Upgrade Axios to solve Header Injection via Prototype
Pollution high vulnerability
Change-Id: Ia4554e195a636dc3c36e5073002604b955f62a68
(cherry picked from commit 86b439932b)
.touch() cannot be called on the label
input because there are no validations
on the field
Change-Id: I238af53e835ba08cec9d941c75f960739f0c75b4
(cherry picked from commit 74b8a4eb73)
* Replaces PROFILE_ATTRIBUTES_MAP.* lookups for
PROFILE_ATTRIBUTE_MAP.managerSecretary and
PROFILE_ATTRIBUTE_MAP.autoAttendant on the
Manager Secretary and Auto Attendant submenu checks
Change-Id: I4b5395afa037bcd043357965a4f56d7d8d92de7a
(cherry picked from commit 628f6f2b50)
- Removed "Hide number within own PBX" from PBX Seat creation form
- Removed "Hide number within own PBX" from PBX Seats actions menu
- Removed "Music on hold" from PBX Seats actions menu
These preferences are now only configurable in the PBX Seat details to avoid duplication and simplify the UI.
Change-Id: I8c9c8967bf4039f02b5848dea33285d04b0451c1
(cherry picked from commit 2971827b0a)
* Fixes missing translation for "If not available"
in German
* Call back button on the subscriber phonebook
was moved before the more menu
Change-Id: I6daa0623173c0251c2c72149419bc8f122687473
(cherry picked from commit 397d6bdbea)
Fix default value for CQ part:
If the subscriber has call queue activated, use their wrap-up time
as the default value; otherwise, set the default value to 10.
Change-Id: I1e11417690d4119ce396939721cbc96f6c5ef9b8
(cherry picked from commit 6e1140713d)
- Removed `crypto-browserify` from package.json and quasar.config.js
(unused webpack polyfill that was bundling vulnerable bn.js and
elliptic into the production build)
Bumped up packages:
* glob
* globals
* jest
* @quasar/app-webpack
Yarn resolutions added
- `serialize-javascript: ^7.0.3` — fixes high-severity RCE vulnerability
via RegExp.flags/Date.toISOString() (CVE in terser-webpack-plugin and
@quasar/ssr-helpers paths)
- `**/postcss-svgo/svgo: ^4.0.1` — fixes high-severity Billion Laughs
DoS (XML entity expansion) in cssnano's SVG optimization pipeline
- `dot-object/minimatch: ^3.1.2` — fixes high-severity ReDoS in
dot-object's glob dependency
- `**/flatted: 3.4.0` — fixes high-severity unbounded recursion DoS
in eslint and eslint-webpack-plugin's caching layer
What remains (30 vulnerabilities — all upstream-blocked)
The remaining vulnerabilities are entirely confined to dev-only
tooling and cannot be fixed without upstream releases:
- minimatch ReDoS across jest, @vue/test-utils, jest-serializer-vue,
@quasar/app-webpack, @quasar/quasar-app-extension-testing-unit-jest
- ajv ReDoS across eslint, eslint-webpack-plugin, @quasar/app-webpack
- webpack SSRF (buildHttp feature, not used in this project)
- qs DoS in webpack-dev-server's express (local dev only)
- esbuild dev server CORS issue (local dev only)
- vue-template-compiler XSS (no patch available upstream)
- tmp symlink issue, @tootallnate/once control flow (test tooling only)
Change-Id: I72f34757538f97bb3495a57d7f0263df58102f1e
(cherry picked from commit 1ebe3c0683)
Remove the use of apiv2 for the customer phonebook
requests as the endpoint is not available on mr13.5.x.
NGCP-Flow: mr13.5
Change-Id: I7f9baffd78f01ffb244209f714126726676252b7
- Convert all actions from .then()/.catch() chains to async/await
- Extract savePreference() helper to centralise error handling and
state commits, avoiding repetition across every action
- Extract updateBooleanPreference() helper. It covers the following
scenarios:
* new value is false: remove PATCH property in DB
* new value is true: add PATCH property in DB
* new value is true AND the value already exists in the
customer preferences: replace PATCH to amend property in DB
(added to avoid regression introduced by previous code, which
saved a property as false instead of removing it)
- Add proper add/set/remove logic to updateBlockInList,
updateBlockOutList and updateBlockOutOverridePin: previously all
three always called setCustomerPreference regardless of whether the
preference existed or was empty
- Split logic to add, remove and edit customer preferences
Change-Id: Ie419de31631b9ef1b06653446dfbe1a33a10c225
(cherry picked from commit 58e7a88272)
* Implemented priority flow as sort -> normalize to 0..n-1
across fetch/create/edit/remove
* On creation handles priority incrementally
* On edit, arranges and normalizes (if needed) priority values
* Enforced the same move rules in store action (moveDestination)
to block invalid reorders.
* Removes references to LocalSubscriber
* Fixes unit tests
Change-Id: Ib64cc30ea75141692085ec38df5c528565389469
(cherry picked from commit 38d6e2089c)
The CF to Local Subscriber feature has been removed
in ticket MT#59011 but never deleted from CSC.
