From 27508d934dc7df489638c686317a894877b1a407 Mon Sep 17 00:00:00 2001
From: Sam Rose <hello@samwho.dev>
Date: Fri, 4 Oct 2024 10:45:03 +0100
Subject: [PATCH 01/13] Validate that you cannot create a calculation view with
 more than 5 calculation fields.

---
 .../src/api/routes/tests/viewV2.spec.ts       | 47 +++++++++++++++++++
 packages/server/src/sdk/app/views/index.ts    |  8 ++++
 2 files changed, 55 insertions(+)

diff --git a/packages/server/src/api/routes/tests/viewV2.spec.ts b/packages/server/src/api/routes/tests/viewV2.spec.ts
index a1a4475ee5..7ad1be4c1f 100644
--- a/packages/server/src/api/routes/tests/viewV2.spec.ts
+++ b/packages/server/src/api/routes/tests/viewV2.spec.ts
@@ -568,6 +568,53 @@ describe.each([
         expect(sum.calculationType).toEqual(CalculationType.SUM)
         expect(sum.field).toEqual("Price")
       })
+
+      it("cannot create a calculation view with more than 5 aggregations", async () => {
+        await config.api.viewV2.create(
+          {
+            tableId: table._id!,
+            name: generator.guid(),
+            schema: {
+              sum: {
+                visible: true,
+                calculationType: CalculationType.SUM,
+                field: "Price",
+              },
+              count: {
+                visible: true,
+                calculationType: CalculationType.COUNT,
+                field: "Price",
+              },
+              min: {
+                visible: true,
+                calculationType: CalculationType.MIN,
+                field: "Price",
+              },
+              max: {
+                visible: true,
+                calculationType: CalculationType.MAX,
+                field: "Price",
+              },
+              avg: {
+                visible: true,
+                calculationType: CalculationType.AVG,
+                field: "Price",
+              },
+              sum2: {
+                visible: true,
+                calculationType: CalculationType.SUM,
+                field: "Price",
+              },
+            },
+          },
+          {
+            status: 400,
+            body: {
+              message: "Calculation views can only have a maximum of 5 fields",
+            },
+          }
+        )
+      })
     })
 
     describe("update", () => {
diff --git a/packages/server/src/sdk/app/views/index.ts b/packages/server/src/sdk/app/views/index.ts
index 73785edd98..be7259b057 100644
--- a/packages/server/src/sdk/app/views/index.ts
+++ b/packages/server/src/sdk/app/views/index.ts
@@ -64,6 +64,14 @@ async function guardCalculationViewSchema(
   view: Omit<ViewV2, "id" | "version">
 ) {
   const calculationFields = helpers.views.calculationFields(view)
+
+  if (Object.keys(calculationFields).length > 5) {
+    throw new HTTPError(
+      "Calculation views can only have a maximum of 5 fields",
+      400
+    )
+  }
+
   for (const calculationFieldName of Object.keys(calculationFields)) {
     const schema = calculationFields[calculationFieldName]
     const isCount = schema.calculationType === CalculationType.COUNT

From 27578db4b7e0298cd11aa937f7b795252bf8e918 Mon Sep 17 00:00:00 2001
From: Sam Rose <hello@samwho.dev>
Date: Mon, 7 Oct 2024 09:48:33 +0100
Subject: [PATCH 02/13] Fix SQS error handling.

---
 packages/backend-core/src/db/couch/DatabaseImpl.ts | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/packages/backend-core/src/db/couch/DatabaseImpl.ts b/packages/backend-core/src/db/couch/DatabaseImpl.ts
index 274c1b9e93..2ca52a2dce 100644
--- a/packages/backend-core/src/db/couch/DatabaseImpl.ts
+++ b/packages/backend-core/src/db/couch/DatabaseImpl.ts
@@ -371,11 +371,15 @@ export class DatabaseImpl implements Database {
     return this.performCall(() => {
       return async () => {
         const response = await directCouchUrlCall(args)
-        const json = await response.json()
-        if (response.status > 300) {
-          throw json
+        if (response.status >= 300) {
+          const text = await response.text()
+          console.error(`SQS error: ${text}`)
+          throw new CouchDBError(
+            "error while running SQS query, please try again later",
+            { name: "sqs_error", status: response.status }
+          )
         }
-        return json as T
+        return (await response.json()) as T
       }
     })
   }

From e6e25fdf943d69e975f025bec9e51dc26227dec1 Mon Sep 17 00:00:00 2001
From: Sam Rose <hello@samwho.dev>
Date: Mon, 7 Oct 2024 14:59:29 +0100
Subject: [PATCH 03/13] Allow calculation views to hide required fields.

