@oneuptime/common 10.0.14 → 10.0.16

package/Models/DatabaseModels/User.ts

@@ -351,6 +351,33 @@ class User extends UserModel {
   })
   public resetPasswordExpires?: Date = undefined;
 
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({ type: TableColumnType.ShortText })
+  @Column({
+    type: ColumnType.ShortText,
+    length: ColumnLength.ShortText,
+    nullable: true,
+    unique: false,
+  })
+  public webauthnChallenge?: string = undefined;
+
+  @ColumnAccessControl({
+    create: [],
+    read: [],
+    update: [],
+  })
+  @TableColumn({ type: TableColumnType.Date })
+  @Column({
+    type: ColumnType.Date,
+    nullable: true,
+    unique: false,
+  })
+  public webauthnChallengeExpiresAt?: Date = undefined;
+
   @ColumnAccessControl({
     create: [],
     read: [Permission.CurrentUser],

package/Server/API/UserWebAuthnAPI.ts

@@ -54,12 +54,10 @@ export default class UserWebAuthnAPI extends BaseAPI<
           const databaseProps: DatabaseCommonInteractionProps =
             await CommonAPI.getDatabaseCommonInteractionProps(req);
 
-          const expectedChallenge: string = data["challenge"] as string;
           const credential: any = data["credential"];
           const name: string = data["name"] as string;
 
           await UserWebAuthnService.verifyRegistration({
-            challenge: expectedChallenge,
             credential: credential,
             name: name,
             props: databaseProps,

package/Server/Infrastructure/Postgres/SchemaMigrations/1772280000000-MigrationName.ts

@@ -0,0 +1,23 @@
+import { MigrationInterface, QueryRunner } from "typeorm";
+
+export class MigrationName1772280000000 implements MigrationInterface {
+  public name = "MigrationName1772280000000";
+
+  public async up(queryRunner: QueryRunner): Promise<void> {
+    await queryRunner.query(
+      `ALTER TABLE "User" ADD "webauthnChallenge" character varying(100)`,
+    );
+    await queryRunner.query(
+      `ALTER TABLE "User" ADD "webauthnChallengeExpiresAt" TIMESTAMP WITH TIME ZONE`,
+    );
+  }
+
+  public async down(queryRunner: QueryRunner): Promise<void> {
+    await queryRunner.query(
+      `ALTER TABLE "User" DROP COLUMN "webauthnChallengeExpiresAt"`,
+    );
+    await queryRunner.query(
+      `ALTER TABLE "User" DROP COLUMN "webauthnChallenge"`,
+    );
+  }
+}

package/Server/Infrastructure/Postgres/SchemaMigrations/Index.ts

@@ -260,6 +260,7 @@ import { MigrationName1770833704656 } from "./1770833704656-MigrationName";
 import { MigrationName1770834237090 } from "./1770834237090-MigrationName";
 import { MigrationName1770834237091 } from "./1770834237091-MigrationName";
 import { MigrationName1772111896988 } from "./1772111896988-MigrationName";
+import { MigrationName1772280000000 } from "./1772280000000-MigrationName";
 
 export default [
   InitialMigration,
@@ -524,4 +525,5 @@ export default [
   MigrationName1770834237090,
   MigrationName1770834237091,
   MigrationName1772111896988,
+  MigrationName1772280000000,
 ];

package/Server/Services/MonitorTestService.ts

@@ -1,11 +1,112 @@
-import DatabaseService from "./DatabaseService";
+import DatabaseService, { EntityManager } from "./DatabaseService";
 import MonitorTest from "../../Models/DatabaseModels/MonitorTest";
+import ObjectID from "../../Types/ObjectID";
+import OneUptimeDate from "../../Types/Date";
+import { MonitorStepProbeResponse } from "../../Models/DatabaseModels/MonitorProbe";
 