Change-Id: I1ed32c4db3e4ee2e0be8ab2218efe0ec48c3a098
(cherry picked from commit 8c51d8f041)
- Add filter by name as a default search criteria for subscriber
phonebook
Change-Id: I5248f098d9b5ae9e792222f6e185695aa150e8ab
(cherry picked from commit 45131fd432)
* fix updateSharedValue to be less flaky: it was using
the reference of row, mutated, to make the backend request.
It now uses a value stored in a variable.
* amend getList to make sure we pass the default page (1)
when looking for all rows with api v1.
Change-Id: Ia8c4fcb1547c16a6a3e862f864fbc5aecda3e065
(cherry picked from commit 9db53bc3ce)
Our nightly tests flagged the fact that
the feature was unstable and unreliable.
Changes:
* Extract subscriber phonebook api and state
* Change direct use of http in the sub-phonebook
method to use the relevant method in common.js
* Simplify logic to PATCH single properties
with a unique PUT in the Phonebook entry form
* Amend getList, handleResponseError and
put to allow use with API v2 endpoints
* Amend translations and methods to replace
"phonebook" with "phonebook entry" where
necessary
Change-Id: I189d45fe426a1ded400a251d7efdfa72f76f9061
(cherry picked from commit ff40864da0)
Update axios to version 1.13.5 to fix a
denial-of-service issue in mergeConfig when
using a malicious config object.
Change-Id: I4c1d2b3de42d7ab854ffaaee07e30fcb98d4cadc
(cherry picked from commit d62d29bfc1)
- Keep callNumberInput getter returning full input for display purposes
- Use callNumberNormalized getter to strip domain before making calls
- Add callNumberNormalized to component's mapped getters
- Update startCall validation to use normalized number
Change-Id: I4172a4f426bf7f827e3ff717a901b8a64f4264d1
(cherry picked from commit afd3e09d55)
- force @isaacs/brace-expansion 5.0.1 (patches minimatch/glob issue)
- force qs 6.14.1 (patches express/body-parser issue from quasar tooling)
- force tar 7.5.7 (patches node-gyp/tar issue pulled via npm)
- note: npm itself has no patch plus the dep was not used so we
removed it.
Change-Id: Ic145cbc509d80cf9d96b9a053de1ce0a7d8dc5a8
(cherry picked from commit cecc11ab30)
The custom announcements were not showing in
the CF menu under the PBXGroup section
because the action to load the announcements
was missing from the mounting hook.
Change-Id: I5813f2ce4471aa5a51ebc08ed3cdc08bde16b931
(cherry picked from commit acd9d84724)
Trickle ICE candidate updates were not sent through
to kamailio/rtpengine. This was happening because
there was no ICE configuration.
Change-Id: I2a3ae1ab92ac9d6e766bd46915930fd553a6ff26
(cherry picked from commit ed162e8e56)
Bump axios from previous version to 1.13.1 for security and stability improvements
Change-Id: I3855f02d71837f0b6c7e86590f6b8e5ab16d2cb4
(cherry picked from commit 3a6f992f4a)
* Adds new messages for CE users to replace the
"No Calls, Voicemails or Faxes found" greeting
and "Calls, Faxes, VoiceMails" submenu item with
"No Calls or Voicemails found" and "Calls, VoiceMails"
respectively
* Adds translations for both the "No Calls or Voicemails found"
and "Calls, VoiceMails" messages
* Fixes typo in the word occurred on en.json
* Fixes some French and Spanish translation errors
* Fixes the call Cost formatting under CscCallItem.vue
Change-Id: I0da1dbf78ea1a609a0e1861fa1c14ee41a41d563
(cherry picked from commit 4d92ef013e)
The issue was caused by a conditional (v-if="!menuMinimized") inside the <q-toolbar>.
menuMinimized property controls whether the side menu is collapsed
or expanded and affects multiple components.
When it changes (on hover or pin toggle), the layout width updates,
which can trigger the ResizeObserver.
Using v-if was recreating/destroying the element each time,
causing unnecessary layout recalculations.
The solution is to replace it with v-show="!menuPinned" which keeps
the element in the DOM (only toggles display), preventing extra
ResizeObserver triggers and making transitions smoother.
Change-Id: I2e544bb0451cc6a17a4bbeaf482ce678173adcd4
(cherry picked from commit 69e43c898e)
Remove the adminOnly check on this route.
Access to this page should be permitted for
PBX users, regardless of their admin status.
Change-Id: Ida69f96acc1e15b8779df7893202519450c77ff3
(cherry picked from commit f0bc84584b)
This commit disables subscriber phonebook in CE platforms
as the header manipulation and phonebook are only pro/carrier
features.
Change-Id: Icb5ceec69f675fbac61e9daf81698c81d0c8c28d
(cherry picked from commit 31fa24a8c9)
Add the query param ?create_primary_acli=false
to PATCH /api/numbers/{id} as default
behaviour.