---
 .../src/api/routes/tests/viewV2.spec.ts       | 20 +++++++++++++++++++
 packages/server/src/sdk/app/views/index.ts    |  3 ++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/packages/server/src/api/routes/tests/viewV2.spec.ts b/packages/server/src/api/routes/tests/viewV2.spec.ts
index 5238b9b752..22c83419a4 100644
--- a/packages/server/src/api/routes/tests/viewV2.spec.ts
+++ b/packages/server/src/api/routes/tests/viewV2.spec.ts
@@ -1024,6 +1024,26 @@ describe.each([
             )
           })
 
+          it("can add a new group by field that is invisible, even if required on the table", async () => {
+            view.schema!.name = { visible: false }
+            await config.api.viewV2.update(view)
+
+            const { rows } = await config.api.row.search(view.id)
+            expect(rows).toHaveLength(2)
+            expect(rows).toEqual(
+              expect.arrayContaining([
+                {
+                  country: "USA",
+                  age: 65,
+                },
+                {
+                  country: "UK",
+                  age: 61,
+                },
+              ])
+            )
+          })
+
           it("can add a new calculation field", async () => {
             view.schema!.count = {
               visible: true,
diff --git a/packages/server/src/sdk/app/views/index.ts b/packages/server/src/sdk/app/views/index.ts
index 73785edd98..32fd696f20 100644
--- a/packages/server/src/sdk/app/views/index.ts
+++ b/packages/server/src/sdk/app/views/index.ts
@@ -178,7 +178,7 @@ function checkRequiredFields(
       continue
     }
 
-    if (!viewSchemaField?.visible) {
+    if (!helpers.views.isCalculationView(view) && !viewSchemaField?.visible) {
       throw new HTTPError(
         `You can't hide "${field.name}" because it is a required field.`,
         400
@@ -186,6 +186,7 @@ function checkRequiredFields(
     }
 
     if (
+      viewSchemaField &&
       helpers.views.isBasicViewField(viewSchemaField) &&
       viewSchemaField.readonly
     ) {

From f2e78ec4d500ae03b3bd1e2530c9e0893fdefe91 Mon Sep 17 00:00:00 2001
From: Sam Rose <hello@samwho.dev>
Date: Mon, 7 Oct 2024 16:39:44 +0100
Subject: [PATCH 04/13] Don't check required fields at all for calculation
 views.

---
 packages/server/src/sdk/app/views/index.ts | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/packages/server/src/sdk/app/views/index.ts b/packages/server/src/sdk/app/views/index.ts
index 32fd696f20..fe2360f9d0 100644
--- a/packages/server/src/sdk/app/views/index.ts
+++ b/packages/server/src/sdk/app/views/index.ts
@@ -114,7 +114,11 @@ async function guardViewSchema(
   }
 
   await checkReadonlyFields(table, view)
-  checkRequiredFields(table, view)
+
+  if (!helpers.views.isCalculationView(view)) {
+    checkRequiredFields(table, view)
+  }
+
   checkDisplayField(view)
 }
 
@@ -178,7 +182,7 @@ function checkRequiredFields(
       continue
     }
 
-    if (!helpers.views.isCalculationView(view) && !viewSchemaField?.visible) {
+    if (!viewSchemaField?.visible) {
       throw new HTTPError(
         `You can't hide "${field.name}" because it is a required field.`,
         400
@@ -186,7 +190,6 @@ function checkRequiredFields(
     }
 
     if (
-      viewSchemaField &&
       helpers.views.isBasicViewField(viewSchemaField) &&
       viewSchemaField.readonly
     ) {

