[security] Fix Fortify-flagged path traversal, XSS and info-leak issues

api/utils/common.js

@@ -1403,7 +1403,10 @@ common.returnMessage = function(params, returnCode, message, heads, noResult = f
         else {
             console.error("Output already closed, can't write more");
             console.trace();
-            console.log(params);
+            // Don't dump the full params object — req.body/req.headers can
+            // contain credentials, session cookies, or other secrets. Log
+            // only the pathname (query string can carry api_key/auth_token).
+            console.log({pathname: params.urlParts && params.urlParts.pathname, apiPath: params.apiPath, qstringKeys: params.qstring && Object.keys(params.qstring)});
         }
     }
 };
@@ -1485,7 +1488,10 @@ common.returnOutput = function(params, output, noescape, heads) {
         else {
             console.error("Output already closed, can't write more");
             console.trace();
-            console.log(params);
+            // Don't dump the full params object — req.body/req.headers can
+            // contain credentials, session cookies, or other secrets. Log
+            // only the pathname (query string can carry api_key/auth_token).
+            console.log({pathname: params.urlParts && params.urlParts.pathname, apiPath: params.apiPath, qstringKeys: params.qstring && Object.keys(params.qstring)});
         }
     }
 };

frontend/express/app.js

@@ -479,14 +479,16 @@ Promise.all([plugins.dbConnection(countlyConfig), plugins.dbConnection("countly_
     app.use(cookieParser());
     //server theme images
     app.use(function(req, res, next) {
-        var urlPath = req.url.replace(countlyConfig.path, "");
+        var urlPath = req.path.replace(countlyConfig.path, "");
         var theme = req.cookies.theme || curTheme;
-        if (theme && theme.length && (req.url.indexOf(countlyConfig.path + '/images/') === 0 || req.url.indexOf(countlyConfig.path + '/geodata/') === 0)) {
-            fs.exists(__dirname + '/public/themes/' + theme + urlPath, function(exists) {
-                if (exists) {
-                    res.sendFile(__dirname + '/public/themes/' + theme + urlPath);
-                }
-                else {
+        if (theme && theme.length && (req.path.indexOf(countlyConfig.path + '/images/') === 0 || req.path.indexOf(countlyConfig.path + '/geodata/') === 0)) {
+            // Both `theme` (cookie) and `urlPath` (URL) are user-controlled.
+            // Hand the relative path to res.sendFile with `root` set to
+            // /public/themes — express normalizes the path and rejects any
+            // `..` traversal before touching the filesystem. Missing files
+            // surface via the error callback and fall through to next().
+            res.sendFile(theme + urlPath, {root: path.resolve(__dirname, 'public/themes')}, function(err) {
+                if (err) {
                     next();
                 }
             });

plugins/sdk/api/api.js

@@ -27,7 +27,8 @@ plugins.register("/permissions/features", function(ob) {
                 common.returnOutput(params, config);
             })
                 .catch(function(err) {
-                    common.returnMessage(params, 400, 'Error: ' + err);
+                    console.error("Error retrieving SDK config", err);
+                    common.returnMessage(params, 400, 'Error retrieving SDK config');
                 })
                 .finally(function() {
                     resolve();
@@ -72,7 +73,8 @@ plugins.register("/permissions/features", function(ob) {
                     common.returnOutput(params, res.config || {});
                 })
                     .catch(function(err) {
-                        common.returnMessage(params, 400, 'Error: ' + err);
+                        console.error("Error retrieving SDK config", err);
+                        common.returnMessage(params, 400, 'Error retrieving SDK config');
                     });
             });
 

plugins/two-factor-auth/frontend/public/templates/enter2fa_login.html

@@ -88,8 +88,8 @@
                     <%- inject_template.form %>
                 <% } %>
                 <div>
-                    <input type="hidden" value="<%- username %>" name="username"/>
-                    <input type="hidden" value="<%- password %>" name="password"/>
+                    <input type="hidden" value="<%= username %>" name="username"/>
+                    <input type="hidden" value="<%= password %>" name="password"/>
                     <input type="hidden" value="<%= csrf %>" name="_csrf" />
                     <input type="hidden" value="en" name="lang" id="form-lang" />
                     <input id="login-button" value="Continue" type="submit" data-localize="two-factor-auth.continue"/>

plugins/two-factor-auth/frontend/public/templates/setup2fa.html

@@ -81,8 +81,8 @@
                     <% } %>
                     <div>
                         <input type="hidden" value="<%= secret_token %>" name="secret_token"/>
-                        <input type="hidden" value="<%- username %>" name="username"/>
-                        <input type="hidden" value="<%- password %>" name="password"/>
+                        <input type="hidden" value="<%= username %>" name="username"/>
+                        <input type="hidden" value="<%= password %>" name="password"/>
                         <input type="hidden" value="<%= csrf %>" name="_csrf" />
                         <input type="hidden" value="en" name="lang" id="form-lang" />
                     </div>