 export class Service extends DatabaseService<MonitorTest> {
+  private static readonly STALE_TEST_CLAIM_TIMEOUT_IN_MINUTES: number = 10;
+
   public constructor() {
     super(MonitorTest);
     this.hardDeleteItemsOlderThanInDays("createdAt", 2); // this is temporary data. Clear it after 2 days.
   }
+
+  /**
+   * Atomically claims monitor tests for a specific probe instance using
+   * FOR UPDATE SKIP LOCKED so concurrent probe replicas do not execute the
+   * same monitor test.
+   */
+  public async claimMonitorTestsForProbing(data: {
+    probeId: ObjectID;
+    limit: number;
+  }): Promise<Array<ObjectID>> {
+    const staleClaimThreshold: Date = OneUptimeDate.addRemoveMinutes(
+      OneUptimeDate.getCurrentDate(),
+      -Service.STALE_TEST_CLAIM_TIMEOUT_IN_MINUTES,
+    );
+
+    return await this.executeTransaction(
+      async (transactionalEntityManager: EntityManager) => {
+        const selectQuery: string = `
+          SELECT mt."_id"
+          FROM "MonitorTest" mt
+          WHERE mt."probeId" = $1
+            AND (
+              mt."isInQueue" = true
+              OR (
+                mt."isInQueue" = false
+                AND mt."updatedAt" <= $3
+              )
+            )
+            AND mt."monitorStepProbeResponse" IS NULL
+            AND mt."deletedAt" IS NULL
+          ORDER BY mt."createdAt" ASC
+          LIMIT $2
+          FOR UPDATE OF mt SKIP LOCKED
+        `;
+
+        const selectedRows: Array<{ _id: string }> =
+          await transactionalEntityManager.query(selectQuery, [
+            data.probeId.toString(),
+            data.limit,
+            staleClaimThreshold,
+          ]);
+
+        if (selectedRows.length === 0) {
+          return [];
+        }
+
+        const ids: Array<string> = selectedRows.map((row: { _id: string }) => {
+          return row._id;
+        });
+
+        const updateQuery: string = `
+          UPDATE "MonitorTest"
+          SET "isInQueue" = false,
+              "updatedAt" = now()
+          WHERE "_id" = ANY($1::uuid[])
+        `;
+
+        await transactionalEntityManager.query(updateQuery, [ids]);
+
+        return ids.map((id: string) => {
+          return new ObjectID(id);
+        });
+      },
+    );
+  }
+
+  /**
+   * Merge a single step response into monitorStepProbeResponse atomically.
+   * This avoids step-response overwrite races when multiple step jobs are
+   * processed concurrently.
+   */
+  public async mergeStepProbeResponse(data: {
+    testId: ObjectID;
+    monitorStepProbeResponse: MonitorStepProbeResponse;
+  }): Promise<void> {
+    const testedAt: Date = OneUptimeDate.getCurrentDate();
+
+    await this.executeTransaction(
+      async (transactionalEntityManager: EntityManager) => {
+        const updateQuery: string = `
+          UPDATE "MonitorTest"
+          SET "monitorStepProbeResponse" = COALESCE("monitorStepProbeResponse", '{}'::jsonb) || $2::jsonb,
+              "testedAt" = $3,
+              "updatedAt" = now()
+          WHERE "_id" = $1
+            AND "deletedAt" IS NULL
+        `;
+
+        await transactionalEntityManager.query(updateQuery, [
+          data.testId.toString(),
+          JSON.stringify(data.monitorStepProbeResponse),
+          testedAt,
+        ]);
+      },
+    );
+  }
 }
 
 export default new Service();

package/Server/Services/UserWebAuthnService.ts

@@ -19,6 +19,9 @@ import ObjectID from "../../Types/ObjectID";
 import DatabaseCommonInteractionProps from "../../Types/BaseDatabase/DatabaseCommonInteractionProps";
 import UserTotpAuth from "../../Models/DatabaseModels/UserTotpAuth";
 import UserTotpAuthService from "./UserTotpAuthService";
+import OneUptimeDate from "../../Types/Date";
+
+const WEBAUTHN_CHALLENGE_TTL_MINUTES: number = 5;
 
 export class Service extends DatabaseService<Model> {
   public constructor() {
@@ -102,6 +105,21 @@ export class Service extends DatabaseService<Model> {
       );
     }
 