From af2071c60cee190afd0dd2e1198ccdb9b098c347 Mon Sep 17 00:00:00 2001
From: Martin McKeaveney <martinmckeaveney@gmail.com>
Date: Mon, 7 Oct 2024 16:44:28 +0100
Subject: [PATCH 05/13] fixing vulns for ent client

---
 hosting/proxy/nginx.prod.conf                 |  2 +-
 .../controllers/static/templates/preview.hbs  |  2 +-
 packages/server/src/environment.ts            |  1 +
 .../src/sdk/app/rows/tests/utils.spec.ts      | 41 +++++++++++++++++++
 packages/server/src/sdk/app/rows/utils.ts     | 10 +++++
 5 files changed, 54 insertions(+), 2 deletions(-)

diff --git a/hosting/proxy/nginx.prod.conf b/hosting/proxy/nginx.prod.conf
index 59722dac5c..6d5db51bce 100644
--- a/hosting/proxy/nginx.prod.conf
+++ b/hosting/proxy/nginx.prod.conf
@@ -51,7 +51,7 @@ http {
     proxy_buffering off;
 
     set $csp_default "default-src 'self'";
-    set $csp_script "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.budibase.net https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io https://d2l5prqdbvm3op.cloudfront.net https://us-assets.i.posthog.com";
+    set $csp_script "script-src 'self' 'nonce-builderPreview' unsafe-eval' https://*.budibase.net https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io https://d2l5prqdbvm3op.cloudfront.net https://us-assets.i.posthog.com";
     set $csp_style "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me https://maxcdn.bootstrapcdn.com";
     set $csp_object "object-src 'none'";
     set $csp_base_uri "base-uri 'self'";
diff --git a/packages/server/src/api/controllers/static/templates/preview.hbs b/packages/server/src/api/controllers/static/templates/preview.hbs
index 54b5b1a4e4..be38825ec9 100644
--- a/packages/server/src/api/controllers/static/templates/preview.hbs
+++ b/packages/server/src/api/controllers/static/templates/preview.hbs
@@ -31,7 +31,7 @@
     }
   </style>
   <script src='{{ clientLibPath }}'></script>
-  <script>
+  <script nonce="builderPreview">
     function receiveMessage(event) {
       if (!event.data) {
         return
diff --git a/packages/server/src/environment.ts b/packages/server/src/environment.ts
index 585eb6a7f2..45d675ec3f 100644
--- a/packages/server/src/environment.ts
+++ b/packages/server/src/environment.ts
@@ -83,6 +83,7 @@ const environment = {
   PLUGINS_DIR: process.env.PLUGINS_DIR || DEFAULTS.PLUGINS_DIR,
   MAX_IMPORT_SIZE_MB: process.env.MAX_IMPORT_SIZE_MB,
   SESSION_EXPIRY_SECONDS: process.env.SESSION_EXPIRY_SECONDS,
+  XSS_SAFE_MODE: process.env.XSS_SAFE_MODE,
   // SQL
   SQL_MAX_ROWS: process.env.SQL_MAX_ROWS,
   SQL_LOGGING_ENABLE: process.env.SQL_LOGGING_ENABLE,
diff --git a/packages/server/src/sdk/app/rows/tests/utils.spec.ts b/packages/server/src/sdk/app/rows/tests/utils.spec.ts
index 548b2b6bc9..cd25880a85 100644
--- a/packages/server/src/sdk/app/rows/tests/utils.spec.ts
+++ b/packages/server/src/sdk/app/rows/tests/utils.spec.ts
@@ -8,6 +8,7 @@ import {
 import { generateTableID } from "../../../../db/utils"
 import { validate } from "../utils"
 import { generator } from "@budibase/backend-core/tests"
+import environment from "../../../../environment"
 
