/dependabot/npm_and_yarn/ui-test…
ar2rsawseen Jun 18, 2026
4a93a8e
Merge branch 'master' into dependabot/npm_and_yarn/nodemailer-9.0.1
ar2rsawseen Jun 18, 2026
48bfd8e
build(deps): Bump form-data from 4.0.5 to 4.0.6 in /ui-tests
dependabot[bot] Jun 18, 2026
a023cd0
Merge pull request #7752 from Countly/dependabot/npm_and_yarn/nodemai…
ar2rsawseen Jun 18, 2026
6aad354
Merge branch 'master' into dependabot/npm_and_yarn/body-parser-2.3.0
ar2rsawseen Jun 18, 2026
8e9994a
Merge pull request #7746 from Countly/dependabot/npm_and_yarn/body-pa…
ar2rsawseen Jun 18, 2026
31b1f16
build(deps): Bump ws from 8.20.1 to 8.21.0
dependabot[bot] Jun 18, 2026
9025174
Merge branch 'master' into dependabot/npm_and_yarn/api/utils/countly-…
ar2rsawseen Jun 18, 2026
921472b
Merge pull request #7754 from Countly/dependabot/npm_and_yarn/api/uti…
ar2rsawseen Jun 18, 2026
146ba68
Merge branch 'master' into dependabot/npm_and_yarn/ui-tests/form-data…
ar2rsawseen Jun 18, 2026
574a1ed
Merge pull request #7755 from Countly/dependabot/npm_and_yarn/ui-test…
ar2rsawseen Jun 18, 2026
0f54f7b
Merge branch 'master' into dependabot/npm_and_yarn/plugins/push/form-…
ar2rsawseen Jun 18, 2026
269b86d
Merge pull request #7756 from Countly/dependabot/npm_and_yarn/plugins…
ar2rsawseen Jun 18, 2026
c04487f
Merge branch 'master' into dependabot/npm_and_yarn/plugins/hooks/form…
ar2rsawseen Jun 18, 2026
3abab65
Merge pull request #7757 from Countly/dependabot/npm_and_yarn/plugins…
ar2rsawseen Jun 18, 2026
1a13c86
Merge branch 'master' into dependabot/npm_and_yarn/ws-8.21.0
ar2rsawseen Jun 18, 2026
4df8546
Merge pull request #7758 from Countly/dependabot/npm_and_yarn/ws-8.21.0
ar2rsawseen Jun 18, 2026
b0d9770
Update CHANGELOG.md
coskunaydinoglu Jun 19, 2026
000d2f0
Merge pull request #7759 from Countly/journey-engine/updage-changelog…
coskunaydinoglu Jun 19, 2026
0546b96
test(views): reproduce weekly-unique over-count for repeat same-week …
ar2rsawseen Jun 19, 2026
85fcaff
fix(views): stop over-counting weekly unique for repeat same-week views
ar2rsawseen Jun 19, 2026
9f1352f
test(views): relocate weekly-unique test into tests/ dir and url-enco…
ar2rsawseen Jun 19, 2026
2a07cee
test(views): add relocated weekly-unique test + wire into tests/index.js
ar2rsawseen Jun 19, 2026
308bc92
Merge branch 'master' into test/views-weekly-unique-overcount
ar2rsawseen Jun 19, 2026
bd2b391
Merge pull request #7761 from Countly/test/views-weekly-unique-overcount
ar2rsawseen Jun 19, 2026
f845ac1
build(deps): Bump semver from 7.8.4 to 7.8.5
dependabot[bot] Jun 22, 2026
c5146a6
build(deps-dev): Bump lint-staged from 17.0.7 to 17.0.8
dependabot[bot] Jun 22, 2026
daf779e
build(deps): Bump actions/checkout from 6 to 7 in the actions group
dependabot[bot] Jun 22, 2026
ac83f4f
Update CHANGELOG.md
Cookiezaurs Jun 22, 2026
89868e7
Merge pull request #7768 from Countly/Cookiezaurs-patch-7
Cookiezaurs Jun 22, 2026
da1c970
fix(core): don't show no-access / initial-setup page to users who hav…
davidecavaliere Jun 22, 2026
5ad0042
Merge branch 'master' into fix/no-access-stale-route
davidecavaliere Jun 22, 2026
fcd53d3
Merge pull request #7769 from Countly/fix/no-access-stale-route
davidecavaliere Jun 23, 2026
f264706
Update CHANGELOG for version 25.03.48
coskunaydinoglu Jun 23, 2026
33c6ea1
Merge pull request #7771 from Countly/coskunaydinoglu-patch-13
coskunaydinoglu Jun 23, 2026
48beb9b
build(deps-dev): Bump cypress from 15.17.0 to 15.18.0 in /ui-tests
dependabot[bot] Jun 24, 2026
10c0315
Merge pull request #7772 from Countly/dependabot/npm_and_yarn/ui-test…
ar2rsawseen Jun 26, 2026
467be7c
Merge branch 'master' into dependabot/github_actions/actions-640176b5ab
ar2rsawseen Jun 26, 2026
1ebaeaa
build(deps-dev): Bump sharp from 0.35.1 to 0.35.2 in /ui-tests
dependabot[bot] Jun 26, 2026
2f34e06
Merge pull request #7767 from Countly/dependabot/github_actions/actio…
ar2rsawseen Jun 26, 2026
d12e1f2
Merge branch 'master' into dependabot/npm_and_yarn/lint-staged-17.0.8
ar2rsawseen Jun 26, 2026
eb80cd5
Merge pull request #7766 from Countly/dependabot/npm_and_yarn/lint-st…
ar2rsawseen Jun 26, 2026
8a9edb5
Merge branch 'master' into dependabot/npm_and_yarn/semver-7.8.5
ar2rsawseen Jun 26, 2026
d5a88c2
Merge pull request #7765 from Countly/dependabot/npm_and_yarn/semver-…
ar2rsawseen Jun 26, 2026
7ef6769
Merge branch 'master' into dependabot/npm_and_yarn/ui-tests/sharp-0.35.2
ar2rsawseen Jun 26, 2026
4799671
build(deps): Bump sharp from 0.35.1 to 0.35.2
dependabot[bot] Jun 26, 2026
a89ef95
Merge pull request #7764 from Countly/dependabot/npm_and_yarn/ui-test…
ar2rsawseen Jun 26, 2026
105a7da
Merge branch 'master' into dependabot/npm_and_yarn/sharp-0.35.2
ar2rsawseen Jun 26, 2026
b789739
Merge pull request #7763 from Countly/dependabot/npm_and_yarn/sharp-0…
ar2rsawseen Jun 26, 2026
20bfb1a
chore(push): override protobufjs to ^7.6.4 to fix Dependabot alerts
ar2rsawseen Jun 26, 2026
229afc4
Merge branch 'master' into chore/dependabot-protobufjs-override
ar2rsawseen Jun 26, 2026
dfc8de2
Merge pull request #7778 from Countly/chore/dependabot-protobufjs-ove…
ar2rsawseen Jun 26, 2026
ceac20a
[views] Refresh drawer on app change
Jun 29, 2026
3d8d19f
Merge pull request #7782 from Countly/anna/master
Cookiezaurs Jun 29, 2026
442036e
Update CHANGELOG.md
Cookiezaurs Jun 29, 2026
054f713
docs(changelog): note journey_engine incoming-data double-entry fix
coskunaydinoglu Jun 29, 2026
0e2b10d
docs(changelog): note journey_engine E2E trigger test suite
coskunaydinoglu Jun 29, 2026
5e1d6c8
docs(changelog): move journey_engine test-suite note under Enterprise…
coskunaydinoglu Jun 29, 2026
a1f137d
Merge pull request #7783 from Countly/Cookiezaurs-patch-8
Cookiezaurs Jun 30, 2026
62f0d05
Merge branch 'master' into claude/journey-engine-double-entry-changelog
coskunaydinoglu Jul 2, 2026
38d2e75
Merge pull request #7784 from Countly/claude/journey-engine-double-en…
coskunaydinoglu Jul 2, 2026
56f21b5
journey engine user merge changelog updates
coskunaydinoglu Jul 2, 2026
03ebeb3
Merge pull request #7790 from Countly/journey-engine-user-merge-chang…
coskunaydinoglu Jul 2, 2026
2 changes: 1 addition & 1 deletion .github/workflows/codeql-analysis.yml
@@ -37,7 +37,7 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@v7

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
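Review bot: `actions/checkout@v7` is still referenced by a mutable major tag, whereas the Docker actions touched by this same PR (`docker/login-action@650006c…`, `docker/build-push-action@f9f3042…`) are pinned to full commit SHAs. A tag can be moved after the fact, so for consistent supply-chain hardening across the workflows consider pinning checkout to the full SHA of the v7 release with a trailing `# v7.x.y` comment, which keeps the reference immutable while still letting Dependabot track updates.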
8 changes: 4 additions & 4 deletions .github/workflows/deploy.yml
@@ -19,7 +19,7 @@ jobs:

steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v6
- uses: actions/checkout@v7

- name: Enable command line
shell: bash
@@ -45,16 +45,16 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out the repo
uses: actions/checkout@v6
uses: actions/checkout@v7

- name: Log in to Docker Hub
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Build and push Docker image
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf
with:
push: true
file: ./Dockerfile-core
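Review bot: the bumped SHAs on `docker/login-action` and `docker/build-push-action` carry no version comment, so nothing in the diff tells a reviewer which release each hash corresponds to or lets them verify it against the upstream tag. Append `# vX.Y.Z` after each pinned SHA (e.g. `uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # <release tag>`); the same replacement is repeated five times in `docker-image.yml` and should get the comment there too.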
24 changes: 12 additions & 12 deletions .github/workflows/docker-image.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out the repo
uses: actions/checkout@v6
uses: actions/checkout@v7

- name: Set output
id: vars
@@ -26,13 +26,13 @@ jobs:
echo ${{ steps.vars.outputs.tag }}

- name: Log in to Docker Hub
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Build and push Docker image
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf
with:
context: .
push: true
@@ -43,7 +43,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out the repo
uses: actions/checkout@v6
uses: actions/checkout@v7

- name: Set output
id: vars
@@ -57,13 +57,13 @@ jobs:
echo ${{ steps.vars.outputs.tag }}

- name: Log in to Docker Hub
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Build and push Docker image
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf
with:
push: true
file: ./Dockerfile-api
@@ -74,7 +74,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out the repo
uses: actions/checkout@v6
uses: actions/checkout@v7

- name: Set output
id: vars
@@ -88,13 +88,13 @@ jobs:
echo ${{ steps.vars.outputs.tag }}

- name: Log in to Docker Hub
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Build and push Docker image
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf
with:
push: true
file: ./Dockerfile-frontend
@@ -105,7 +105,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out the repo
uses: actions/checkout@v6
uses: actions/checkout@v7

- name: Set output
id: vars
@@ -119,13 +119,13 @@ jobs:
echo ${{ steps.vars.outputs.tag }}

- name: Log in to Docker Hub
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Build and push Docker image
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf
with:
push: true
file: ./Dockerfile-core
10 changes: 5 additions & 5 deletions .github/workflows/main.yml
@@ -26,7 +26,7 @@ jobs:
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v6
- uses: actions/checkout@v7

- name: Copy code
shell: bash
@@ -96,7 +96,7 @@ jobs:
COUNTLY_CONFIG_API_PREVENT_JOBS: true

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7

- name: Copy code
shell: bash
@@ -157,7 +157,7 @@ jobs:
COUNTLY_CONFIG_API_PREVENT_JOBS: true

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7

- name: Prepare tests
shell: bash
@@ -209,7 +209,7 @@ jobs:
COUNTLY_CONFIG_API_PREVENT_JOBS: true

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7

- name: Copy code
shell: bash
@@ -273,7 +273,7 @@ jobs:
COUNTLY_CONFIG_API_PREVENT_JOBS: true

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7

- name: Install Chrome
shell: bash
2 changes: 1 addition & 1 deletion .github/workflows/stable-je-deploy.yml
@@ -19,7 +19,7 @@ jobs:

steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v6
- uses: actions/checkout@v7

- name: Deploy server
shell: bash
35 changes: 35 additions & 0 deletions CHANGELOG.md
@@ -1,4 +1,39 @@
## Version 25.03.XX
Fixes:
- [journey_engine] Added user merge handling: running journeys are remapped to the surviving user, keeping the furthest-progressed instance and stopping duplicates
- [views] Refresh drawer on app change


## Version 25.03.48
Fixes:
- [core] Don't show the "no access" or initial-setup page to users who already have app access — redirect them to their default app instead

Enterprise Fixes:
- [journey_engine] Avoid throwing on duplicate events and prevent overwriting existing event map entries during event creation
- [journey_engine] Fixed incoming-data journeys double-entering a user when a single request carried multiple events (e.g. a custom event together with begin_session's session event)

Enterprise Features:
- [block] Allow using regex for event filter
- [journey_engine] Added an end-to-end API test suite covering every trigger type (event/session/crash incoming-data, profile-update, journey-exit, profile-group entry/exit) that delivers in-app content through the queue

## Version 25.03.47
Fixes:
- [content] Bugfixes for content showing
- [core] Improved validation for user passed queries.
- [journey_engine] resut tab made available for running journeys

Enterprise Features:
-[data-manager] Improved user propertly value table to allow filtering all values.

## Version 25.03.46
Fixes:
- Overall security Fixes
- Ensuring Countly working from a network subdirectory

Enterprise Features:
- [active_directory] Journey approver group added
- [ldap] Journey approver group added

## Version 25.03.45
Fixes:
- [core] Accept numeric color in saveNote schema so graph note create/edit no longer fails validation
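Review bot: several of the added lines carry typos that will ship in the release notes: `resut tab` should read `result tab`, `propertly` should read `property`, and `-[data-manager]` is missing the space after the dash that every other bullet has; `Overall security Fixes` also has stray capitalisation. The `## Version 25.03.XX` placeholder at the top needs its number filled in before the release is tagged, otherwise the changelog references a version that does not exist.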
21 changes: 21 additions & 0 deletions CLAUDE.md
@@ -50,6 +50,27 @@ countly shellcheck # Validate shell scripts

5. **Never use v-html with user data** in Vue templates.

6. **Validate user-supplied Mongo queries — reject, never strip**. Any query/filter that comes from a request and reaches `find`/`aggregate`/`update`/`delete` must be checked with the `common` helpers at the endpoint where it is first parsed (NOT inside deep helpers or the `/drill/preprocess_query` hook). The query is run exactly as submitted or the request is rejected with `400` — it is never modified.
```javascript
// raw query STRING from a request param → parse + validate in one step
var parsed = common.parseUserQuery(params.qstring.query); // accepts string OR object
if (parsed.error) {
log.d("Rejected user query" + common.reqInfo(params) + ": " + parsed.error);
return common.returnMessage(params, 400, parsed.error);
}
var query = parsed.query; // safe to run as-is

// ALREADY-parsed object — e.g. dbviewer parses with EJSON, or the query is
// nested in a larger saved payload. Validate that parsed object directly:
var parsedQuery = EJSON.parse(params.qstring.filter); // example: already parsed (EJSON / stored doc)
var badOp = common.findUnsafeMongoOperator(parsedQuery);
if (badOp) {
log.d("Rejected user query" + common.reqInfo(params) + ": Query contains disallowed operator: " + badOp);
return common.returnMessage(params, 400, "Query contains disallowed operator: " + badOp);
}
```
`$expr` is allowed; `$where`/`$function`/`$accumulator` are rejected at any depth (including nested inside `$expr`). Log the rejection at the call site using the file's `log` and `common.reqInfo(params)` (which adds the endpoint path/method, without the api_key). Do NOT pass `params` into `parseUserQuery` and do NOT log inside it.
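Review bot: the second snippet in the new rule calls `EJSON.parse(params.qstring.filter)` with no error handling, so a malformed filter string throws out of the handler instead of producing the `400` the rule itself mandates; since developers will copy this block as the reference pattern, wrap it, e.g. `try { parsedQuery = EJSON.parse(params.qstring.filter); } catch (e) { return common.returnMessage(params, 400, "Invalid query"); }`, or point readers back at `common.parseUserQuery`, which the first comment says already accepts both strings and objects and reports problems through `error` rather than by throwing. Two smaller points: if `log.d` is the debug level, rejected-query events (the kind of signal operators want when someone is probing the query surface) will be dropped in most deployments, so consider a level that is retained by default; and `"Rejected user query" + common.reqInfo(params)` relies on `reqInfo` returning a leading space, so either confirm that or add one.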

## File Locations

| What | Where |
27 changes: 24 additions & 3 deletions SECURITY.md
@@ -13,7 +13,28 @@ All software related security bugs with severity of medium and higher will be aw

**Low** - no bounty rewards, does not directly lead to vulnerability, but provides a possibility (like exposing software version, which can be mapped to specific vulnerabilities), old dependencies, server misconfiguration

**Exclusion**
**Exclusions (out of scope — not eligible for bounty)**

Server specific configurations and deployment specific configurations due to on premise nature of our software.
All server configuration related issues will be reported to related departments/parties/companies, but we cannot guarantee any bounty rewards for them.
The following are out of scope. They may still be reported, and configuration issues will be forwarded to the relevant parties, but they do not qualify for a bounty reward:

1. **Deployment & server configuration.** Server-specific and deployment-specific configuration issues, due to the on-premises nature of our software (TLS setup, reverse-proxy/CORS/header configuration, exposed ports, OS/database hardening, rate-limiting tuning, etc.). These are forwarded to the relevant departments/parties/companies but carry no bounty guarantee.

2. **Privileged / admin-only endpoints behaving as designed.** Endpoints intended to be used only by authenticated global administrators or trusted server operators — for example `/mobile-login` and other operator/management endpoints — are not vulnerabilities when they require the privileges they are designed to require. "A global admin can do X across the system" is by design; global admin is a fully trusted role.

3. **By-design cross-app access for global admins.** Plugins and features whose documented purpose is to aggregate or operate on data across multiple applications for global administrators are working as intended. Accessing cross-app data while holding global-admin rights is not a privilege escalation.

4. **Findings that require code already fixed in the current codebase.** Reports reproduced only against an outdated or unpatched running server, demo, or hosted instance — where the issue is already fixed in the current source — are not eligible. Bounty assessment is made against the current code in this repository.

5. **Excluded plugins.** Plugins that are not enabled by default — i.e. not listed in `plugins/plugins.default.json` — are out of scope, since they may be experimental, uncommonly used, or deprecated. In addition, the `consolidate` and `errorlogs` plugins are out of scope even though they are enabled by default.

6. **Reliance on already-privileged access.** Issues that require the attacker to already hold rights equal to or greater than the access obtained (e.g. needing global admin to reach data a global admin already sees), or that depend on knowing a non-enumerable identifier of another tenant that is only ever exposed to authorized users.

7. **Duplicates and already-known issues.** Reports duplicating an already-reported or already-fixed issue; only the first actionable report is eligible.

8. **Theoretical, self-inflicted, or hardening-only issues.** Issues without a working proof of concept, self-inflicted issues (self-XSS, pasting attacker scripts into one's own console/session), and missing best-practice hardening that does not itself lead to an exploit (covered under "Low" above).

9. **Hooks custom-code effects.** The Hooks plugin's custom-code effect runs operator-supplied JavaScript and is being migrated to a stronger isolation model (`isolated-vm`) in an upcoming release, which removes the existing execution surface entirely. Issues that depend on the behaviour of the current custom-code sandbox (for example escaping or abusing the bundled sandbox's built-in helpers) are out of scope. Note that the Hooks plugin already requires an authenticated account with the relevant per-app hooks permission, and the custom-code effect executes code the operator themselves configured.

10. **Instances of a vulnerability class already under active remediation.** Findings that are additional instances of a vulnerability class we are already remediating — including work visible in an open or in-progress pull request, a public branch, or another not-yet-released fix — are considered part of that known, ongoing effort and are not separately eligible. Enumerating sibling occurrences of an issue from our published or in-progress remediation is not an independent discovery. Independently discovered issues remain welcome.

11. **Cross-site scripting (XSS) without a working proof of concept.** XSS reports that do not demonstrate actual script execution in an authenticated dashboard session are out of scope. Pointing at a potential sink (for example a `v-html` binding or a DOM write) is not sufficient on its own, since the value reaching a sink may already be neutralized elsewhere in the request handling or rendering pipeline. XSS with a working end-to-end proof of concept — including DOM-based XSS that originates from the URL or other client-controlled input — is in scope and welcome.
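Review bot: item 11 overlaps with item 8, which already excludes "Issues without a working proof of concept"; if the intent is to spell out what counts as a proof of concept for XSS specifically (script execution in an authenticated dashboard session, with URL-originated DOM XSS explicitly in scope), make item 11 a sub-point of 8 or cross-reference the two so a reporter does not read them as separate standards. Items 9 and 10 are time-bound ("in an upcoming release", "already under active remediation"): without a pointer to the tracking branch or pull request and a reminder to revisit them once the `isolated-vm` migration ships, they will silently go stale. Minor: the heading "Exclusions (out of scope — not eligible for bounty)" and the sentence that follows it ("are out of scope ... do not qualify for a bounty reward") say the same thing twice; one of them can go.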
11 changes: 11 additions & 0 deletions api/api.js
@@ -441,6 +441,17 @@ plugins.connectToAllDatabases().then(function() {
key: fs.readFileSync(common.config.api.ssl.key),
cert: fs.readFileSync(common.config.api.ssl.cert)
};
// Optional: let operators pin the negotiated TLS protocol range
// (e.g. minVersion "TLSv1.2"). Left unset by default so Node keeps
// its built-in defaults — deployments that still require older
// protocols, or that terminate TLS at nginx/their webserver, are
// unaffected.
if (common.config.api.ssl.minVersion) {
sslOptions.minVersion = common.config.api.ssl.minVersion;
}
if (common.config.api.ssl.maxVersion) {
sslOptions.maxVersion = common.config.api.ssl.maxVersion;
}
if (common.config.api.ssl.ca) {
sslOptions.ca = fs.readFileSync(common.config.api.ssl.ca);
}
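Review bot: the new `minVersion`/`maxVersion` values are passed straight through into `sslOptions` without validation, so a typo in config (for example `"TLS1.2"` or `"tlsv1.2"`) is only discovered when Node rejects the option at server creation, and the API fails to start with a generic thrown error rather than a message naming the offending config key. Suggest checking both values against the protocol names Node accepts (`"TLSv1"`, `"TLSv1.1"`, `"TLSv1.2"`, `"TLSv1.3"`) and that `minVersion` is not above `maxVersion`, logging a clear startup error before the options object is built. The comment explains why the default stays unset; stating the recommended hardened value (`"TLSv1.2"`, as the sample config already shows) in the same comment would turn it into actionable guidance for operators who do terminate TLS in the API process.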
2 changes: 2 additions & 0 deletions api/config.sample.js
@@ -74,6 +74,8 @@ var countlyConfig = {
key: "/path/to/ssl/private.key",
cert: "/path/to/ssl/certificate.crt",
// ca: "/path/to/ssl/ca_bundle.crt" // Optional: for client certificate verification, uncomment to activate
// minVersion: "TLSv1.2", // Optional: pin the lowest allowed TLS protocol (e.g. "TLSv1.2"). Unset = Node defaults
// maxVersion: "TLSv1.3", // Optional: pin the highest allowed TLS protocol. Unset = Node defaults
}
},
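Review bot: the two new comment lines leave the reader guessing which strings are accepted; list the valid values once (`"TLSv1"`, `"TLSv1.1"`, `"TLSv1.2"`, `"TLSv1.3"`) and drop the duplicated `(e.g. "TLSv1.2")` on the `minVersion` line, since the value shown on that line is already `"TLSv1.2"`. It would also help to say that `minVersion: "TLSv1.2"` is the recommended setting for deployments where the API terminates TLS itself, so the sample file doubles as the hardening guidance rather than only documenting the knob.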
/**
4 changes: 4 additions & 0 deletions api/parts/data/events.js
@@ -329,6 +329,10 @@ function processEvents(appEvents, appSegments, appSgValues, params, omitted_segm
if (segKey === "") {
continue;
}
//skip keys that map to object prototype members when used as field names
if (segKey === "__proto__" || segKey === "constructor" || segKey === "prototype") {
continue;
}

if (pluginsGetConfig.event_segmentation_limit &&
appSegments[currEvent.key] &&
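Review bot: the prototype-name denylist (`__proto__`, `constructor`, `prototype`) is inlined in this loop, so every other place that turns a user-supplied key into an object property or field name would have to copy it, and the CLAUDE.md change in this same pull request argues for putting exactly this kind of check into shared `common` helpers; suggest a single helper (name illustrative: `common.isUnsafeKeyName(segKey)`) and calling it here. Also worth confirming that `segKey` cannot reach the objects below as a dotted path (such as `a.__proto__`), since an exact-match comparison on the whole key does not catch that form.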