+    // Store the challenge server-side so verification uses a trusted value
+    await UserService.updateOneById({
+      id: data.userId,
+      data: {
+        webauthnChallenge: options.challenge,
+        webauthnChallengeExpiresAt: OneUptimeDate.addRemoveMinutes(
+          OneUptimeDate.getCurrentDate(),
+          WEBAUTHN_CHALLENGE_TTL_MINUTES,
+        ),
+      },
+      props: {
+        isRoot: true,
+      },
+    });
+
     return {
       options: options as any,
       challenge: options.challenge,
@@ -110,16 +128,24 @@ export class Service extends DatabaseService<Model> {
 
   @CaptureSpan()
   public async verifyRegistration(data: {
-    challenge: string;
     credential: any;
     name: string;
     props: DatabaseCommonInteractionProps;
   }): Promise<void> {
+    if (!data.props.userId) {
+      throw new BadDataException("User ID not found in request");
+    }
+
+    // Retrieve the challenge from the server-side store
+    const storedChallenge: string = await this.getAndClearStoredChallenge(
+      data.props.userId,
+    );
+
     const expectedOrigin: string = `${HttpProtocol}${Host.toString()}`;
 
     const verification: any = await verifyRegistrationResponse({
       response: data.credential,
-      expectedChallenge: data.challenge,
+      expectedChallenge: storedChallenge,
       expectedOrigin: expectedOrigin,
       expectedRPID: Host.toString(),
     });
@@ -134,10 +160,6 @@ export class Service extends DatabaseService<Model> {
       throw new BadDataException("Registration info not found");
     }
 
-    if (!data.props.userId) {
-      throw new BadDataException("User ID not found in request");
-    }
-
     // Save the credential
     const userWebAuthn: Model = Model.fromJSON(
       {
@@ -213,6 +235,21 @@ export class Service extends DatabaseService<Model> {
     options.challenge = Buffer.from(options.challenge).toString("base64url");
     // allowCredentials id is already base64url string
 
+    // Store the challenge server-side so verification uses a trusted value
+    await UserService.updateOneById({
+      id: user.id!,
+      data: {
+        webauthnChallenge: options.challenge,
+        webauthnChallengeExpiresAt: OneUptimeDate.addRemoveMinutes(
+          OneUptimeDate.getCurrentDate(),
+          WEBAUTHN_CHALLENGE_TTL_MINUTES,
+        ),
+      },
+      props: {
+        isRoot: true,
+      },
+    });
+
     return {
       options: options as any,
       challenge: options.challenge,
@@ -223,9 +260,13 @@ export class Service extends DatabaseService<Model> {
   @CaptureSpan()
   public async verifyAuthentication(data: {
     userId: string;
-    challenge: string;
     credential: any;
   }): Promise<User> {
+    // Retrieve the challenge from the server-side store
+    const storedChallenge: string = await this.getAndClearStoredChallenge(
+      new ObjectID(data.userId),
+    );
+
     const user: User | null = await UserService.findOneById({
       id: new ObjectID(data.userId),
       select: {
@@ -267,7 +308,7 @@ export class Service extends DatabaseService<Model> {
 
     const verification: any = await verifyAuthenticationResponse({
       response: data.credential,
-      expectedChallenge: data.challenge,
+      expectedChallenge: storedChallenge,
       expectedOrigin: expectedOrigin,
       expectedRPID: Host.toString(),
       credential: {
@@ -295,6 +336,73 @@ export class Service extends DatabaseService<Model> {
     return user;
   }
 