 describe("validate", () => {
   const hour = () => generator.hour().toString().padStart(2, "0")
@@ -332,4 +333,44 @@ describe("validate", () => {
       })
     })
   })
+
+  describe("XSS Safe mode", () => {
+    const getTable = (): Table => ({
+      type: "table",
+      _id: generateTableID(),
+      name: "table",
+      sourceId: INTERNAL_TABLE_SOURCE_ID,
+      sourceType: TableSourceType.INTERNAL,
+      schema: {
+        text: {
+          name: "sometext",
+          type: FieldType.STRING,
+        },
+      },
+    })
+    it.each([
+      "SELECT * FROM users WHERE username = 'admin' --",
+      "SELECT * FROM users WHERE id = 1; DROP TABLE users;",
+      "1' OR '1' = '1",
+      "' OR 'a' = 'a",
+      "<script>alert('XSS');</script>",
+      "\"><img src=x onerror=alert(1)>",
+      "</script><script>alert('test')</script>",
+      "<div onmouseover=\"alert('XSS')\">Hover over me!</div>",
+      "'; EXEC sp_msforeachtable 'DROP TABLE ?'; --",
+      "{alert('Injected')}",
+      "UNION SELECT * FROM users",
+      "INSERT INTO users (username, password) VALUES ('admin', 'password')",
+      "/* This is a comment */ SELECT * FROM users",
+      "<iframe src=\"http://malicious-site.com\"></iframe>"
+    ])('test potentially unsafe input: %s', async input => {
+      environment.XSS_SAFE_MODE = true
+      const table = getTable()
+      const row = { text: input }
+      const output = await validate({ source: table, row })
+      expect(output.valid).toBe(false)
+      expect(output.errors).toBe(["Input not sanitised - potentially vulnerable to XSS"])
+      environment.XSS_SAFE_MODE = false
+    })
+  })
 })
diff --git a/packages/server/src/sdk/app/rows/utils.ts b/packages/server/src/sdk/app/rows/utils.ts
index 6ef4dcbc8e..4c02889f8f 100644
--- a/packages/server/src/sdk/app/rows/utils.ts
+++ b/packages/server/src/sdk/app/rows/utils.ts
@@ -22,6 +22,7 @@ import { extractViewInfoFromID, isRelationshipColumn } from "../../../db/utils"
 import { isSQL } from "../../../integrations/utils"
 import { docIds, sql } from "@budibase/backend-core"
 import { getTableFromSource } from "../../../api/controllers/row/utils"
+import env from "../../../environment"
 
 const SQL_CLIENT_SOURCE_MAP: Record<SourceName, SqlClient | undefined> = {
   [SourceName.POSTGRES]: SqlClient.POSTGRES,
@@ -43,6 +44,8 @@ const SQL_CLIENT_SOURCE_MAP: Record<SourceName, SqlClient | undefined> = {
   [SourceName.BUDIBASE]: undefined,
 }
 
+const XSS_INPUT_REGEX =  /[<>;"'(){}]|--|\/\*|\*\/|union|select|insert|drop|delete|update|exec|script/i
+
 export function getSQLClient(datasource: Datasource): SqlClient {
   if (!isSQL(datasource)) {
     throw new Error("Cannot get SQL Client for non-SQL datasource")
@@ -222,6 +225,13 @@ export async function validate({
     } else {
       res = validateJs.single(row[fieldName], constraints)
     }
+
+    if (env.XSS_SAFE_MODE && typeof row[fieldName] === "string") {
+      if (XSS_INPUT_REGEX.test(row[fieldName])) {
+        errors[fieldName] = ['Input not sanitised - potentially vulnerable to XSS']
+      }
+    }
+
     if (res) errors[fieldName] = res
   }
   return { valid: Object.keys(errors).length === 0, errors }

From ce61af1331ebaf6034b05af69afffba9f121c08e Mon Sep 17 00:00:00 2001
From: Martin McKeaveney <martinmckeaveney@gmail.com>
Date: Mon, 7 Oct 2024 16:47:49 +0100
Subject: [PATCH 06/13] XSS safe mode to prevent unsanitised input

