@oneuptime/common 10.0.6 → 10.0.8

package/Server/Utils/VM/VMRunner.ts

@@ -77,22 +77,46 @@ export default class VMRunner {
         };
       `);
 
-      // axios (get, post, put, delete) - bridged via applySyncPromise
+      /*
+       * axios (get, head, options, post, put, patch, delete, request)
+       * bridged via applySyncPromise.
+       *
+       * For GET/HEAD/OPTIONS/DELETE: args = [method, url, configJson?]
+       * For POST/PUT/PATCH:         args = [method, url, bodyJson?, configJson?]
+       * For REQUEST:                args = ['request', '', configJson]
+       */
       const axiosRef: ivm.Reference<
-        (method: string, url: string, dataOrConfig?: string) => Promise<string>
+        (
+          method: string,
+          url: string,
+          arg1?: string,
+          arg2?: string,
+        ) => Promise<string>
       > = new ivm.Reference(
         async (
           method: string,
           url: string,
-          dataOrConfig?: string,
+          arg1?: string,
+          arg2?: string,
         ): Promise<string> => {
-          const parsed: JSONObject | undefined = dataOrConfig
-            ? (JSON.parse(dataOrConfig) as JSONObject)
+          const methodsWithBody: string[] = ["post", "put", "patch"];
+          const hasBody: boolean = methodsWithBody.includes(method);
+
+          /*
+           * For POST/PUT/PATCH: arg1=body, arg2=config
+           * For GET/HEAD/OPTIONS/DELETE/REQUEST: arg1=config
+           */
+          const body: JSONObject | undefined =
+            hasBody && arg1 ? (JSON.parse(arg1) as JSONObject) : undefined;
+
+          const configStr: string | undefined = hasBody ? arg2 : arg1;
+          const config: JSONObject | undefined = configStr
+            ? (JSON.parse(configStr) as JSONObject)
             : undefined;
 
           // Reconstruct real http/https Agents from serialized markers
-          if (parsed) {
-            const httpsAgentConfig: JSONObject | undefined = parsed[
+          if (config) {
+            const httpsAgentConfig: JSONObject | undefined = config[
               "httpsAgent"
             ] as JSONObject | undefined;
 
@@ -100,12 +124,12 @@ export default class VMRunner {
               httpsAgentConfig &&
               httpsAgentConfig["__agentType"] === "__https_agent__"
             ) {
-              parsed["httpsAgent"] = new https.Agent(
+              config["httpsAgent"] = new https.Agent(
                 httpsAgentConfig["options"] as https.AgentOptions,
               ) as unknown as JSONObject;
             }
 
-            const httpAgentConfig: JSONObject | undefined = parsed[
+            const httpAgentConfig: JSONObject | undefined = config[
               "httpAgent"
             ] as JSONObject | undefined;
 
@@ -113,63 +137,246 @@ export default class VMRunner {
               httpAgentConfig &&
               httpAgentConfig["__agentType"] === "__http_agent__"
             ) {
-              parsed["httpAgent"] = new http.Agent(
+              config["httpAgent"] = new http.Agent(
                 httpAgentConfig["options"] as http.AgentOptions,
               ) as unknown as JSONObject;
             }
           }
 
-          let response: AxiosResponse;
-
-          switch (method) {
-            case "get":
-              response = await axios.get(url, parsed);
-              break;
-            case "post":
-              response = await axios.post(url, parsed);
-              break;
-            case "put":
-              response = await axios.put(url, parsed);
-              break;
-            case "delete":
-              response = await axios.delete(url, parsed);
-              break;
-            default:
-              throw new Error(`Unsupported HTTP method: ${method}`);
-          }
+          /**
+           * Helper: convert AxiosHeaders (or any header-like object) to a
+           * plain record so it can be safely JSON-serialised.
+           */
+          const toPlainHeaders: (
+            headers: unknown,
+          ) => Record<string, unknown> = (
+            headers: unknown,
+          ): Record<string, unknown> => {
+            const plain: Record<string, unknown> = {};
+            if (headers) {
+              for (const hKey of Object.keys(
+                headers as Record<string, unknown>,
+              )) {
+                plain[hKey] = (headers as Record<string, unknown>)[hKey];
+              }
+            }
+            return plain;
+          };
+
+          try {
+            let response: AxiosResponse;
+
+            switch (method) {
+              case "get":
+                response = await axios.get(url, config);
+                break;
+              case "head":
+                response = await axios.head(url, config);
+                break;
+              case "options":
+                response = await axios.options(url, config);
+                break;
+              case "post":
+                response = await axios.post(url, body, config);
+                break;
+              case "put":
+                response = await axios.put(url, body, config);
+                break;
+              case "patch":
+                response = await axios.patch(url, body, config);
+                break;
+              case "delete":
+                response = await axios.delete(url, config);
+                break;
+              case "request":
+                response = await axios.request(
+                  config as Parameters<typeof axios.request>[0],
+                );
+                break;
+              default:
+                throw new Error(`Unsupported HTTP method: ${method}`);
+            }
 