+  /**
+   * Retrieves the stored WebAuthn challenge for the given user,
+   * validates it has not expired, and clears it so it cannot be reused.
+   */
+  private async getAndClearStoredChallenge(userId: ObjectID): Promise<string> {
+    const user: User | null = await UserService.findOneById({
+      id: userId,
+      select: {
+        webauthnChallenge: true,
+        webauthnChallengeExpiresAt: true,
+      },
+      props: {
+        isRoot: true,
+      },
+    });
+
+    if (!user) {
+      throw new BadDataException("User not found");
+    }
+
+    if (!user.webauthnChallenge || !user.webauthnChallengeExpiresAt) {
+      throw new BadDataException(
+        "No pending WebAuthn challenge found. Please initiate the WebAuthn flow again.",
+      );
+    }
+
+    // Check expiry
+    if (
+      OneUptimeDate.isBefore(
+        user.webauthnChallengeExpiresAt,
+        OneUptimeDate.getCurrentDate(),
+      )
+    ) {
+      // Clear the expired challenge
+      await UserService.updateOneById({
+        id: userId,
+        data: {
+          webauthnChallenge: null as any,
+          webauthnChallengeExpiresAt: null as any,
+        },
+        props: {
+          isRoot: true,
+        },
+      });
+
+      throw new BadDataException(
+        "WebAuthn challenge has expired. Please initiate the WebAuthn flow again.",
+      );
+    }
+
+    const challenge: string = user.webauthnChallenge;
+
+    // Clear the challenge immediately so it cannot be reused (one-time use)
+    await UserService.updateOneById({
+      id: userId,
+      data: {
+        webauthnChallenge: null as any,
+        webauthnChallengeExpiresAt: null as any,
+      },
+      props: {
+        isRoot: true,
+      },
+    });
+
+    return challenge;
+  }
+
   @CaptureSpan()
   protected override async onBeforeCreate(
     createBy: CreateBy<Model>,

package/Server/Utils/Browser.ts

@@ -27,7 +27,6 @@ export default class BrowserUtil {
     "--disable-features=dbus", // additional D-Bus feature gate
     "--no-zygote", // skip zygote process that fails OOM score adjustments in containers
     // Memory optimization flags
-    "--single-process", // run browser in single process to reduce memory overhead
     "--disable-extensions", // no extensions needed for monitoring
     "--disable-background-networking", // disable background network requests
     "--disable-default-apps", // don't load default apps

package/Server/Utils/Memory.ts

@@ -0,0 +1,81 @@
+import fs from "fs";
+import os from "os";
+
+const UNLIMITED_CGROUP_THRESHOLD_BYTES: number = 1 << 60; // treat absurdly large cgroup limit as "unlimited"
+
+export default class MemoryUtil {
+  public static getHostFreeMemoryInBytes(): number {
+    return os.freemem();
+  }
+
+  public static getContainerAwareAvailableMemoryInBytes(): number {
+    const hostFreeMemory: number = this.getHostFreeMemoryInBytes();
+    const cgroupAvailableMemory: number | null =
+      this.getCgroupAvailableMemoryInBytes();
+
+    if (cgroupAvailableMemory === null) {
+      return hostFreeMemory;
+    }
+
+    // Be conservative: never exceed container-available memory.
+    return Math.min(hostFreeMemory, cgroupAvailableMemory);
+  }
+
+  public static getCgroupAvailableMemoryInBytes(): number | null {
+    // cgroup v2
+    const v2Limit: number | null = this.readNumericFile(
+      "/sys/fs/cgroup/memory.max",
+    );
+    const v2Usage: number | null = this.readNumericFile(
+      "/sys/fs/cgroup/memory.current",
+    );
+
+    if (
+      v2Limit &&
+      v2Usage !== null &&
+      v2Limit > 0 &&
+      v2Limit < UNLIMITED_CGROUP_THRESHOLD_BYTES
+    ) {
+      return Math.max(v2Limit - v2Usage, 0);
+    }
+
+    // cgroup v1
+    const v1Limit: number | null = this.readNumericFile(
+      "/sys/fs/cgroup/memory/memory.limit_in_bytes",
+    );
+    const v1Usage: number | null = this.readNumericFile(
+      "/sys/fs/cgroup/memory/memory.usage_in_bytes",
+    );
+
+    if (
+      v1Limit &&
+      v1Usage !== null &&
+      v1Limit > 0 &&
+      v1Limit < UNLIMITED_CGROUP_THRESHOLD_BYTES
+    ) {
+      return Math.max(v1Limit - v1Usage, 0);
+    }
+
+    return null;
+  }
+
+  private static readNumericFile(path: string): number | null {
+    try {
+      const rawValue: string = fs.readFileSync(path, "utf8").trim();
+
+      if (!rawValue || rawValue === "max") {
+        return null;
+      }
+
+      const value: number = Number(rawValue);
+
+      if (!Number.isFinite(value) || value <= 0) {
+        return null;
+      }
+
+      return value;
+    } catch {
+      return null;
+    }
+  }
+}

