Merge pull request #7489 from Countly/codex/merge-master-into-next-20260416

Codex/merge master into next 20260416

Author: ar2rsawseen

.github/workflows/deploy.yml

@@ -48,13 +48,13 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Log in to Docker Hub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f
         with:
           push: true
           file: ./Dockerfile-core

.github/workflows/docker-image.yml

@@ -26,13 +26,13 @@ jobs:
           echo ${{ steps.vars.outputs.tag }}
       
       - name: Log in to Docker Hub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f
         with:
           context: .
           push: true
@@ -57,13 +57,13 @@ jobs:
           echo ${{ steps.vars.outputs.tag }}
       
       - name: Log in to Docker Hub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f
         with:
           push: true
           file: ./Dockerfile-api
@@ -88,13 +88,13 @@ jobs:
           echo ${{ steps.vars.outputs.tag }}
       
       - name: Log in to Docker Hub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f
         with:
           push: true
           file: ./Dockerfile-frontend
@@ -119,13 +119,13 @@ jobs:
           echo ${{ steps.vars.outputs.tag }}
       
       - name: Log in to Docker Hub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f
         with:
           push: true
           file: ./Dockerfile-core

CHANGELOG.md

@@ -1,7 +1,26 @@
 ## Version 25.03.X
+Enterprise Fixes:
+- [flow] Optimize timeline period query
+
+Dependencies:
+- Bump follow-redirects from 1.15.11 to 1.16.0 
+- Bump get-random-values from 4.1.1 to 4.1.2
+- Revert @vitejs/plugin-legacy from 8.0.1 to 7.2.1
+
+## Version 25.03.42
 Fixes:
+- [alerts] Fixed alert jobs using system's timezone instead of application's
 - [core] Fixed duplicate conditional in form field template
 
+Enterprise Fixes:
+- [data-manager] Fix notification message after editing user property
+- [white-labeling] Update newsletter setting description
+
+Dependencies:
+- Bump @vitejs/plugin-legacy from 7.2.1 to 8.0.1
+- Bump ejs from 5.0.1 to 5.0.2
+- Bump node-forge from 1.3.3 to 1.4.0 in /plugins/push
+
 ## Version 25.03.41
 Fixes:
 - [push] Fix: Cannot create a push notification when configuration _id is a string
@@ -10,6 +29,26 @@ Fixes:
 Enterprise Fixes:
 - [journeys] Fix: prevent users entered stat to minus value for race conditions
 - [surveys] Fixed widget asset path with subdirectory
+- [journey-engin] Added new image handling mechanism for modal and half-modal content blocks
+
+Dependencies:
+- Bump axios from 1.13.5 to 1.15.0
+- Bump basic-ftp from 5.2.0 to 5.2.1
+- Bump brace-expansion from 1.1.12 to 1.1.13
+- Bump brace-expansion from 2.0.2 to 2.0.3 in /plugins/hooks
+- Bump cypress from 15.13.0 to 15.13.1 in /ui-tests 
+- Bump docker/login-action from 4.0.0 to 4.1.0 in the actions group
+- Bump file-type and jimp
+- Bump lodash from 4.17.23 to 4.18.1
+- Bump nodemailer from 8.0.2 to 8.0.5
+- Bump path-to-regexp from 0.1.12 to 0.1.13
+- Bump pdfjs-dist from 5.5.207 to 5.6.205 in /ui-tests 
+- Bump picomatch from 4.0.3 to 4.0.4
+- Bump rate-limiter-flexible from 9.1.1 to 11.0.0
+- Bump sass from 1.98.0 to 1.99.0
+- Bump sass-embedded from 1.98.0 to 1.99.0
+- Bump swiper from 12.1.2 to 12.1.3
+- Bump vite from 7.3.1 to 7.3.2
 
 ## Version 25.03.40
 Fixes:

Dockerfile-core

@@ -25,7 +25,10 @@ USER root
 WORKDIR /opt/countly
 COPY . .
 
-RUN useradd -r -M -U -d /opt/countly -s /bin/false countly && \
+RUN sed -i 's|http://|https://|g' /etc/apt/sources.list && \
+    find /etc/apt/sources.list.d -name '*.list' -exec sed -i 's|http://|https://|g' {} + || true && \
+    echo 'Acquire::Retries "3";' > /etc/apt/apt.conf.d/80-retries && \
+    useradd -r -M -U -d /opt/countly -s /bin/false countly && \
     apt-get update && \
     apt-get install -y \
         # standard