-          return JSON.stringify({
-            status: response.status,
-            headers: response.headers,
-            data: response.data,
-          });
+            /*
+             * Convert AxiosHeaders to a plain object before serializing.
+             * JSON.stringify calls AxiosHeaders.toJSON(key) with a truthy key,
+             * which makes it join array headers (like set-cookie) with commas.
+             * This produces invalid Cookie headers when user code forwards them.
+             */
+            return JSON.stringify({
+              status: response.status,
+              headers: toPlainHeaders(response.headers),
+              data: response.data,
+            });
+          } catch (err: unknown) {
+            /*
+             * If this is an axios error with a response (4xx, 5xx, etc.),
+             * return the error details as JSON so the sandbox-side axios
+             * wrapper can reconstruct error.response for user code.
+             */
+            const axiosErr: {
+              isAxiosError?: boolean;
+              response?: AxiosResponse<any, any, Record<string, unknown>>;
+              message?: string;
+            } = err as {
+              isAxiosError?: boolean;
+              response?: AxiosResponse;
+              message?: string;
+            };
+
+            if (axiosErr.isAxiosError && axiosErr.response) {
+              return JSON.stringify({
+                __isAxiosError: true,
+                message: axiosErr.message || "Request failed",
+                status: axiosErr.response.status,
+                statusText: axiosErr.response.statusText,
+                headers: toPlainHeaders(axiosErr.response.headers),
+                data: axiosErr.response.data,
+              });
+            }
+
+            throw err;
+          }
         },
       );
 
       await jail.set("_axiosRef", axiosRef);
 