package/Server/Utils/Monitor/Criteria/CompareCriteria.ts

@@ -235,7 +235,10 @@ export default class CompareCriteria {
 
     if (data.criteriaFilter.filterType === FilterType.IsNotEmpty) {
       if (data.value !== null && data.value !== undefined) {
-        return `${data.criteriaFilter.checkOn} is not empty.`;
+        const valueStr: string = String(data.value);
+        const truncatedValue: string =
+          valueStr.length > 500 ? valueStr.substring(0, 500) + "..." : valueStr;
+        return `${data.criteriaFilter.checkOn} is not empty. Value: ${truncatedValue}`;
       }
 
       return null;

package/Server/Utils/Monitor/Criteria/IncomingEmailCriteria.ts

@@ -238,7 +238,11 @@ export default class IncomingEmailCriteria {
 
     if (criteriaFilter.filterType === FilterType.IsNotEmpty) {
       if (fieldValue && fieldValue.trim() !== "") {
-        return `${fieldName} is not empty.`;
+        const truncatedValue: string =
+          fieldValue.length > 500
+            ? fieldValue.substring(0, 500) + "..."
+            : fieldValue;
+        return `${fieldName} is not empty. Value: ${truncatedValue}`;
       }
       return null;
     }

package/Server/Utils/VM/VMRunner.ts

@@ -1,13 +1,159 @@
 import ReturnResult from "../../../Types/IsolatedVM/ReturnResult";
-import { JSONObject } from "../../../Types/JSON";
+import { JSONObject, JSONValue } from "../../../Types/JSON";
 import axios, { AxiosResponse } from "axios";
 import crypto from "crypto";
 import http from "http";
 import https from "https";
 import ivm from "isolated-vm";
 import CaptureSpan from "../Telemetry/CaptureSpan";
+import Dictionary from "../../../Types/Dictionary";
+import GenericObject from "../../../Types/GenericObject";
+import vm, { Context } from "vm";
 