---
 packages/server/src/sdk/app/rows/tests/utils.spec.ts | 10 ++++++----
 packages/server/src/sdk/app/rows/utils.ts            |  7 +++++--
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/packages/server/src/sdk/app/rows/tests/utils.spec.ts b/packages/server/src/sdk/app/rows/tests/utils.spec.ts
index cd25880a85..9b7711993e 100644
--- a/packages/server/src/sdk/app/rows/tests/utils.spec.ts
+++ b/packages/server/src/sdk/app/rows/tests/utils.spec.ts
@@ -354,7 +354,7 @@ describe("validate", () => {
       "1' OR '1' = '1",
       "' OR 'a' = 'a",
       "<script>alert('XSS');</script>",
-      "\"><img src=x onerror=alert(1)>",
+      '"><img src=x onerror=alert(1)>',
       "</script><script>alert('test')</script>",
       "<div onmouseover=\"alert('XSS')\">Hover over me!</div>",
       "'; EXEC sp_msforeachtable 'DROP TABLE ?'; --",
@@ -362,14 +362,16 @@ describe("validate", () => {
       "UNION SELECT * FROM users",
       "INSERT INTO users (username, password) VALUES ('admin', 'password')",
       "/* This is a comment */ SELECT * FROM users",
-      "<iframe src=\"http://malicious-site.com\"></iframe>"
-    ])('test potentially unsafe input: %s', async input => {
+      '<iframe src="http://malicious-site.com"></iframe>',
+    ])("test potentially unsafe input: %s", async input => {
       environment.XSS_SAFE_MODE = true
       const table = getTable()
       const row = { text: input }
       const output = await validate({ source: table, row })
       expect(output.valid).toBe(false)
-      expect(output.errors).toBe(["Input not sanitised - potentially vulnerable to XSS"])
+      expect(output.errors).toBe([
+        "Input not sanitised - potentially vulnerable to XSS",
+      ])
       environment.XSS_SAFE_MODE = false
     })
   })
diff --git a/packages/server/src/sdk/app/rows/utils.ts b/packages/server/src/sdk/app/rows/utils.ts
index 4c02889f8f..bded6a7a18 100644
--- a/packages/server/src/sdk/app/rows/utils.ts
+++ b/packages/server/src/sdk/app/rows/utils.ts
@@ -44,7 +44,8 @@ const SQL_CLIENT_SOURCE_MAP: Record<SourceName, SqlClient | undefined> = {
   [SourceName.BUDIBASE]: undefined,
 }
 
-const XSS_INPUT_REGEX =  /[<>;"'(){}]|--|\/\*|\*\/|union|select|insert|drop|delete|update|exec|script/i
+const XSS_INPUT_REGEX =
+  /[<>;"'(){}]|--|\/\*|\*\/|union|select|insert|drop|delete|update|exec|script/i
 
 export function getSQLClient(datasource: Datasource): SqlClient {
   if (!isSQL(datasource)) {
@@ -228,7 +229,9 @@ export async function validate({
 
     if (env.XSS_SAFE_MODE && typeof row[fieldName] === "string") {
       if (XSS_INPUT_REGEX.test(row[fieldName])) {
-        errors[fieldName] = ['Input not sanitised - potentially vulnerable to XSS']
+        errors[fieldName] = [
+          "Input not sanitised - potentially vulnerable to XSS",
+        ]
       }
     }
 

From 12fdb930aa005a30e0f03999e718a27e2e3d80de Mon Sep 17 00:00:00 2001
From: Martin McKeaveney <martinmckeaveney@gmail.com>
Date: Mon, 7 Oct 2024 17:31:45 +0100
Subject: [PATCH 07/13] remove nonce

---
 .../server/src/api/controllers/static/templates/preview.hbs     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/server/src/api/controllers/static/templates/preview.hbs b/packages/server/src/api/controllers/static/templates/preview.hbs
index be38825ec9..54b5b1a4e4 100644
--- a/packages/server/src/api/controllers/static/templates/preview.hbs
+++ b/packages/server/src/api/controllers/static/templates/preview.hbs
@@ -31,7 +31,7 @@
     }
   </style>
   <script src='{{ clientLibPath }}'></script>
-  <script nonce="builderPreview">
+  <script>
     function receiveMessage(event) {
       if (!event.data) {
         return