       await context.eval(`
-        const axios = {
-          get: async (url, config) => {
-            const r = await _axiosRef.applySyncPromise(undefined, ['get', url, config ? JSON.stringify(config) : undefined]);
-            return JSON.parse(r);
-          },
-          post: async (url, data) => {
-            const r = await _axiosRef.applySyncPromise(undefined, ['post', url, data ? JSON.stringify(data) : undefined]);
-            return JSON.parse(r);
-          },
-          put: async (url, data) => {
-            const r = await _axiosRef.applySyncPromise(undefined, ['put', url, data ? JSON.stringify(data) : undefined]);
-            return JSON.parse(r);
-          },
-          delete: async (url, config) => {
-            const r = await _axiosRef.applySyncPromise(undefined, ['delete', url, config ? JSON.stringify(config) : undefined]);
-            return JSON.parse(r);
-          },
-        };
+        function _assertNoFunctions(obj, path) {
+          if (!obj || typeof obj !== 'object') return;
+          if (Array.isArray(obj)) {
+            for (let i = 0; i < obj.length; i++) {
+              const fullPath = path + '[' + i + ']';
+              if (typeof obj[i] === 'function') {
+                throw new Error(
+                  'Functions are not supported in axios config because of security. ' +
+                  'Found a function at "' + fullPath + '". Please remove it or replace it with a plain value.'
+                );
+              }
+              if (obj[i] && typeof obj[i] === 'object') {
+                _assertNoFunctions(obj[i], fullPath);
+              }
+            }
+            return;
+          }
+          for (const key of Object.keys(obj)) {
+            const fullPath = path ? path + '.' + key : key;
+            if (typeof obj[key] === 'function') {
+              throw new Error(
+                'Functions are not supported in axios config because of security. ' +
+                'Found a function at "' + fullPath + '". Please remove it or replace it with a plain value.'
+              );
+            }
+            if (obj[key] && typeof obj[key] === 'object') {
+              _assertNoFunctions(obj[key], fullPath);
+            }
+          }
+        }
+
+        function _parseAxiosResult(r) {
+          const parsed = JSON.parse(r);
+          if (parsed && parsed.__isAxiosError) {
+            const err = new Error(parsed.message);
+            err.response = {
+              status: parsed.status,
+              statusText: parsed.statusText,
+              headers: parsed.headers,
+              data: parsed.data,
+            };
+            err.isAxiosError = true;
+            err.status = parsed.status;
+            throw err;
+          }
+          return parsed;
+        }
+
+        function _makeAxiosInstance(defaults) {
+          function mergeConfig(overrides) {
+            if (!defaults && !overrides) return undefined;
+            if (!defaults) return overrides;
+            if (!overrides) return Object.assign({}, defaults);
+            const merged = Object.assign({}, defaults, overrides);
+            if (defaults.headers && overrides.headers) {
+              merged.headers = Object.assign({}, defaults.headers, overrides.headers);
+            }
+            return merged;
+          }
+
+          async function _request(config) {
+            const merged = mergeConfig(config);
+            if (merged) _assertNoFunctions(merged, 'config');
+            const r = await _axiosRef.applySyncPromise(undefined, ['request', '', merged ? JSON.stringify(merged) : undefined]);
+            return _parseAxiosResult(r);
+          }
+
+          // Make instance callable: axios(config) or axios(url, config)
+          const instance = async function(urlOrConfig, config) {
+            if (typeof urlOrConfig === 'object') {
+              return _request(urlOrConfig);
+            }
+            return _request(Object.assign({}, config || {}, { url: urlOrConfig }));
+          };
+
+          instance.request = _request;
+          instance.get = async (url, config) => {
+            const merged = mergeConfig(config);
+            if (merged) _assertNoFunctions(merged, 'config');
+            const r = await _axiosRef.applySyncPromise(undefined, ['get', url, merged ? JSON.stringify(merged) : undefined]);
+            return _parseAxiosResult(r);
+          };
+          instance.head = async (url, config) => {
+            const merged = mergeConfig(config);
+            if (merged) _assertNoFunctions(merged, 'config');
+            const r = await _axiosRef.applySyncPromise(undefined, ['head', url, merged ? JSON.stringify(merged) : undefined]);
+            return _parseAxiosResult(r);
+          };
+          instance.options = async (url, config) => {
+            const merged = mergeConfig(config);
+            if (merged) _assertNoFunctions(merged, 'config');
+            const r = await _axiosRef.applySyncPromise(undefined, ['options', url, merged ? JSON.stringify(merged) : undefined]);
+            return _parseAxiosResult(r);
+          };
+          instance.post = async (url, data, config) => {
+            const merged = mergeConfig(config);
+            if (data) _assertNoFunctions(data, 'data');
+            if (merged) _assertNoFunctions(merged, 'config');
+            const r = await _axiosRef.applySyncPromise(undefined, ['post', url, data ? JSON.stringify(data) : undefined, merged ? JSON.stringify(merged) : undefined]);
+            return _parseAxiosResult(r);
+          };
+          instance.put = async (url, data, config) => {
+            const merged = mergeConfig(config);
+            if (data) _assertNoFunctions(data, 'data');
+            if (merged) _assertNoFunctions(merged, 'config');
+            const r = await _axiosRef.applySyncPromise(undefined, ['put', url, data ? JSON.stringify(data) : undefined, merged ? JSON.stringify(merged) : undefined]);
+            return _parseAxiosResult(r);
+          };
+          instance.patch = async (url, data, config) => {
+            const merged = mergeConfig(config);
+            if (data) _assertNoFunctions(data, 'data');
+            if (merged) _assertNoFunctions(merged, 'config');
+            const r = await _axiosRef.applySyncPromise(undefined, ['patch', url, data ? JSON.stringify(data) : undefined, merged ? JSON.stringify(merged) : undefined]);
+            return _parseAxiosResult(r);
+          };
+          instance.delete = async (url, config) => {
+            const merged = mergeConfig(config);
+            if (merged) _assertNoFunctions(merged, 'config');
+            const r = await _axiosRef.applySyncPromise(undefined, ['delete', url, merged ? JSON.stringify(merged) : undefined]);
+            return _parseAxiosResult(r);
+          };
+          instance.create = (instanceDefaults) => {
+            if (instanceDefaults) _assertNoFunctions(instanceDefaults, 'defaults');
+            const combinedDefaults = mergeConfig(instanceDefaults);
+            return _makeAxiosInstance(combinedDefaults);
+          };
+
+          return instance;
+        }
+
+        const axios = _makeAxiosInstance(null);
       `);
 
