sync with master#7792
Merged
push: bind estimate audience endpoint to permission-checked app_id
The hooks custom-code effect runs operator-supplied JavaScript and is being migrated to a stronger isolation model (isolated-vm) in an upcoming release, which removes the current execution surface. Issues depending on the behaviour of the current custom-code sandbox are out of scope going forward. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
dbviewer: scope event-data base filter for members without app access
Plugins not listed in plugins/plugins.default.json are not enabled by default and may be experimental, uncommonly used, or deprecated; mark them out of scope generally rather than enumerating each one. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Drop system-utility and vue-example from the explicit list (they are not in plugins.default.json and are already covered by the general non-default-plugin clause). Keep consolidate and errorlogs explicit since they are enabled by default. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
docs: bounty exclusions — hooks custom-code effects + non-default plugins
The aggregation stage allow-list was only applied to the top level of the pipeline. $facet is allowed but carries sub-pipelines that were not inspected, so the allow-list was not enforced consistently inside them. Extract the allow-list and sanitizer into plugins/dbviewer/api/parts/aggregation_guard.js and apply it recursively, descending into $facet sub-pipelines at every depth (dropping sub-pipelines/stages emptied by sanitization so no empty $facet pipeline is produced). Top-level behaviour is unchanged. Adds unit tests for the recursive handling. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ecific Recurse into any kept stage's sub-pipelines by structure ($facet's sub-pipelines today, plus any stage exposing a .pipeline array) so the guard keeps holding if the allow-list ever gains another pipeline-bearing stage. Adds a test simulating a future allow-listed pipeline-bearing stage. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…r admins) The members / auth_tokens redaction is only applied to the top-level source collection, so a join into them (//) returns raw, un-redacted documents (api_key, password, token values). Global admins skip the stage sanitizer, so they could read these via a join even though the top-level redaction intentionally denies them. Detect joins/unions into the redacted collections (members, auth_tokens) at any depth — including sub-pipelines and nested .pipeline arrays — and reject such aggregations on both the admin and non-admin paths. Adds unit tests for top-level, $facet-nested, .pipeline-nested, $unionWith (object and string forms) and $graphLookup. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ope, write stages)
- restrict find() projections to plain field include/exclude, dropping expression / field-path alias values
- treat the _id search term as a literal (escape regex metacharacters)
- scope single-document lookups to the caller's apps, like the listing path
- reject write stages ($out / $merge) in aggregations on all paths
- exclude members.two_factor_auth from viewer output alongside password/api_key
Adds unit tests for projection sanitization, search-term escaping and write-stage detection. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…on stage Previously the members/auth_tokens redaction was inserted after any leading $match stages, so a leading $match (e.g. using $expr) could reference the raw credential fields before they were removed. Insert the redaction at the front so no user-supplied stage ever sees the raw password / api_key / two_factor_auth (members) or token _id (auth_tokens). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Use === true (allow-list) and === true (protected-collection set) so inherited Object.prototype keys (constructor, __proto__, …) on a user-controlled stage object are never mistaken for allow-listed/known entries. Adds a regression test for prototype-key stage names. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Consistent with the allow-list / protected-collection hardening: WRITE_STAGES lookup compares === true so inherited Object.prototype keys can't be mistaken for a known write stage. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…t 0/1
- coerce a projection that parses to null/array (or non-object) to {} before sanitizing/use, so an invalid projection can't reach find()
- sanitizeProjection now keeps only 0, 1 or booleans; other numbers (2, NaN, …) are dropped, keeping the projection within valid include/exclude semantics
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The stage allow-list only inspects pipeline stages, and stripUnsafeMongoOperators was applied to the find() filter/sort but not to the aggregation pipeline. So $function / $accumulator / $where could sit inside an allowed stage's expression ($project / $group / $addFields …) and execute server-side JavaScript — reachable on both the admin and non-admin aggregate paths. Deep-scan the whole pipeline (objects/arrays at every depth, including expression values) for these operators and reject the request on both paths, matching how the find() path already strips them. Adds unit tests. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- cap find() limit and aggregation iDisplayLength at 10000 (NaN-safe), and guard skip, so a crafted page size can't request an unbounded result set
- return a generic 500 message (logging the real error server-side) instead of passing raw MongoDB error objects back to the client
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Bumps [semver](https://github.com/npm/node-semver) from 7.8.2 to 7.8.3. - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md) - [Commits](npm/node-semver@v7.8.2...v7.8.3) --- updated-dependencies: - dependency-name: semver dependency-version: 7.8.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [rate-limiter-flexible](https://github.com/animir/node-rate-limiter-flexible) from 11.1.0 to 11.2.0. - [Release notes](https://github.com/animir/node-rate-limiter-flexible/releases) - [Commits](animir/node-rate-limiter-flexible@v11.1.0...v11.2.0) --- updated-dependencies: - dependency-name: rate-limiter-flexible dependency-version: 11.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
findProtectedCollectionJoin now walks every nested object/array rather than only $facet sub-pipelines and .pipeline arrays, so a join into a redacted collection smuggled inside any (incl. future) stage shape is still detected. Detection-only, so a blanket deep walk is safe. Adds a test for an arbitrary nested stage shape. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
findWriteStage now walks every nested object/array (like findProtectedCollectionJoin and findServerSideJs), so $out/$merge nested in any future stage shape is still detected. Detection-only, so the blanket deep walk is safe. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The stage sanitizer descended into nested sub-pipelines only for $facet and a .pipeline field. Recognize sub-pipelines by shape instead (an array whose elements are stage objects), so a blocked stage nested in any — including future — pipeline-bearing shape is stripped, while ordinary expression arrays (e.g. $concat operands) are left intact. Adds tests for an arbitrary nested shape and for the expression-array safety case. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
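The guard behaviour the dbviewer commits above describe (allow-list lookups compared with `=== true`, sub-pipelines recognised by shape, and a deep scan for server-side JavaScript operators), as an added example. This is not the project's aggregation_guard.js; STAGE_ALLOWLIST, isPipeline, findServerSideJs and sanitizePipeline are hypothetical names chosen for illustration.

```javascript
// Added example, not the project's aggregation_guard.js; all names are hypothetical.
const STAGE_ALLOWLIST = { $match: true, $project: true, $group: true, $sort: true, $limit: true, $facet: true };
const SERVER_SIDE_JS = { $function: true, $accumulator: true, $where: true };

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
// A stage is a plain object with exactly one key; a sub-pipeline is a non-empty array made
// only of stages (shape-based, so any future pipeline-bearing stage is covered). Conservative:
// an expression array of single-key objects (e.g. $and operands under $expr) is also filtered.
const isStage = (v) => isPlainObject(v) && Object.keys(v).length === 1;
const isPipeline = (v) => Array.isArray(v) && v.length > 0 && v.every(isStage);

// Detection-only deep walk: returns the first $function/$accumulator/$where key found at any
// depth (stage names and expression values alike), or null when none is present.
function findServerSideJs(node) {
  if (Array.isArray(node)) {
    for (const item of node) { const hit = findServerSideJs(item); if (hit) return hit; }
    return null;
  }
  if (!isPlainObject(node)) return null;
  for (const key of Object.keys(node)) {
    if (SERVER_SIDE_JS[key] === true) return key;
    const hit = findServerSideJs(node[key]); if (hit) return hit;
  }
  return null;
}

// Strip stages outside the allow-list at every depth. The `=== true` comparison matters: a
// user-supplied stage named "constructor" or "__proto__" resolves to an inherited
// Object.prototype member, which a plain truthy check would accept as allow-listed.
function sanitizePipeline(pipeline) {
  const out = [];
  for (const stage of pipeline) {
    if (!isStage(stage)) continue;
    const name = Object.keys(stage)[0];
    if (STAGE_ALLOWLIST[name] !== true) continue;
    const body = sanitizeValue(stage[name]);
    if (body !== undefined) out.push({ [name]: body }); // stages emptied by sanitization are dropped
  }
  return out;
}
function sanitizeValue(v) {
  if (isPipeline(v)) { const p = sanitizePipeline(v); return p.length ? p : undefined; }
  if (Array.isArray(v)) return v; // ordinary expression arrays ($concat operands etc.) stay intact
  if (!isPlainObject(v)) return v;
  const res = {};
  for (const k of Object.keys(v)) { const s = sanitizeValue(v[k]); if (s !== undefined) res[k] = s; }
  // an object whose every member was stripped (e.g. a $facet with only blocked sub-pipelines) is dropped
  return Object.keys(res).length === 0 && Object.keys(v).length > 0 ? undefined : res;
}
```

A request handler would call findServerSideJs first and reject the whole request on a hit, then run sanitizePipeline on what remains.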
…miter-flexible-11.2.0 build(deps): Bump rate-limiter-flexible from 11.1.0 to 11.2.0
Update CHANGELOG for version 25.03.48
Bumps [cypress](https://github.com/cypress-io/cypress) from 15.17.0 to 15.18.0. - [Release notes](https://github.com/cypress-io/cypress/releases) - [Changelog](https://github.com/cypress-io/cypress/blob/develop/CHANGELOG.md) - [Commits](cypress-io/cypress@v15.17.0...v15.18.0) --- updated-dependencies: - dependency-name: cypress dependency-version: 15.18.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
…s/cypress-15.18.0 build(deps-dev): Bump cypress from 15.17.0 to 15.18.0 in /ui-tests
Bumps [sharp](https://github.com/lovell/sharp) from 0.35.1 to 0.35.2. - [Release notes](https://github.com/lovell/sharp/releases) - [Commits](lovell/sharp@v0.35.1...v0.35.2) --- updated-dependencies: - dependency-name: sharp dependency-version: 0.35.2 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
…ns-640176b5ab build(deps): Bump actions/checkout from 6 to 7 in the actions group
…aged-17.0.8 build(deps-dev): Bump lint-staged from 17.0.7 to 17.0.8
…7.8.5 build(deps): Bump semver from 7.8.4 to 7.8.5
Bumps [sharp](https://github.com/lovell/sharp) from 0.35.1 to 0.35.2. - [Release notes](https://github.com/lovell/sharp/releases) - [Commits](lovell/sharp@v0.35.1...v0.35.2) --- updated-dependencies: - dependency-name: sharp dependency-version: 0.35.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
…s/sharp-0.35.2 build(deps-dev): Bump sharp from 0.35.1 to 0.35.2 in /ui-tests
….35.2 build(deps): Bump sharp from 0.35.1 to 0.35.2
Bumps the transitive protobufjs dependency (pulled in via firebase-admin -> @google-cloud/firestore -> google-gax/@grpc) from 7.5.x to 7.6.4 through an npm override, resolving: - GHSA high: DoS via unbounded Any expansion during JSON conversion - GHSA medium: schema-derived names can shadow runtime properties Parents require protobufjs ^7, so 7.6.4 is API-compatible. Only protobufjs and its own sub-deps (@protobufjs/*, long) change. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…rride chore(push): override protobufjs to ^7.6.4 (Dependabot)
[views] Refresh drawer on app change
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01FaAdVCmX2o4Z2WXqezGJLf
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01FaAdVCmX2o4Z2WXqezGJLf
… Features Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01FaAdVCmX2o4Z2WXqezGJLf
Update CHANGELOG.md
…try-changelog Claude/journey engine double entry changelog
…elog-update journey engine user merge changelog updates