 export default class VMRunner {
+  @CaptureSpan()
+  public static async runCodeInNodeVM(data: {
+    code: string;
+    options: {
+      timeout?: number;
+      args?: JSONObject | undefined;
+      context?: Dictionary<GenericObject | string> | undefined;
+    };
+  }): Promise<ReturnResult> {
+    const { code, options } = data;
+    const timeout: number = options.timeout || 5000;
+
+    const logMessages: string[] = [];
+    const MAX_LOG_BYTES: number = 1_000_000; // 1MB cap
+    let totalLogBytes: number = 0;
+
+    // Track timer handles so we can clean them up after execution
+    type TimerHandle = ReturnType<typeof setTimeout>;
+    const pendingTimeouts: TimerHandle[] = [];
+    const pendingIntervals: TimerHandle[] = [];
+
+    const wrappedSetTimeout: (
+      fn: (...args: unknown[]) => void,
+      ms?: number,
+      ...rest: unknown[]
+    ) => TimerHandle = (
+      fn: (...args: unknown[]) => void,
+      ms?: number,
+      ...rest: unknown[]
+    ): TimerHandle => {
+      const handle: TimerHandle = setTimeout(fn, ms, ...rest);
+      pendingTimeouts.push(handle);
+      return handle;
+    };
+
+    const wrappedClearTimeout: (handle: TimerHandle) => void = (
+      handle: TimerHandle,
+    ): void => {
+      clearTimeout(handle);
+      const idx: number = pendingTimeouts.indexOf(handle);
+      if (idx !== -1) {
+        pendingTimeouts.splice(idx, 1);
+      }
+    };
+
+    const wrappedSetInterval: (
+      fn: (...args: unknown[]) => void,
+      ms?: number,
+      ...rest: unknown[]
+    ) => TimerHandle = (
+      fn: (...args: unknown[]) => void,
+      ms?: number,
+      ...rest: unknown[]
+    ): TimerHandle => {
+      const handle: TimerHandle = setInterval(fn, ms, ...rest);
+      pendingIntervals.push(handle);
+      return handle;
+    };
+
+    const wrappedClearInterval: (handle: TimerHandle) => void = (
+      handle: TimerHandle,
+    ): void => {
+      clearInterval(handle);
+      const idx: number = pendingIntervals.indexOf(handle);
+      if (idx !== -1) {
+        pendingIntervals.splice(idx, 1);
+      }
+    };
+
+    let sandbox: Context = {
+      process: Object.freeze(Object.create(null)),
+      console: {
+        log: (...args: JSONValue[]) => {
+          const msg: string = args.join(" ");
+          totalLogBytes += msg.length;
+          if (totalLogBytes <= MAX_LOG_BYTES) {
+            logMessages.push(msg);
+          }
+        },
+      },
+      http: http,
+      https: https,
+      axios: axios,
+      crypto: crypto,
+      setTimeout: wrappedSetTimeout,
+      clearTimeout: wrappedClearTimeout,
+      setInterval: wrappedSetInterval,
+      clearInterval: wrappedClearInterval,
+      ...options.context,
+    };
+
+    if (options.args) {
+      sandbox = {
+        ...sandbox,
+        args: options.args,
+      };
+    }
+
+    vm.createContext(sandbox);
+
+    const script: string = `(async()=>{
+        ${code}
+      })()`;
+
+    try {
+      /*
+       * vm timeout only covers synchronous CPU time, so wrap with
+       * Promise.race to also cover async operations (network, timers, etc.)
+       */
+      const vmPromise: Promise<unknown> = vm.runInContext(script, sandbox, {
+        timeout: timeout,
+      });
+
+      const overallTimeout: Promise<never> = new Promise(
+        (_resolve: (value: never) => void, reject: (reason: Error) => void) => {
+          const handle: NodeJS.Timeout = global.setTimeout(() => {
+            reject(new Error("Script execution timed out"));
+          }, timeout + 5000);
+          // Don't let this timer keep the process alive
+          handle.unref();
+        },
+      );
+
+      const returnVal: unknown = await Promise.race([
+        vmPromise,
+        overallTimeout,
+      ]);
+
+      return {
+        returnValue: returnVal,
+        logMessages,
+      };
+    } finally {
+      // Clean up any lingering timers to prevent resource leaks
+      for (const handle of pendingTimeouts) {
+        clearTimeout(handle);
+      }
+      for (const handle of pendingIntervals) {
+        clearInterval(handle);
+      }
+    }
+  }
+
   @CaptureSpan()
   public static async runCodeInSandbox(data: {
     code: string;

package/Tests/Server/Utils/VM/VMAPI.test.ts

@@ -7,6 +7,7 @@ jest.mock("../../../../Server/EnvironmentConfig", () => {
 
 jest.mock("../../../../Server/Middleware/ClusterKeyAuthorization", () => {
   return {
+    __esModule: true,
     default: {
       getClusterKeyHeaders: () => {
         return {};
@@ -17,12 +18,14 @@ jest.mock("../../../../Server/Middleware/ClusterKeyAuthorization", () => {
 
 jest.mock("../../../../Utils/API", () => {
   return {
+    __esModule: true,
     default: { post: jest.fn() },
   };
 });
 
 jest.mock("../../../../Server/Utils/Logger", () => {
   return {
+    __esModule: true,
     default: {
       error: jest.fn(),
       debug: jest.fn(),
@@ -34,6 +37,7 @@ jest.mock("../../../../Server/Utils/Logger", () => {
 
 jest.mock("../../../../Server/Utils/Telemetry/CaptureSpan", () => {
   return {
+    __esModule: true,
     default: () => {
       return (
         _target: any,