Open-source IoT Platform - Device management, data collection, processing and visualization.

dashboardjavacloudcoapiotiot-analyticsiot-platformiot-solutionskafkalwm2mmicroservicesmiddlewaremqttnettyplatformsnmpthingsboardvisualizationwebsocketswidgets

You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

Tree: cf9846a58c

AlexDoanTB-patch-1

_tbel_fix_bug_tb_date_timezone_pattern

bug/update-service-content-type

bug/yml-change-check

coap_dtls

copilot/fix-protobuf-field-names

copilot/sub-pr-14760

domains

edqs-grafana

feature/alarm-count-query

feature/basic-widget-config

feature/cf-merge-function

feature/cfs

feature/cn-locale-improvements

feature/controller-logging

feature/deduplication-node

feature/device-library

feature/edqv2

feature/firmware-footprint

feature/home-page

feature/html-container-widget

feature/iot-hub

feature/iot-hub-item-link

feature/lts-4.3-iot-hub

feature/lts-4.3-iot-hub-alarm-rules

feature/menu-refactoring

feature/proto

feature/queries-not-option

feature/queue-consumer-manager

feature/rate-limits-notifications

feature/rpc-monitoring-lts-4.2

feature/rule-node-cache

feature/serialization

feature/sticky-partitioning

feature/sub-service-improvement

feature/tb-event

feature/tenant-export

feature/user-notification-settings

feature/user-settings

feature/websocket-rpc

feature/widget-bundles

fix/activity-notification

fix/alarm-propagation

fix/alarm-rules-doc

fix/gradle-warning-mode-parallel-timeout

fix/msa-tests-log

fix/openapi-spec

fix/rest-api-call-node-blocking-actor-thread

fix_bug_coap_tests

fix_bug_copas_Access_Token_DTLS

fix_bug_tbDate_Object_mapper

fix_bug_transactional_other_entity_with_tests

gh-protection-test

hotfix

improvement/ws/sanitized

improvements/isolated-queues

improvements/tb-upgrade

lts-4.2

lts-4.3

lts-4.3-rc

lts-patch-system-images

lwm2m_fix_bug_null_point_profileleid_after_sleep_master

master

msa-cfs-tests-trace-logs

oauth2_refactoring

rc

rc-4.1.1

release-1.0

release-1.1

release-1.2

release-1.3

release-1.4

release-2.0

release-2.2

release-2.3

release-2.4

release-2.5

release-3.0

release-3.1

release-3.2

release-3.3

release-3.3-CVE-2022-22965

release-3.4

release-3.5

release-3.6

release-3.7

release-3.8

release-3.9

release-4.0

release-4.1

release-4.2

release-4.3

sparkplag_Telemetry

sparkplug-any-name-node-unique-device-names

sparkplug-any-name-node-unique-device-names_temp

system-params-js-evaluator

tbel_encodeUri

test_suite_testcontaihers_2_02

vb-master

vb-rc

wire-schema-replacement

v1.0

v1.0.1

v1.0.2

v1.0.3

v1.1

v1.2

v1.2.1

v1.2.2

v1.2.3

v1.3

v1.3.1

v1.4

v2.0

v2.0.1

v2.0.2

v2.0.3

v2.1

v2.1.1

v2.1.2

v2.1.3

v2.2

v2.3

v2.3.1

v2.4

v2.4.1

v2.4.2

v2.4.2.1

v2.4.3

v2.5

v2.5.1

v2.5.2

v2.5.3

v2.5.4

v2.5.5

v2.5.6

v3.0

v3.0.1

v3.1

v3.1.1

v3.2

v3.2.1

v3.2.2

v3.3

v3.3.1

v3.3.2

v3.3.3

v3.3.4

v3.3.4.1

v3.4

v3.4.1

v3.4.2

v3.4.3

v3.4.4

v3.5

v3.5.1

v3.6

v3.6.1

v3.6.2

v3.6.3

v3.6.4

v3.7

v3.8

v3.8.1

v3.9

v3.9.1

v4.0

v4.0.1

v4.0.2

v4.1

v4.2

v4.2.1

v4.2.1.1

v4.2.1.2

v4.2.2

v4.2.2.1

v4.2.2.2

v4.3

v4.3.0.1

v4.3.1

v4.3.1.1

v4.3.1.2

Branches Tags

${ item.name }

Create tag ${ searchTerm }

Create branch ${ searchTerm }

from 'cf9846a58c'

${ noResults }

thingsboard/msa/js-executor/api

History

Sergey Matvienko e5734208e9 Hardened tb-js-executor sandbox script invocation (JVN#16937365) The args array passed into the sandbox carried the host realm prototype chain, so a script could reach the host Function constructor via args.constructor.constructor and execute arbitrary code in the host process (read files, run shell commands, dump env vars). Construct args inside the sandbox context using vm.runInContext('[]'), then populate with string primitives. The resulting array's prototype chain belongs to the sandbox realm, so constructor traversal cannot escape. Strings are primitives and safe to cross the realm boundary. Affects use_sandbox=true path only. The use_sandbox=false path (invokeFunction) is intentionally left as-is and explicitly marked as dangerous-by-design — it compiles and runs user-supplied scripts in the host realm via vm.compileFunction (parsingContext only isolates parsing, not execution). It remains as a documented performance trade-off for trusted, non-public clusters; a startup WARN is logged when script.use_sandbox=false, and an operator-facing yaml comment sits next to the setting in config/default.yml. Reported by Hiroki Imai, LAC Co., Ltd.		3 weeks ago
..
httpServer.ts	Update license header	5 months ago
jsExecutor.models.ts	Update license header	5 months ago
jsExecutor.ts	Hardened tb-js-executor sandbox script invocation (JVN#16937365)	3 weeks ago
jsInvokeMessageProcessor.ts	Update license header	5 months ago
utils.ts	Update license header	5 months ago