Merge branch 'master' into dev

Author: dgtlmoon

.github/workflows/test-stack-reusable-workflow.yml

@@ -99,11 +99,7 @@ jobs:
 
       - name: Run Unit Tests
         run: |
-          docker run test-changedetectionio bash -c 'python3 -m unittest changedetectionio.tests.unit.test_notification_diff'
-          docker run test-changedetectionio bash -c 'python3 -m unittest changedetectionio.tests.unit.test_watch_model'
-          docker run test-changedetectionio bash -c 'python3 -m unittest changedetectionio.tests.unit.test_jinja2_security'
-          docker run test-changedetectionio bash -c 'python3 -m unittest changedetectionio.tests.unit.test_semver'
-          docker run test-changedetectionio bash -c 'python3 -m unittest changedetectionio.tests.unit.test_html_to_text'         
+          docker run test-changedetectionio bash -c 'cd changedetectionio;pytest tests/unit/'
 
   # Basic pytest tests with ancillary services
   basic-tests:

changedetectionio/__init__.py

@@ -2,7 +2,7 @@
 
 # Read more https://github.com/dgtlmoon/changedetection.io/wiki
 # Semver means never use .01, or 00. Should be .1.
-__version__ = '0.54.7'
+__version__ = '0.54.8'
 
 from changedetectionio.strtobool import strtobool
 from json.decoder import JSONDecodeError

changedetectionio/blueprint/backups/__init__.py

@@ -98,8 +98,8 @@ def construct_blueprint(datastore: ChangeDetectionStore):
     backups_blueprint.register_blueprint(construct_restore_blueprint(datastore))
     backup_threads = []
 
-    @login_optionally_required
     @backups_blueprint.route("/request-backup", methods=['GET'])
+    @login_optionally_required
     def request_backup():
         if any(thread.is_alive() for thread in backup_threads):
             flash(gettext("A backup is already running, check back in a few minutes"), "error")
@@ -141,8 +141,8 @@ def find_backups():
 
         return backup_info
 
-    @login_optionally_required
     @backups_blueprint.route("/download/<string:filename>", methods=['GET'])
+    @login_optionally_required
     def download_backup(filename):
         import re
         filename = filename.strip()
@@ -165,9 +165,9 @@ def download_backup(filename):
         logger.debug(f"Backup download request for '{full_path}'")
         return send_from_directory(os.path.abspath(datastore.datastore_path), filename, as_attachment=True)
 
-    @login_optionally_required
     @backups_blueprint.route("/", methods=['GET'])
     @backups_blueprint.route("/create", methods=['GET'])
+    @login_optionally_required
     def create():
         backups = find_backups()
         output = render_template("backup_create.html",
@@ -176,8 +176,8 @@ def create():
                                  )
         return output
 
-    @login_optionally_required
     @backups_blueprint.route("/remove-backups", methods=['GET'])
+    @login_optionally_required
     def remove_backups():
 
         backup_filepath = os.path.join(datastore.datastore_path, BACKUP_FILENAME_FORMAT.format("*"))

changedetectionio/blueprint/backups/restore.py

@@ -174,8 +174,8 @@ def construct_restore_blueprint(datastore):
     restore_blueprint = Blueprint('restore', __name__, template_folder="templates")
     restore_threads = []
 
-    @login_optionally_required
     @restore_blueprint.route("/restore", methods=['GET'])
+    @login_optionally_required
     def restore():
         form = RestoreForm()
         return render_template("backup_restore.html",
@@ -184,8 +184,8 @@ def restore():
                                max_upload_mb=_MAX_UPLOAD_BYTES // (1024 * 1024),
                                max_decompressed_mb=_MAX_DECOMPRESSED_BYTES // (1024 * 1024))
 
-    @login_optionally_required
     @restore_blueprint.route("/restore/start", methods=['POST'])
+    @login_optionally_required
     def backups_restore_start():
         if any(t.is_alive() for t in restore_threads):
             flash(gettext("A restore is already running, check back in a few minutes"), "error")

changedetectionio/blueprint/browser_steps/__init__.py

@@ -263,8 +263,8 @@ async def start_browsersteps_session(watch_uuid):
         return browsersteps_start_session
 
 
-    @login_optionally_required
     @browser_steps_blueprint.route("/browsersteps_start_session", methods=['GET'])
+    @login_optionally_required
     def browsersteps_start_session():
         # A new session was requested, return sessionID
         import uuid
@@ -299,8 +299,8 @@ def browsersteps_start_session():
         logger.debug("Starting connection with playwright - done")
         return {'browsersteps_session_id': browsersteps_session_id}
 
-    @login_optionally_required
     @browser_steps_blueprint.route("/browsersteps_image", methods=['GET'])
+    @login_optionally_required
     def browser_steps_fetch_screenshot_image():
         from flask import (
             make_response,
@@ -325,8 +325,8 @@ def browser_steps_fetch_screenshot_image():
             return make_response('Unable to fetch image, is the URL correct? does the watch exist? does the step_type-n.jpeg exist?', 401)
 