Change-Id: Ib05602ed7850a19c4a984576fd3645ec158c4b0d
(cherry picked from commit 7cb3addfb9)
Fixed an issue where the component tried to access the `id` property
of `this.groupSelected` when it was undefined. This happened because
the state gets cleared on refresh, and the component didn't have a
check to reload the necessary resources.
- Added check to ensure resources are reloaded if state is cleared
- Prevent accessing `id` of undefined in the component
Change-Id: Ib6b669df87d255cf174254b32fa1c451d0901f73
(cherry picked from commit 4e72e67697)
The PBX seat page was crashing because v2 calls always return
unauthorized. An investigation is ongoing to determine whether
NCOS seat should be accessed by subscriber. In the meantime,
errors are handled gracefully so the user can continue using
the app.
Change-Id: Ie4ce6c7970815b448f406bb5e64aeefda348aeed
(cherry picked from commit f34d8e153d)
Display transcriptions in a separate dialog accessible
by the 3 dots menu in the voicebox tables and by the
document icon in the call recordings list.
Change-Id: I6ad42760dc65b3df178afe23ac4c5f19a7c4cf43
On initUser the app tries to push items to the
router before it is initialized, which results
in the error "Can't access property push,
this.$router is undefined". We add optional
chaining to prevent this from happening.
Change-Id: I6e2bf6336c8e91682962154219fc1c0bc1dbeacb
In CscPageCallRecording a watch function was directly
modifying the Vuex state, which is not allowed in
strict mode. This change ensures that each recording
object is cloned before modification, preventing
unintended mutations of store data.
Change-Id: Ie564da2ce31bd61772a05450be21a9a0717632ef
Use new /api/conversations properties to show
phonebook name matching. If the number is
not saved in the phonebook the app shows
the simple number.
Change-Id: Ia80a74c74ea250ed4f697b2897aba380d49bc8ca
Revert changes from commit 716d45f6 that altered setPreference.
The previous commit limited the function to handling only true/false
preferences, removing the ability to replace existing values.
This change restores the original behavior, allowing setPreference
to update existing preferences with new values, not just booleans.
Change-Id: I9658515d9714c30607a652fcc0ee3af86a0c8fcd
Remove the following obsolete attributes from the
Subscriber Profiles list in the Admin UI:
- rerouting_mode
- rerouting_codes
- fileshare
- sms
Change-Id: I6074322155329ad9d9c15f65782f3ae76eac7848
This update introduced many breaking changes.
Listed here the most important ones:
* quasar.conf.js file has been renamed
quasar.config.js.
* Quasar v4 replaced the old /src/index.template.html
with a new /index.html at the root of the project.
The special comment <!-- quasar:entry-point -->
is used to inject scripts/styles automatically.
* Use setupMiddlewares instead of onBeforeSetupMiddleware.
* proxy is now an array of proxy config objects.
* Dropped support for Vuex. We can still use Vuex as any
Vue plugin, but we have to manage everything (installing the
store, no store parameter in boot files, etc.).
We'll migrate to Pinia asap.
* Updated postcssrc according to docs
Change-Id: I585a3e2d17f666d9ca2773fa446d644f0fc201a2
- Verify and correct route access for admin-only CSC pages
- Update route guard logic to support:
* User role (admin / non-admin)
* Exact match on user profile attribute
* Presence of one or more profile attributes
* Required licenses (all must exist)
* Exact platform feature
* Exact capability match
- Ensure route guards match menu visibility restrictions
- Document route guards and menu visibility logic
- Note: for fax settings, we use the extra variable
`isFaxServerSettingsActive` to determine whether the toggle
in the fax server menu should be on or off.
Change-Id: Id60a0e8b2145701ed4ae52d0859da46172076a89
Allow setting a free-text label when configuring lines
(Forward, Transfer, SpeedDial) with a custom entry.
The label is only applied if a target number is set.
Change-Id: Ida316ac79d454145ae1238ca5d297bff28c92af7
Previously, the arrays for weekdays and months didn’t match
the values used in admin-ui (Sunday=1, Saturday=7, January=1,
December=12). This commit updates the calculation function
to match admin-ui conventions, ensuring consistency since
the data originates from the admin panel and is read-only here.
Change-Id: I121c18ffb901beaece19124865b88259ffcb2d3f
Updated access rules for ADMIN subscribers:
- "Fax Settings > Mail to Fax" is now always visible.
* Admin users: The "ACTIVE" toggle can be changed,
and content is editable.
* Non-Admin users: The "ACTIVE" toggle cannot be changed,
and content is editable.
- "PBX Configuration > Seats > ID > Fax Settings > Mail to Fax" is
now always visible
* Admin users: The "ACTIVE" toggle can now be changed,
and content is editable.
* Non-Admin users: menu not visible
Change-Id: I1f30be27fde8a20092d8321e128f5d27dceec734