From 25.03.29

.github/workflows/main.yml

@@ -247,6 +247,7 @@ jobs:
     runs-on: ubuntu-latest
 
     strategy:
+      fail-fast: false
       matrix:
         test_type: [dashboard, onboarding]
 
@@ -338,6 +339,11 @@ jobs:
         working-directory: /opt/countly/ui-tests/cypress
         run: |
           ARTIFACT_ARCHIVE_NAME="$(date '+%Y%m%d-%H.%M')_${GITHUB_REPOSITORY#*/}_CI#${{ github.run_number }}_${{ matrix.test_type }}.tar.gz"
+
           mkdir -p screenshots videos downloads
-          tar zcvf "$ARTIFACT_ARCHIVE_NAME" screenshots videos downloads
+          find screenshots videos downloads -type d -empty -delete
+
+          TAR_TARGETS=$(ls -d screenshots videos downloads 2>/dev/null || true)
+
+          tar zcvf "$ARTIFACT_ARCHIVE_NAME" $TAR_TARGETS
           curl -o /tmp/uploader.log -u "${{ secrets.BOX_UPLOAD_AUTH }}" ${{ secrets.BOX_UPLOAD_PATH }} -T "$ARTIFACT_ARCHIVE_NAME"

CHANGELOG.md

@@ -1,3 +1,15 @@
+## Version 25.03.29
+Fixes:
+- [core] Do not output password in logs on mongodb connection initialisation error
+- [core] Hide error details on render error from response
+- [dashboards] Do not show error if request is cancelled.
+- [dbviewer] Hide api_key from requests
+- [events] Do not throw error in UI on returned group data if there is no segmentation set
+
+Enterprise Fixes:
+- [drill] Fixed timeline recalculation
+- [surveys] Do not fetch survey meta data if plugin is disabled
+
 ## Version 25.03.28
 Fixes:
 - [alerts] Add alert interval validation in the frontend

api/configextender.js

@@ -53,7 +53,12 @@ const OVERRIDES = {
             CA: 'ca',
         },
     },
-
+    COOKIE: {
+        SAMESITE: 'sameSite',
+        HTTPONLY: 'httpOnly',
+        MAXAGE: 'maxAge',
+        MAXAGELOGIN: 'maxAgeLogin',
+    },
     MAIL: {
         CONFIG: {
             IGNORETLS: "ignoreTLS"

api/jobs/ping.js

@@ -51,7 +51,7 @@ class PingJob extends job.Job {
 
                 if (days > 0) {
                     //calculate seconds timestamp of days before today
-                    var startTs = Math.round((new Date().getTime() - (30 * 24 * 60 * 60 * 1000)) / 1000);
+                    var startTs = Math.round((new Date().getTime() - (days * 24 * 60 * 60 * 1000)) / 1000);
 
                     //sync server events - use aggregation pipeline to group by day and action on MongoDB side
                     var aggregationPipeline = [

api/parts/mgmt/tracker.js

@@ -249,6 +249,13 @@ tracker.collectServerData = async function() {
         edition = "Enterprise";
     }
     props.edition = edition;
+    props.hosting = "self-hosted";
+    if (props.edition === "Flex") {
+        props.hosting = "flex";
+    }
+    else if (props.plugins.includes("tracker")) {
+        props.hosting = "countly-hosted";
+    }
     if (common.db.build && common.db.build.version) {
         props.mongodb = common.db.build.version;
     }

api/parts/mgmt/users.js

@@ -861,6 +861,9 @@ usersApi.checkNoteEditPermission = async function(params) {
                     if (error) {
                         return reject(false);
                     }
+                    if (!note) {
+                        return resolve(false);
+                    }
                     const globalAdmin = params.member.global_admin;
                     const isAppAdmin = hasAdminAccess(params.member, params.qstring.app_id);
                     const noteOwner = (note.owner + '' === params.member._id + '');

api/utils/common.js

@@ -1071,7 +1071,7 @@ common.validateArgs = function(args, argProperties, returnErrors) {
             }
 
             if (argProperties[arg]['max-length']) {
-                if (args[arg].length > argProperties[arg]['max-length']) {
+                if (args[arg] && args[arg].length > argProperties[arg]['max-length']) {
                     if (returnErrors) {
                         returnObj.errors.push("Length of " + arg + " is greater than max length value");
                         returnObj.result = false;
@@ -1084,7 +1084,7 @@ common.validateArgs = function(args, argProperties, returnErrors) {
             }
 
             if (argProperties[arg]['min-length']) {
-                if (args[arg].length < argProperties[arg]['min-length']) {
+                if (args[arg] && args[arg].length < argProperties[arg]['min-length']) {
                     if (returnErrors) {
                         returnObj.errors.push("Length of " + arg + " is lower than min length value");
                         returnObj.result = false;