-      // crypto (createHash, createHmac, randomBytes) - bridged via applySync
+      // crypto (createHash, createHmac, randomBytes, randomUUID, randomInt) - bridged via applySync
       const cryptoRef: ivm.Reference<
         (op: string, ...args: string[]) => string
       > = new ivm.Reference((op: string, ...args: string[]): string => {
@@ -192,6 +399,13 @@ export default class VMRunner {
             const [size] = args;
             return crypto.randomBytes(parseInt(size!)).toString("hex");
           }
+          case "randomUUID": {
+            return crypto.randomUUID();
+          }
+          case "randomInt": {
+            const [min, max] = args;
+            return String(crypto.randomInt(parseInt(min!), parseInt(max!)));
+          }
           default:
             throw new Error(`Unsupported crypto operation: ${op}`);
         }
@@ -214,6 +428,13 @@ export default class VMRunner {
           randomBytes: (size) => ({
             toString(enc) { return _cryptoRef.applySync(undefined, ['randomBytes', String(size)]); }
           }),
+          randomUUID: () => {
+            return _cryptoRef.applySync(undefined, ['randomUUID']);
+          },
+          randomInt: (minOrMax, max) => {
+            if (max === undefined) { max = minOrMax; minOrMax = 0; }
+            return Number(_cryptoRef.applySync(undefined, ['randomInt', String(minOrMax), String(max)]));
+          },
         };
       `);
 

package/Server/Views/Partials/Head.ejs

@@ -1,10 +1,11 @@
 <link rel="preconnect" href="https://fonts.googleapis.com">
 <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+<link rel="preload" href="https://fonts.googleapis.com/css2?family=Inter:wght@100;200;300;400;500;600;700;800;900&display=swap" as="style">
 <link href="https://fonts.googleapis.com/css2?family=Inter:wght@100;200;300;400;500;600;700;800;900&display=swap"
     rel="stylesheet">
 <style>
     * {
-        font-family: Inter;
+        font-family: Inter, ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif;
     }
 
 
@@ -34,6 +35,7 @@
         width: auto;
     }
 </style>
+<link rel="preload" href="https://cdn.tailwindcss.com" as="script">
 <script src="https://cdn.tailwindcss.com"></script>
 
 <!-- Google Tag Manager -->

package/Tests/Server/Middleware/UserAuthorization.test.ts

@@ -93,6 +93,7 @@ describe("UserMiddleware", () => {
 
     const req: Partial<ExpressRequest> = {
       cookies: { "sso-token": mockedAccessToken },
+      headers: {},
     };
 
     test("should return an empty object when ssoToken is not passed", () => {

package/Types/Monitor/CriteriaFilter.ts

@@ -74,6 +74,13 @@ export enum CheckOn {
   DomainNameServer = "Domain Name Server",
   DomainStatusCode = "Domain Status Code",
   DomainIsExpired = "Domain Is Expired",
+
+  // External Status Page monitors.
+  ExternalStatusPageIsOnline = "External Status Page Is Online",
+  ExternalStatusPageOverallStatus = "External Status Page Overall Status",
+  ExternalStatusPageComponentStatus = "External Status Page Component Status",
+  ExternalStatusPageActiveIncidents = "External Status Page Active Incidents",
+  ExternalStatusPageResponseTime = "External Status Page Response Time (in ms)",
 }
 