     # A request for an action was received
-    @login_optionally_required
     @browser_steps_blueprint.route("/browsersteps_update", methods=['POST'])
+    @login_optionally_required
     def browsersteps_ui_update():
         import base64
 

changedetectionio/content_fetchers/webdriver_selenium.py

@@ -99,15 +99,17 @@ def _run_sync():
 
             from selenium.webdriver.remote.remote_connection import RemoteConnection
             from selenium.webdriver.remote.webdriver import WebDriver as RemoteWebDriver
+            from selenium.webdriver.remote.client_config import ClientConfig
+            from urllib3.util import Timeout
             driver = None
             try:
-                # Create the RemoteConnection and set timeout (e.g., 30 seconds)
-                remote_connection = RemoteConnection(
-                    self.browser_connection_url,
+                connection_timeout = int(os.getenv("WEBDRIVER_CONNECTION_TIMEOUT", 90))
+                client_config = ClientConfig(
+                    remote_server_addr=self.browser_connection_url,
+                    timeout=Timeout(connect=connection_timeout, total=connection_timeout)
                 )
-                remote_connection.set_timeout(30)  # seconds
+                remote_connection = RemoteConnection(client_config=client_config)
 
-                # Now create the driver with the RemoteConnection
                 driver = RemoteWebDriver(
                     command_executor=remote_connection,
                     options=options

changedetectionio/languages.py

@@ -37,6 +37,7 @@ def get_timeago_locale(flask_locale):
         'no': 'nb_NO',      # Norwegian Bokmål
         'hi': 'in_HI',      # Hindi
         'cs': 'en',         # Czech not supported by timeago, fallback to English
+        'ja': 'ja',         # Japanese
         'uk': 'uk',         # Ukrainian
         'en_GB': 'en',      # British English - timeago uses 'en'
         'en_US': 'en',      # American English - timeago uses 'en'

changedetectionio/tests/unit/test_auth_decorator_order.py

@@ -0,0 +1,85 @@
+"""
+Static analysis test: verify @login_optionally_required is always applied
+AFTER (inner to) @blueprint.route(), not before it.
+
+In Flask, @route() must be the outermost decorator because it registers
+whatever function it receives. If @login_optionally_required is placed
+above @route(), the raw unprotected function gets registered and auth is
+silently bypassed (GHSA-jmrh-xmgh-x9j4).
+
+Correct order (route outermost, auth inner):
+    @blueprint.route('/path')
+    @login_optionally_required
+    def view(): ...
+
+Wrong order (auth never called):
+    @login_optionally_required   ← registered by route, then discarded
+    @blueprint.route('/path')
+    def view(): ...
+"""
+
+import ast
+import pathlib
+import pytest
+
+REPO_ROOT = pathlib.Path(__file__).parents[3]  # …/changedetection.io/
+SOURCE_ROOT = REPO_ROOT / "changedetectionio"
+
+
+def _is_route_decorator(node: ast.expr) -> bool:
+    """Return True if the decorator looks like @something.route(...)."""
+    return (
+        isinstance(node, ast.Call)
+        and isinstance(node.func, ast.Attribute)
+        and node.func.attr == "route"
+    )
+
+
+def _is_auth_decorator(node: ast.expr) -> bool:
+    """Return True if the decorator is @login_optionally_required."""
+    return isinstance(node, ast.Name) and node.id == "login_optionally_required"
+
+
+def collect_violations() -> list[str]:
+    violations = []
+
+    for path in SOURCE_ROOT.rglob("*.py"):
+        try:
+            tree = ast.parse(path.read_text(encoding="utf-8"), filename=str(path))
+        except SyntaxError:
+            continue
+
+        for node in ast.walk(tree):
+            if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
+                continue
+
+            decorators = node.decorator_list
+            auth_indices = [i for i, d in enumerate(decorators) if _is_auth_decorator(d)]
+            route_indices = [i for i, d in enumerate(decorators) if _is_route_decorator(d)]
+
+            # Bad order: auth decorator appears at a lower index (higher up) than a route decorator
+            for auth_idx in auth_indices:
+                for route_idx in route_indices:
+                    if auth_idx < route_idx:
+                        rel = path.relative_to(REPO_ROOT)
+                        violations.append(
+                            f"{rel}:{node.lineno} — `{node.name}`: "
+                            f"@login_optionally_required (line {decorators[auth_idx].lineno}) "
+                            f"is above @route (line {decorators[route_idx].lineno}); "
+                            f"auth wrapper will never be called"
+                        )
+
+    return violations
+
+
+def test_auth_decorator_order():
+    violations = collect_violations()
+    if violations:
+        msg = (
+            "\n\nFound routes where @login_optionally_required is placed ABOVE @blueprint.route().\n"
+            "This silently disables authentication — @route() registers the raw function\n"
+            "and the auth wrapper is never called.\n\n"
+            "Fix: move @blueprint.route() to be the outermost (topmost) decorator.\n\n"
+            + "\n".join(f"  • {v}" for v in violations)
+        )
+        pytest.fail(msg)

changedetectionio/tests/unit/test_conditions.py

@@ -64,7 +64,7 @@ def test_conditions_execution_pass(self):
                 "conditions": [
                     {"operator": ">=", "field": "extracted_number", "value": "10"},
                     {"operator": "<=", "field": "extracted_number", "value": "5000"},
-                    {"operator": "in", "field": "page_text", "value": "rock"},
+                    {"operator": "in", "field": "page_filtered_text", "value": "rock"},
                     #{"operator": "starts_with", "field": "page_text", "value": "I saw"},
                 ]
             }

changedetectionio/translations/README.md

@@ -76,6 +76,7 @@ These commands read settings from `../../setup.cfg` automatically.
 - `en_US` - English (US)
 - `fr` - French (Français)
 - `it` - Italian (Italiano)
+- `ja` - Japanese (日本語)
 - `ko` - Korean (한국어)
 - `zh` - Chinese Simplified (中文简体)
 - `zh_Hant_TW` - Chinese Traditional (繁體中文)