api/utils/requestProcessor.js

@@ -392,7 +392,7 @@ const processRequest = (params) => {
                             options.token = token;
                             render.renderView(options, function(err3) {
                                 if (err3) {
-                                    common.returnMessage(params, 400, 'Error creating screenshot: ' + err3);
+                                    common.returnMessage(params, 400, 'Error creating screenshot. Please check logs for more information.');
                                     return false;
                                 }
                                 common.returnOutput(params, {path: common.config.path + "/images/screenshots/" + imageName});

frontend/express/public/core/events/javascripts/countly.details.models.js

@@ -381,7 +381,7 @@
         },
         getSegments: function(context, res) {
             var segments = [];
-            if (res.meta && res.meta.segments.length > 0) {
+            if (res.meta && res.meta.segments && Array.isArray(res.meta.segments) && res.meta.segments.length > 0) {
                 segments = res.meta.segments.slice();
                 context.commit('setHasSegments', true);
             }

plugins/alerts/api/api.js

@@ -193,6 +193,10 @@ const PERIOD_TO_TEXT_EXPRESSION_MAPPER = {
 
         validateCreate(params, FEATURE_NAME, function() {
             let alertConfig = params.qstring.alert_config;
+            if (!alertConfig) {
+                common.returnMessage(params, 400, 'Missing alert_config');
+                return;
+            }
             try {
                 alertConfig = JSON.parse(alertConfig);
                 var checkProps = {

plugins/compliance-hub/api/api.js

@@ -136,7 +136,7 @@ const FEATURE_NAME = 'compliance_hub';
         case 'current': {
             if (!params.qstring.app_id) {
                 common.returnMessage(params, 400, 'Missing parameter "app_id"');
-                return false;
+                return true;
             }
             validateRead(params, FEATURE_NAME, function() {
                 var query = params.qstring.query || {};
@@ -157,7 +157,7 @@ const FEATURE_NAME = 'compliance_hub';
         case 'search': {
             if (!params.qstring.app_id) {
                 common.returnMessage(params, 400, 'Missing parameter "app_id"');
-                return false;
+                return true;
             }
             validateRead(params, FEATURE_NAME, function() {
                 var query = params.qstring.query || {};
@@ -279,7 +279,7 @@ const FEATURE_NAME = 'compliance_hub';
         case 'consents': {
             if (!params.qstring.app_id) {
                 common.returnMessage(params, 400, 'Missing parameter "app_id"');
-                return false;
+                return true;
             }
             validateRead(params, FEATURE_NAME, function() {
                 appUsers.count(params.qstring.app_id, {}, function(err, total) {

plugins/dashboards/frontend/public/javascripts/countly.models.js

@@ -2,6 +2,13 @@
 
 (function(countlyDashboards) {
 
+    var isRequestCancelled = function(e) {
+        var isCancelled = false;
+        if (e && e.statusText === "abort") {
+            isCancelled = true;
+        }
+        return isCancelled;
+    };
     countlyDashboards.factory = {
         dashboards: {
             getEmpty: function() {
@@ -66,6 +73,9 @@
                 }, {disableAutoCatch: true});
             },
             get: function(dashboardId, isRefresh) {
+                if (!dashboardId) {
+                    return Promise.resolve(null);
+                }
                 return CV.$.ajax({
                     type: "GET",
                     url: countlyCommon.API_PARTS.data.r + "/dashboards",
@@ -643,11 +653,16 @@
 
                     return dashbaord;
                 }).catch(function(e) {
-                    log(e);
-                    CountlyHelpers.notify({
-                        message: "Something went wrong while fetching the dashbaord!",
-                        type: "error"
-                    });
+                    if (!isRequestCancelled(e)) {
+                        log(e);
+                        CountlyHelpers.notify({
+                            message: "Something went wrong while fetching the dashbaord!",
+                            type: "error"
+                        });
+                    }
+                    else {
+                        log("Request cancelled: " + e);
+                    }
 
                     return false;
                 });

plugins/dbviewer/api/api.js

@@ -152,10 +152,12 @@ var spawn = require('child_process').spawn,
         **/
         function getIndexes() {
             dbs[dbNameOnParam].collection(params.qstring.collection).indexes(function(err, indexes) {
-                if (err) {
-                    common.returnOutput(params, 'Somethings went wrong');
+                if (err || !indexes) {
+                    common.returnOutput(params, 'Failed to retrieve indexes for the collection');
+                }
+                else {
+                    common.returnOutput(params, { limit: indexes.length, start: 1, end: indexes.length, total: indexes.length, pages: 1, curPage: 1, collections: indexes });
                 }
-                common.returnOutput(params, { limit: indexes.length, start: 1, end: indexes.length, total: indexes.length, pages: 1, curPage: 1, collections: indexes });
             });
         }
 

