
Sync master flex #7793

Merged

frknbasaran merged 462 commits into flex from sync-master-flex on Jul 3, 2026
Conversation

@frknbasaran


No description provided.

ar2rsawseen and others added 30 commits June 8, 2026 20:11
The hooks custom-code effect runs operator-supplied JavaScript and is being
migrated to a stronger isolation model (isolated-vm) in an upcoming release,
which removes the current execution surface. Issues depending on the behaviour
of the current custom-code sandbox are out of scope going forward.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
dbviewer: scope event-data base filter for members without app access
Plugins not listed in plugins/plugins.default.json are not enabled by default
and may be experimental, uncommonly used, or deprecated; mark them out of scope
generally rather than enumerating each one.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Drop system-utility and vue-example from the explicit list (they are not in
plugins.default.json and are already covered by the general non-default-plugin
clause). Keep consolidate and errorlogs explicit since they are enabled by
default.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
docs: bounty exclusions — hooks custom-code effects + non-default plugins
The aggregation stage allow-list was only applied to the top level of the
pipeline. $facet is allowed but carries sub-pipelines that were not inspected,
so the allow-list was not enforced consistently inside them.

Extract the allow-list and sanitizer into plugins/dbviewer/api/parts/
aggregation_guard.js and apply it recursively, descending into $facet
sub-pipelines at every depth (dropping sub-pipelines/stages emptied by
sanitization so no empty $facet pipeline is produced). Top-level behaviour is
unchanged. Adds unit tests for the recursive handling.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ecific

Recurse into any kept stage's sub-pipelines by structure ($facet's
sub-pipelines today, plus any stage exposing a .pipeline array) so the guard
keeps holding if the allow-list ever gains another pipeline-bearing stage.
Adds a test simulating a future allow-listed pipeline-bearing stage.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…r admins)

The members / auth_tokens redaction is only applied to the top-level source
collection, so a join into them (//) returns raw,
un-redacted documents (api_key, password, token values). Global admins skip
the stage sanitizer, so they could read these via a join even though the
top-level redaction intentionally denies them.

Detect joins/unions into the redacted collections (members, auth_tokens) at
any depth — including sub-pipelines and nested .pipeline arrays — and
reject such aggregations on both the admin and non-admin paths. Adds unit
tests for top-level, $facet-nested, .pipeline-nested, $unionWith (object and
string forms) and $graphLookup.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ope, write stages)

- restrict find() projections to plain field include/exclude, dropping
  expression / field-path alias values
- treat the _id search term as a literal (escape regex metacharacters)
- scope single-document lookups to the caller's apps, like the listing path
- reject write stages ($out / $merge) in aggregations on all paths
- exclude members.two_factor_auth from viewer output alongside password/api_key

Adds unit tests for projection sanitization, search-term escaping and
write-stage detection.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…on stage

Previously the members/auth_tokens redaction was inserted after any leading
$match stages, so a leading $match (e.g. using $expr) could reference the raw
credential fields before they were removed. Insert the redaction at the front
so no user-supplied stage ever sees the raw password / api_key / two_factor_auth
(members) or token _id (auth_tokens).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Use === true (allow-list) and === true (protected-collection set) so inherited
Object.prototype keys (constructor, __proto__, …) on a user-controlled stage
object are never mistaken for allow-listed/known entries. Adds a regression
test for prototype-key stage names.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Consistent with the allow-list / protected-collection hardening: WRITE_STAGES
lookup compares === true so inherited Object.prototype keys can't be mistaken
for a known write stage.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…t 0/1

- coerce a projection that parses to null/array (or non-object) to {} before
  sanitizing/use, so an invalid projection can't reach find()
- sanitizeProjection now keeps only 0, 1 or booleans; other numbers (2, NaN, …)
  are dropped, keeping the projection within valid include/exclude semantics

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The stage allow-list only inspects pipeline stages, and stripUnsafeMongoOperators
was applied to the find() filter/sort but not to the aggregation pipeline. So
$function / $accumulator / $where could sit inside an allowed stage's
expression ($project / $group / $addFields …) and execute server-side
JavaScript — reachable on both the admin and non-admin aggregate paths.

Deep-scan the whole pipeline (objects/arrays at every depth, including
expression values) for these operators and reject the request on both paths,
matching how the find() path already strips them. Adds unit tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- cap find() limit and aggregation iDisplayLength at 10000 (NaN-safe), and
  guard skip, so a crafted page size can't request an unbounded result set
- return a generic 500 message (logging the real error server-side) instead of
  passing raw MongoDB error objects back to the client

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
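The find()-path hardening the commit messages above describe (a projection coerced to a plain object and limited to 0/1/boolean values, the protected member fields forced out of the viewer output, the _id search term treated as a literal, and a NaN-safe cap on page size and skip) as one added example. This is illustrative code written for this page, not the dbviewer plugin's own code; the function names, the default page size and the request parameter names are assumptions.

```javascript
// Added example, not Countly's own code. parseProjection, sanitizeProjection,
// applyProtectedFieldExclusions, escapeRegex, clampPaging and buildFindOptions
// are assumed names; MAX_PAGE_SIZE follows the 10000 cap described above,
// DEFAULT_PAGE_SIZE is constructed.

const MAX_PAGE_SIZE = 10000;
const DEFAULT_PAGE_SIZE = 50;
const PROTECTED_FIELDS = { members: ['password', 'api_key', 'two_factor_auth'] };

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Parse the raw projection parameter; null, arrays, scalars and unparsable
// input all coerce to {} so an invalid projection never reaches find().
function parseProjection(raw) {
  let parsed;
  try { parsed = JSON.parse(raw); } catch (e) { return {}; }
  return isPlainObject(parsed) ? parsed : {};
}

// Keep only plain include/exclude values: 0, 1 or booleans. Expression values
// ({ $concat: ... }), field-path aliases ('$password') and other numbers
// (2, NaN) are dropped.
function sanitizeProjection(projection) {
  const clean = {};
  for (const key of Object.keys(projection)) {
    const v = projection[key];
    if (v === 0 || v === 1 || typeof v === 'boolean') clean[key] = v;
  }
  return clean;
}

// Force protected fields out of the output. MongoDB rejects mixed
// include/exclude projections (except for _id), so in an inclusion projection
// the protected keys are deleted and in an exclusion projection they are set to 0.
function applyProtectedFieldExclusions(collection, projection) {
  // hasOwnProperty so a collection named 'constructor' does not hit Object.prototype
  const fields = Object.prototype.hasOwnProperty.call(PROTECTED_FIELDS, collection)
    ? PROTECTED_FIELDS[collection] : [];
  const out = { ...projection };
  const inclusion = Object.keys(out).some((k) => k !== '_id' && (out[k] === 1 || out[k] === true));
  for (const f of fields) {
    if (inclusion) delete out[f]; else out[f] = 0;
  }
  // An inclusion projection that named only protected fields is now empty, and
  // an empty projection returns every field, so fall back to excluding them.
  if (inclusion && !Object.keys(out).some((k) => k !== '_id')) {
    for (const f of fields) out[f] = 0;
  }
  return out;
}

// The search term is a literal: escape every regex metacharacter before it is
// used in a $regex filter.
function escapeRegex(term) {
  return String(term).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// NaN-safe paging: a missing or malformed limit gets the default, anything
// above MAX_PAGE_SIZE is capped, and skip is floored at 0.
function clampPaging(rawLimit, rawSkip) {
  let limit = parseInt(rawLimit, 10);
  if (!Number.isFinite(limit) || limit < 1) limit = DEFAULT_PAGE_SIZE;
  limit = Math.min(limit, MAX_PAGE_SIZE);
  let skip = parseInt(rawSkip, 10);
  if (!Number.isFinite(skip) || skip < 0) skip = 0;
  return { limit, skip };
}

// Assemble the find() arguments from raw request parameters (constructed names).
function buildFindOptions(collection, query) {
  const projection = applyProtectedFieldExclusions(
    collection, sanitizeProjection(parseProjection(query.projection)));
  const paging = clampPaging(query.iDisplayLength, query.iDisplayStart);
  const filter = query.sSearch ? { _id: { $regex: escapeRegex(query.sSearch) } } : {};
  return { filter, projection, ...paging };
}
```

Every step fails closed: an unparsable projection becomes `{}`, a malformed page size becomes the default, and the protected-field exclusion is applied after user input has been sanitized so nothing the caller supplies can re-include those fields.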
Bumps [semver](https://github.com/npm/node-semver) from 7.8.2 to 7.8.3.
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md)
- [Commits](npm/node-semver@v7.8.2...v7.8.3)

---
updated-dependencies:
- dependency-name: semver
  dependency-version: 7.8.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [rate-limiter-flexible](https://github.com/animir/node-rate-limiter-flexible) from 11.1.0 to 11.2.0.
- [Release notes](https://github.com/animir/node-rate-limiter-flexible/releases)
- [Commits](animir/node-rate-limiter-flexible@v11.1.0...v11.2.0)

---
updated-dependencies:
- dependency-name: rate-limiter-flexible
  dependency-version: 11.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
findProtectedCollectionJoin now walks every nested object/array rather than
only $facet sub-pipelines and .pipeline arrays, so a join into a redacted
collection smuggled inside any (incl. future) stage shape is still detected.
Detection-only, so a blanket deep walk is safe. Adds a test for an arbitrary
nested stage shape.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
findWriteStage now walks every nested object/array (like findProtectedCollectionJoin
and findServerSideJs), so $out/$merge nested in any future stage shape is still
detected. Detection-only, so the blanket deep walk is safe.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The stage sanitizer descended into nested sub-pipelines only for $facet and a
.pipeline field. Recognize sub-pipelines by shape instead (an array whose
elements are stage objects), so a blocked stage nested in any — including
future — pipeline-bearing shape is stripped, while ordinary expression arrays
(e.g. $concat operands) are left intact. Adds tests for an arbitrary nested
shape and for the expression-array safety case.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
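The aggregation guard the dbviewer commit messages above describe (a stage allow-list applied recursively, sub-pipelines recognised by shape rather than by the enclosing stage name, `=== true` lookups so inherited Object.prototype keys are never matched, detection-only deep walks for server-side JavaScript operators, write stages and joins into the redacted collections, and a redaction `$project` placed at the front of the pipeline) as one added example. This is illustrative code written for this page, not the code in plugins/dbviewer/api/parts/aggregation_guard.js; the allow-listed stage names, the redacted field lists and the function names are assumptions.

```javascript
// Added example, not Countly's own code. STAGE_ALLOW_LIST, sanitizePipeline,
// findServerSideJs, findWriteStage, findProtectedCollectionJoin and
// guardAggregation are assumed names; the stage and field lists are illustrative.

// Values are `true` so every lookup can use `=== true`, which an inherited
// Object.prototype key (constructor, __proto__, ...) never satisfies.
const STAGE_ALLOW_LIST = {
  $match: true, $project: true, $group: true, $sort: true, $limit: true,
  $skip: true, $unwind: true, $addFields: true, $facet: true, $lookup: true,
};
const WRITE_STAGES = { $out: true, $merge: true };
const SERVER_SIDE_JS = { $function: true, $accumulator: true, $where: true };
const JOIN_STAGES = { $lookup: true, $graphLookup: true, $unionWith: true };
const PROTECTED_COLLECTIONS = { members: true, auth_tokens: true };
// Fields removed before any user-supplied stage runs (constructed lists).
const REDACTED_FIELDS = { members: ['password', 'api_key', 'two_factor_auth'], auth_tokens: ['_id'] };

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// A stage object has exactly one key and that key starts with '$'.
function isStage(v) {
  const keys = isPlainObject(v) ? Object.keys(v) : [];
  return keys.length === 1 && keys[0].startsWith('$');
}

// Sub-pipelines are recognised by shape, not by the enclosing stage name.
const isPipeline = (v) => Array.isArray(v) && v.length > 0 && v.every(isStage);

// Drop every stage not in the allow-list, at any depth; returns null when the
// pipeline is emptied so no empty sub-pipeline is ever produced.
function sanitizePipeline(pipeline) {
  const kept = [];
  for (const stage of pipeline) {
    if (!isStage(stage)) continue;
    const name = Object.keys(stage)[0];
    if (STAGE_ALLOW_LIST[name] !== true) continue;
    const body = sanitizeValue(stage[name]);
    if (body !== undefined) kept.push({ [name]: body });
  }
  return kept.length ? kept : null;
}

function sanitizeValue(v) {
  if (isPipeline(v)) return sanitizePipeline(v) ?? undefined;
  // Ordinary expression arrays ($concat operands, $in lists) are kept.
  if (Array.isArray(v)) return v.map(sanitizeValue).filter((e) => e !== undefined);
  if (!isPlainObject(v)) return v;
  const out = {};
  let dropped = false;
  for (const k of Object.keys(v)) {
    const s = sanitizeValue(v[k]);
    if (s === undefined) dropped = true; else out[k] = s;
  }
  // An object emptied by sanitization (a $facet whose sub-pipelines were all
  // stripped) is dropped together with its stage.
  return dropped && Object.keys(out).length === 0 ? undefined : out;
}

// Detection-only deep walk over every object key at any depth; the predicate
// also receives the key of the enclosing object.
function deepSome(v, pred, parentKey) {
  if (Array.isArray(v)) return v.some((e) => deepSome(e, pred, parentKey));
  if (!isPlainObject(v)) return false;
  return Object.keys(v).some((k) => pred(k, v[k], parentKey) || deepSome(v[k], pred, k));
}

const findServerSideJs = (p) => deepSome(p, (k) => SERVER_SIDE_JS[k] === true);
const findWriteStage = (p) => deepSome(p, (k) => WRITE_STAGES[k] === true);

// $lookup/$graphLookup name the collection in `from`; $unionWith takes either a
// string or { coll, pipeline }. A field that merely happens to be called `from`
// inside a $match is not a join.
const findProtectedCollectionJoin = (p) => deepSome(p, (k, v, parent) => {
  if (k === '$unionWith' && typeof v === 'string') return PROTECTED_COLLECTIONS[v] === true;
  const namesCollection = (k === 'from' || k === 'coll') && JOIN_STAGES[parent] === true;
  return namesCollection && typeof v === 'string' && PROTECTED_COLLECTIONS[v] === true;
});

// Full guard: reject on detection, sanitize, then put the redaction stage first
// so no user-supplied stage ever sees the raw credential fields.
function guardAggregation(collection, pipeline) {
  if (!Array.isArray(pipeline)) return { ok: false, reason: 'pipeline must be an array' };
  if (findServerSideJs(pipeline)) return { ok: false, reason: 'server-side JavaScript operator' };
  if (findWriteStage(pipeline)) return { ok: false, reason: 'write stage' };
  if (findProtectedCollectionJoin(pipeline)) return { ok: false, reason: 'join into protected collection' };
  const clean = sanitizePipeline(pipeline) ?? [];
  const fields = PROTECTED_COLLECTIONS[collection] === true ? REDACTED_FIELDS[collection] : null;
  if (fields) clean.unshift({ $project: Object.fromEntries(fields.map((f) => [f, 0])) });
  return { ok: true, pipeline: clean };
}
```

The shape test in `isPipeline` is deliberately conservative: any array whose every element is a single-`$`-key object is treated as a sub-pipeline and held to the allow-list, so a `$or` list of `$expr` operands would be stripped rather than run. That fails closed; a code base that needs those expressions can narrow `isStage` to the stage names it knows, at the cost of no longer catching an unknown stage nested in an unexpected shape.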
…miter-flexible-11.2.0

build(deps): Bump rate-limiter-flexible from 11.1.0 to 11.2.0
…7.8.3

build(deps): Bump semver from 7.8.2 to 7.8.3
ar2rsawseen and others added 24 commits June 26, 2026 14:21
…aged-17.0.8

build(deps-dev): Bump lint-staged from 17.0.7 to 17.0.8
…7.8.5

build(deps): Bump semver from 7.8.4 to 7.8.5
Bumps [sharp](https://github.com/lovell/sharp) from 0.35.1 to 0.35.2.
- [Release notes](https://github.com/lovell/sharp/releases)
- [Commits](lovell/sharp@v0.35.1...v0.35.2)

---
updated-dependencies:
- dependency-name: sharp
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…s/sharp-0.35.2

build(deps-dev): Bump sharp from 0.35.1 to 0.35.2 in /ui-tests
….35.2

build(deps): Bump sharp from 0.35.1 to 0.35.2
Bumps the transitive protobufjs dependency (pulled in via
firebase-admin -> @google-cloud/firestore -> google-gax/@grpc)
from 7.5.x to 7.6.4 through an npm override, resolving:

- GHSA high: DoS via unbounded Any expansion during JSON conversion
- GHSA medium: schema-derived names can shadow runtime properties

Parents require protobufjs ^7, so 7.6.4 is API-compatible. Only
protobufjs and its own sub-deps (@protobufjs/*, long) change.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…rride

chore(push): override protobufjs to ^7.6.4 (Dependabot)
[views] Refresh drawer on app change
… Features

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01FaAdVCmX2o4Z2WXqezGJLf
…try-changelog

Claude/journey engine double entry changelog
…elog-update

journey engine user merge changelog updates
@frknbasaran frknbasaran enabled auto-merge July 3, 2026 09:37
@frknbasaran frknbasaran disabled auto-merge July 3, 2026 10:34
@frknbasaran frknbasaran merged commit 15299d9 into flex Jul 3, 2026
4 of 9 checks passed
10 participants