From 809d2926691f35d22f8feaadc846fc11cb9cd5ba Mon Sep 17 00:00:00 2001
From: Martin McKeaveney <martinmckeaveney@gmail.com>
Date: Mon, 7 Oct 2024 17:34:04 +0100
Subject: [PATCH 08/13] revert nginx prod config

---
 hosting/proxy/nginx.prod.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hosting/proxy/nginx.prod.conf b/hosting/proxy/nginx.prod.conf
index 6d5db51bce..59722dac5c 100644
--- a/hosting/proxy/nginx.prod.conf
+++ b/hosting/proxy/nginx.prod.conf
@@ -51,7 +51,7 @@ http {
     proxy_buffering off;
 
     set $csp_default "default-src 'self'";
-    set $csp_script "script-src 'self' 'nonce-builderPreview' unsafe-eval' https://*.budibase.net https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io https://d2l5prqdbvm3op.cloudfront.net https://us-assets.i.posthog.com";
+    set $csp_script "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.budibase.net https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io https://d2l5prqdbvm3op.cloudfront.net https://us-assets.i.posthog.com";
     set $csp_style "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me https://maxcdn.bootstrapcdn.com";
     set $csp_object "object-src 'none'";
     set $csp_base_uri "base-uri 'self'";

From 1e6a7b66e8d5b528039e025f1d92735f741246e1 Mon Sep 17 00:00:00 2001
From: Martin McKeaveney <martinmckeaveney@gmail.com>
Date: Mon, 7 Oct 2024 17:42:35 +0100
Subject: [PATCH 09/13] pr comments

---
 .../src/sdk/app/rows/tests/utils.spec.ts      | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/packages/server/src/sdk/app/rows/tests/utils.spec.ts b/packages/server/src/sdk/app/rows/tests/utils.spec.ts
index 9b7711993e..a7bfee3ea9 100644
--- a/packages/server/src/sdk/app/rows/tests/utils.spec.ts
+++ b/packages/server/src/sdk/app/rows/tests/utils.spec.ts
@@ -8,7 +8,7 @@ import {
 import { generateTableID } from "../../../../db/utils"
 import { validate } from "../utils"
 import { generator } from "@budibase/backend-core/tests"
-import environment from "../../../../environment"
+import { withEnv } from "../../../../environment"
 
 describe("validate", () => {
   const hour = () => generator.hour().toString().padStart(2, "0")
@@ -364,15 +364,15 @@ describe("validate", () => {
       "/* This is a comment */ SELECT * FROM users",
       '<iframe src="http://malicious-site.com"></iframe>',
     ])("test potentially unsafe input: %s", async input => {
-      environment.XSS_SAFE_MODE = true
-      const table = getTable()
-      const row = { text: input }
-      const output = await validate({ source: table, row })
-      expect(output.valid).toBe(false)
-      expect(output.errors).toBe([
-        "Input not sanitised - potentially vulnerable to XSS",
-      ])
-      environment.XSS_SAFE_MODE = false
+      withEnv({ XSS_SAFE_MODE: "1" }, async () => {
+        const table = getTable()
+        const row = { text: input }
+        const output = await validate({ source: table, row })
+        expect(output.valid).toBe(false)
+        expect(output.errors).toStrictEqual({
+          text: ["Input not sanitised - potentially vulnerable to XSS"],
+        })
+      })
     })
   })
 })

From 717fa00c323aea9878b9c84bfd6288965e27687c Mon Sep 17 00:00:00 2001
From: Martin McKeaveney <martinmckeaveney@gmail.com>
Date: Mon, 7 Oct 2024 17:48:38 +0100
Subject: [PATCH 10/13] allow XSS safe mode in helm chart