 export interface ServerMonitorOptions {
@@ -159,7 +166,8 @@ export class CriteriaFilterUtil {
       checkOn === CheckOn.IsOnline ||
       checkOn === CheckOn.SnmpIsOnline ||
       checkOn === CheckOn.DnsIsOnline ||
-      checkOn === CheckOn.DomainIsExpired
+      checkOn === CheckOn.DomainIsExpired ||
+      checkOn === CheckOn.ExternalStatusPageIsOnline
     ) {
       return false;
     }
@@ -229,7 +237,9 @@ export class CriteriaFilterUtil {
       checkOn === CheckOn.SnmpResponseTime ||
       checkOn === CheckOn.SnmpIsOnline ||
       checkOn === CheckOn.DnsResponseTime ||
-      checkOn === CheckOn.DnsIsOnline
+      checkOn === CheckOn.DnsIsOnline ||
+      checkOn === CheckOn.ExternalStatusPageResponseTime ||
+      checkOn === CheckOn.ExternalStatusPageIsOnline
     );
   }
 }

package/Types/Monitor/ExternalStatusPageMonitor/ExternalStatusPageMonitorResponse.ts

@@ -0,0 +1,16 @@
+export interface ExternalStatusPageComponentStatus {
+  name: string;
+  status: string;
+  description?: string | undefined;
+}
+
+export default interface ExternalStatusPageMonitorResponse {
+  isOnline: boolean;
+  overallStatus: string;
+  componentStatuses: Array<ExternalStatusPageComponentStatus>;
+  activeIncidentCount: number;
+  responseTimeInMs: number;
+  failureCause: string;
+  rawBody?: string | undefined;
+  isTimeout?: boolean | undefined;
+}

package/Types/Monitor/ExternalStatusPageProviderType.ts

@@ -0,0 +1,8 @@
+enum ExternalStatusPageProviderType {
+  AtlassianStatuspage = "Atlassian Statuspage",
+  RSS = "RSS",
+  Atom = "Atom",
+  Auto = "Auto",
+}
+
+export default ExternalStatusPageProviderType;

package/Types/Monitor/MonitorCriteriaInstance.ts

@@ -448,6 +448,33 @@ export default class MonitorCriteriaInstance extends DatabaseProperty {
       return monitorCriteriaInstance;
     }
 
+    if (arg.monitorType === MonitorType.ExternalStatusPage) {
+      const monitorCriteriaInstance: MonitorCriteriaInstance =
+        new MonitorCriteriaInstance();
+
+      monitorCriteriaInstance.data = {
+        id: ObjectID.generate().toString(),
+        monitorStatusId: arg.monitorStatusId,
+        filterCondition: FilterCondition.All,
+        filters: [
+          {
+            checkOn: CheckOn.ExternalStatusPageIsOnline,
+            filterType: FilterType.True,
+            value: undefined,
+          },
+        ],
+        incidents: [],
+        alerts: [],
+        createAlerts: false,
+        changeMonitorStatus: true,
+        createIncidents: false,
+        name: `Check if ${arg.monitorName} is online`,
+        description: `This criteria checks if the ${arg.monitorName} external status page is reachable`,
+      };
+
+      return monitorCriteriaInstance;
+    }
+
     return null;
   }
 
@@ -629,6 +656,46 @@ export default class MonitorCriteriaInstance extends DatabaseProperty {
       };
     }
 
+    if (arg.monitorType === MonitorType.ExternalStatusPage) {
+      monitorCriteriaInstance.data = {
+        id: ObjectID.generate().toString(),
+        monitorStatusId: arg.monitorStatusId,
+        filterCondition: FilterCondition.Any,
+        filters: [
+          {
+            checkOn: CheckOn.ExternalStatusPageIsOnline,
+            filterType: FilterType.False,
+            value: undefined,
+          },
+        ],
+        incidents: [
+          {
+            title: `${arg.monitorName} is offline`,
+            description: `${arg.monitorName} external status page is currently unreachable.`,
+            incidentSeverityId: arg.incidentSeverityId,
+            autoResolveIncident: true,
+            id: ObjectID.generate().toString(),
+            onCallPolicyIds: [],
+          },
+        ],
+        changeMonitorStatus: true,
+        createIncidents: true,
+        createAlerts: false,
+        alerts: [
+          {
+            title: `${arg.monitorName} is offline`,
+            description: `${arg.monitorName} external status page is currently unreachable.`,
+            alertSeverityId: arg.alertSeverityId,
+            autoResolveAlert: true,
+            id: ObjectID.generate().toString(),
+            onCallPolicyIds: [],
+          },
+        ],
+        name: `Check if ${arg.monitorName} is offline`,
+        description: `This criteria checks if the ${arg.monitorName} external status page is unreachable`,
+      };
+    }
+
     if (
       arg.monitorType === MonitorType.API ||
       arg.monitorType === MonitorType.Website