api/parts/data/exports.js

@@ -208,6 +208,15 @@ exports.output = function(params, data, filename, type) {
 
     if (type === "xlsx" || type === "xls") { //we have stream
         params.res.writeHead(200, headers);
+        data.on("error", function(streamErr) {
+            common.log("exports").e(streamErr);
+            if (!params.res.headersSent) {
+                common.returnMessage(params, 500, "Export stream error");
+            }
+            else {
+                params.res.end();
+            }
+        });
         data.pipe(params.res);
         //common.returnRaw(params, 200, new Buffer(data, 'binary'), headers);
     }
@@ -403,6 +412,15 @@ exports.stream = function(params, stream, options) {
     else if (type === 'xlsx' || type === 'xls') {
         options.streamOptions.transform = transformFunction;
         var xc = new XLSXTransformStream();
+        xc.on("error", function(streamErr) {
+            common.log("exports").e(streamErr);
+            if (!params.res.headersSent) {
+                common.returnMessage(params, 500, "Export stream error");
+            }
+            else {
+                params.res.end();
+            }
+        });
         xc.pipe(params.res);
         if (listAtEnd === false) {
             xc.write(paramList);

api/utils/common.js

@@ -25,6 +25,7 @@ const mongodb = require('mongodb');
 const getRandomValues = require('get-random-values');
 const semver = require('semver');
 const _ = require('lodash');
+const path = require('path');
 
 var matchHtmlRegExp = /"|'|&(?!amp;|quot;|#39;|lt;|gt;|#46;|#36;)|<|>/;
 var matchLessHtmlRegExp = /[<>]/;
@@ -2345,9 +2346,9 @@ common.clearClashingQueryOperations = function(query) {
         }
     }
 
-    for (var path in map) {
-        if (map[path] > 1) {
-            badPaths.push(path);
+    for (var fieldPath in map) {
+        if (map[fieldPath] > 1) {
+            badPaths.push(fieldPath);
         }
     }
     if (badPaths.length > 0) {
@@ -2819,6 +2820,25 @@ common.sanitizeFilename = (filename, replacement = "") => {
         .replace(/^\.+/, replacement);
 };
 
+/**
+ * Resolve an input path under a base directory and reject path traversal.
+ * @param {string} basePath - base directory for allowed paths
+ * @param {string} inputPath - user-supplied path segment or relative path
+ * @returns {string|null} contained absolute path or null
+ */
+common.resolvePathInBase = (basePath, inputPath) => {
+    basePath = path.resolve(basePath + "");
+    inputPath = (inputPath + "").replace(/\\/g, "/");
+    while (inputPath.indexOf("/") === 0) {
+        inputPath = inputPath.substring(1);
+    }
+    let resolvedPath = path.resolve(basePath, inputPath);
+    if (resolvedPath === basePath || resolvedPath.indexOf(basePath + path.sep) === 0) {
+        return resolvedPath;
+    }
+    return null;
+};
+
 common.sanitizeHTML = (html, extendedWhitelist) => {
     const whiteList = {
         a: ["target", "title"],
@@ -3499,4 +3519,4 @@ common.trimWhitespaceStartEnd = function(value) {
 };
 
 /** @type {import('../../types/common').Common} */
-module.exports = common;
+module.exports = common;

api/utils/requestProcessor.js

@@ -1683,6 +1683,15 @@ const processRequest = (params) => {
                                                 common.returnMessage(params, 400, "Export doesn't exist");
                                             }
                                             else {
+                                                stream.on("error", function(streamErr) {
+                                                    log.e(streamErr);
+                                                    if (!params.res.headersSent) {
+                                                        common.returnMessage(params, 500, "Export stream error");
+                                                    }
+                                                    else {
+                                                        params.res.end();
+                                                    }
+                                                });
                                                 params.res.writeHead(200, {
                                                     'Content-Type': 'application/x-gzip',
                                                     'Content-Length': size,
@@ -2260,6 +2269,15 @@ const processRequest = (params) => {
                                                     common.returnMessage(params, 400, "Export stream does not exist");
                                                 }
                                                 else {
+                                                    stream.on("error", function(streamErr) {
+                                                        log.e(streamErr);
+                                                        if (!params.res.headersSent) {
+                                                            common.returnMessage(params, 500, "Export stream error");
+                                                        }
+                                                        else {
+                                                            params.res.end();
+                                                        }
+                                                    });
                                                     headers = {};
                                                     headers["Content-Type"] = countlyApi.data.exports.getType(type);
                                                     headers["Content-Disposition"] = "attachment;filename=" + encodeURIComponent(filename);

bin/countly.install_rhel.sh

@@ -53,7 +53,6 @@ if [[ "$CENTOS_MAJOR" = "9" ]]; then
 else
     curl -L -O -J "https://box.tools.count.ly/public.php/dav/files/Wj8opzNdyE5DyDX/?accept=zip"
     sudo yum install -y raven-release.el8.noarch.rpm
-    sudo yum install -y ipa-gothic-fonts
 fi
 
 #Install dependancies required by the puppeteer