---
 charts/budibase/templates/app-service-deployment.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/charts/budibase/templates/app-service-deployment.yaml b/charts/budibase/templates/app-service-deployment.yaml
index 2b099d01f5..4d0560312f 100644
--- a/charts/budibase/templates/app-service-deployment.yaml
+++ b/charts/budibase/templates/app-service-deployment.yaml
@@ -184,6 +184,10 @@ spec:
         - name: NODE_DEBUG
           value: {{ .Values.services.apps.nodeDebug | quote }}
         {{ end }}
+        {{ if .Values.services.apps.xssSafeMode }}
+        - name: XSS_SAFE_MODE
+          value: {{ .Values.services.apps.xssSafeMode | quote }}
+        {{ end }}
         {{ if .Values.globals.datadogApmEnabled }}
         - name: DD_LOGS_INJECTION
           value: {{ .Values.globals.datadogApmEnabled | quote }}

From 3d83676c033cf5d20ce88ac472b81053fb2126f8 Mon Sep 17 00:00:00 2001
From: Martin McKeaveney <martinmckeaveney@gmail.com>
Date: Mon, 7 Oct 2024 18:13:41 +0100
Subject: [PATCH 11/13] adding missing await

---
 packages/server/src/sdk/app/rows/tests/utils.spec.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/server/src/sdk/app/rows/tests/utils.spec.ts b/packages/server/src/sdk/app/rows/tests/utils.spec.ts
index a7bfee3ea9..516334d31d 100644
--- a/packages/server/src/sdk/app/rows/tests/utils.spec.ts
+++ b/packages/server/src/sdk/app/rows/tests/utils.spec.ts
@@ -364,7 +364,7 @@ describe("validate", () => {
       "/* This is a comment */ SELECT * FROM users",
       '<iframe src="http://malicious-site.com"></iframe>',
     ])("test potentially unsafe input: %s", async input => {
-      withEnv({ XSS_SAFE_MODE: "1" }, async () => {
+      await withEnv({ XSS_SAFE_MODE: "1" }, async () => {
         const table = getTable()
         const row = { text: input }
         const output = await validate({ source: table, row })

From 7d6c32b8ac34c03979a5b4a5d6d46f5b9089d7d2 Mon Sep 17 00:00:00 2001
From: Budibase Staging Release Bot <>
Date: Mon, 7 Oct 2024 17:15:05 +0000
Subject: [PATCH 12/13] Bump version to 2.32.12

---
 lerna.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lerna.json b/lerna.json
index a4bcb56d38..55721b6b2d 100644
--- a/lerna.json
+++ b/lerna.json
@@ -1,6 +1,6 @@
 {
   "$schema": "node_modules/lerna/schemas/lerna-schema.json",
-  "version": "2.32.11",
+  "version": "2.32.12",
   "npmClient": "yarn",
   "packages": [
     "packages/*",

From a4a90d7456e2a1521fe46ed73f3cc3fa6174feaa Mon Sep 17 00:00:00 2001
From: Sam Rose <hello@samwho.dev>
Date: Tue, 8 Oct 2024 09:56:51 +0100
Subject: [PATCH 13/13] Fix tests.

---
 .../backend-core/src/db/couch/DatabaseImpl.ts | 22 ++++++++++++-------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/packages/backend-core/src/db/couch/DatabaseImpl.ts b/packages/backend-core/src/db/couch/DatabaseImpl.ts
index 2ca52a2dce..1213dde8f5 100644
--- a/packages/backend-core/src/db/couch/DatabaseImpl.ts
+++ b/packages/backend-core/src/db/couch/DatabaseImpl.ts
@@ -371,15 +371,21 @@ export class DatabaseImpl implements Database {
     return this.performCall(() => {
       return async () => {
         const response = await directCouchUrlCall(args)
-        if (response.status >= 300) {
-          const text = await response.text()
-          console.error(`SQS error: ${text}`)
-          throw new CouchDBError(
-            "error while running SQS query, please try again later",
-            { name: "sqs_error", status: response.status }
-          )
+        const text = await response.text()
+        if (response.status > 300) {
+          let json
+          try {
+            json = JSON.parse(text)
+          } catch (err) {
+            console.error(`SQS error: ${text}`)
+            throw new CouchDBError(
+              "error while running SQS query, please try again later",
+              { name: "sqs_error", status: response.status }
+            )
+          }
+          throw json
         }
-        return (await response.json()) as T
+        return JSON.parse(text) as T
       }
     })
   }