plugins/dbviewer/frontend/public/javascripts/countly.views.js

@@ -250,7 +250,6 @@
                         sort = JSON.stringify(this.preparedSortObject);
                     }
                     var apiQueryData = {
-                        api_key: countlyGlobal.member.api_key,
                         app_id: countlyCommon.ACTIVE_APP_ID,
                         //filename: "DBViewer" + moment().format("DD-MMM-YYYY"), - using passed filename from form
                         projection: JSON.stringify(this.preparedProjectionFields),
@@ -303,7 +302,7 @@
             },
             computed: {
                 dbviewerAPIEndpoint: function() {
-                    var url = '/db?api_key=' + countlyGlobal.member.api_key + '&app_id=' + countlyCommon.ACTIVE_APP_ID + '&dbs=' + this.localDb + '&collection=' + this.localCollection;
+                    var url = '/db?app_id=' + countlyCommon.ACTIVE_APP_ID + '&dbs=' + this.localDb + '&collection=' + this.localCollection;
                     if (this.queryFilter) {
                         url += '&filter=' + encodeURIComponent(this.queryFilter);
                     }

plugins/pluginManager.js

@@ -1979,10 +1979,19 @@ var pluginManager = function pluginManager() {
             await client.connect();
         }
         catch (ex) {
+            var safeDbName = dbName;
+            var start = dbName.indexOf("://") + 3;
+            var end = dbName.indexOf("@", start);
+            if (end > -1 && start > 3) {
+                var middle = dbName.indexOf(":", start);
+                if (middle > -1 && middle < end) {
+                    safeDbName = dbName.substring(0, middle) + ":*****" + dbName.substring(end);
+                }
+            }
             logDbRead.e("Error connecting to database", ex);
             logDbRead.e("With params %j", {
                 db: db_name,
-                connection: dbName,
+                connection: safeDbName,
                 options: dbOptions
             });
             //exit to retry to reconnect on restart

plugins/reports/api/api.js

@@ -94,6 +94,8 @@ const FEATURE_NAME = 'reports';
             }
             catch (SyntaxError) {
                 console.log('Parse ' + paramsInstance.qstring.args + ' JSON failed');
+                common.returnMessage(paramsInstance, 400, 'Invalid JSON in args');
+                return true;
             }
         }
 
@@ -218,6 +220,8 @@ const FEATURE_NAME = 'reports';
             }
             catch (SyntaxError) {
                 console.log('Parse ' + paramsInstance.qstring.args + ' JSON failed');
+                common.returnMessage(paramsInstance, 400, 'Invalid JSON in args');
+                return true;
             }
         }
         const recordUpdateOrDeleteQuery = function(params, recordID) {
@@ -254,18 +258,22 @@ const FEATURE_NAME = 'reports';
 
                 convertToTimezone(props);
 
-                // TODO: handle report type check
-
-                let userApps = getUserApps(params.member);
-                let notPermitted = false;
-                for (var i = 0; i < props.apps.length; i++) {
-                    if (userApps.indexOf(props.apps[i]) === -1) {
-                        notPermitted = true;
+                if (props.report_type === "core") {
+                    if (!props.apps || !Array.isArray(props.apps) || props.apps.length === 0) {
+                        common.returnMessage(params, 400, 'Invalid or missing apps');
+                        return;
                     }
-                }
 
-                if (notPermitted && !params.member.global_admin) {
-                    return common.returnMessage(params, 401, 'User does not have right to access this information');
+                    let userApps = getUserApps(params.member);
+                    let notPermitted = false;
+                    for (var i = 0; i < props.apps.length; i++) {
+                        if (userApps.indexOf(props.apps[i]) === -1) {
+                            notPermitted = true;
+                        }
+                    }
+                    if (notPermitted && !params.member.global_admin) {
+                        return common.returnMessage(params, 401, 'User does not have right to access this information');
+                    }
                 }
 
                 common.db.collection('reports').insert(props, function(err0, result) {
@@ -304,18 +312,22 @@ const FEATURE_NAME = 'reports';
 
                 convertToTimezone(props);
 
-                // TODO: Handle report type check
-                const userApps = getUserApps(params.member);
-                let notPermitted = false;
-
-                for (var i = 0; i < props.apps.length; i++) {
-                    if (userApps.indexOf(props.apps[i]) === -1) {
-                        notPermitted = true;
+                if (props.report_type === "core") {
+                    if (!props.apps || !Array.isArray(props.apps) || props.apps.length === 0) {
+                        common.returnMessage(params, 400, 'Invalid or missing apps');
+                        return;
                     }
-                }
 
-                if (notPermitted && !params.member.global_admin) {
-                    return common.returnMessage(params, 401, 'User does not have right to access this information');
+                    let userApps = getUserApps(params.member);
+                    let notPermitted = false;
+                    for (var i = 0; i < props.apps.length; i++) {
+                        if (userApps.indexOf(props.apps[i]) === -1) {
+                            notPermitted = true;
+                        }
+                    }
+                    if (notPermitted && !params.member.global_admin) {
+                        return common.returnMessage(params, 401, 'User does not have right to access this information');
+                    }
                 }
                 common.db.collection('reports').findOne(recordUpdateOrDeleteQuery(params, id), function(err_update, report) {
                     if (err_update) {