package/Types/Monitor/MonitorStep.ts

@@ -35,6 +35,9 @@ import MonitorStepDnsMonitor, {
 import MonitorStepDomainMonitor, {
   MonitorStepDomainMonitorUtil,
 } from "./MonitorStepDomainMonitor";
+import MonitorStepExternalStatusPageMonitor, {
+  MonitorStepExternalStatusPageMonitorUtil,
+} from "./MonitorStepExternalStatusPageMonitor";
 import Zod, { ZodSchema } from "../../Utils/Schema/Zod";
 
 export interface MonitorStepType {
@@ -84,6 +87,9 @@ export interface MonitorStepType {
 
   // Domain monitor
   domainMonitor?: MonitorStepDomainMonitor | undefined;
+
+  // External Status Page monitor
+  externalStatusPageMonitor?: MonitorStepExternalStatusPageMonitor | undefined;
 }
 
 export default class MonitorStep extends DatabaseProperty {
@@ -112,6 +118,7 @@ export default class MonitorStep extends DatabaseProperty {
       snmpMonitor: undefined,
       dnsMonitor: undefined,
       domainMonitor: undefined,
+      externalStatusPageMonitor: undefined,
     };
   }
 
@@ -145,6 +152,7 @@ export default class MonitorStep extends DatabaseProperty {
       snmpMonitor: undefined,
       dnsMonitor: undefined,
       domainMonitor: undefined,
+      externalStatusPageMonitor: undefined,
     };
 
     return monitorStep;
@@ -252,6 +260,13 @@ export default class MonitorStep extends DatabaseProperty {
     return this;
   }
 
+  public setExternalStatusPageMonitor(
+    externalStatusPageMonitor: MonitorStepExternalStatusPageMonitor,
+  ): MonitorStep {
+    this.data!.externalStatusPageMonitor = externalStatusPageMonitor;
+    return this;
+  }
+
   public setCustomCode(customCode: string): MonitorStep {
     this.data!.customCode = customCode;
     return this;
@@ -380,6 +395,16 @@ export default class MonitorStep extends DatabaseProperty {
       }
     }
 
+    if (monitorType === MonitorType.ExternalStatusPage) {
+      if (!value.data.externalStatusPageMonitor) {
+        return "External status page configuration is required";
+      }
+
+      if (!value.data.externalStatusPageMonitor.statusPageUrl) {
+        return "Status page URL is required";
+      }
+    }
+
     return null;
   }
 
@@ -431,6 +456,11 @@ export default class MonitorStep extends DatabaseProperty {
           domainMonitor: this.data.domainMonitor
             ? MonitorStepDomainMonitorUtil.toJSON(this.data.domainMonitor)
             : undefined,
+          externalStatusPageMonitor: this.data.externalStatusPageMonitor
+            ? MonitorStepExternalStatusPageMonitorUtil.toJSON(
+                this.data.externalStatusPageMonitor,
+              )
+            : undefined,
         },
       });
     }
@@ -542,6 +572,9 @@ export default class MonitorStep extends DatabaseProperty {
       domainMonitor: json["domainMonitor"]
         ? (json["domainMonitor"] as JSONObject)
         : undefined,
+      externalStatusPageMonitor: json["externalStatusPageMonitor"]
+        ? (json["externalStatusPageMonitor"] as JSONObject)
+        : undefined,
     }) as any;
 
     return monitorStep;
@@ -569,6 +602,7 @@ export default class MonitorStep extends DatabaseProperty {
         snmpMonitor: Zod.any().optional(),
         dnsMonitor: Zod.any().optional(),
         domainMonitor: Zod.any().optional(),
+        externalStatusPageMonitor: Zod.any().optional(),
       }).openapi({
         type: "object",
         example: {