Merge commit from fork

* [V1 Only] Change dev server's data path to ./data/v1

* Fix GHSA-2qgm-m29m-cj2h

package-lock.json

@@ -1,12 +1,12 @@
 {
     "name": "uptime-kuma",
-    "version": "1.23.14",
+    "version": "1.23.15",
     "lockfileVersion": 3,
     "requires": true,
     "packages": {
         "": {
             "name": "uptime-kuma",
-            "version": "1.23.14",
+            "version": "1.23.15",
             "license": "MIT",
             "dependencies": {
                 "@grpc/grpc-js": "~1.8.22",

package.json

@@ -24,7 +24,7 @@
         "start-frontend-devcontainer": "cross-env NODE_ENV=development DEVCONTAINER=1 vite --host --config ./config/vite.config.js",
         "start": "npm run start-server",
         "start-server": "node server/server.js",
-        "start-server-dev": "cross-env NODE_ENV=development node server/server.js",
+        "start-server-dev": "cross-env NODE_ENV=development node server/server.js --data-dir=./data/v1/",
         "build": "vite build --config ./config/vite.config.js",
         "test": "node test/prepare-test-server.js && npm run jest-backend",
         "test-with-build": "npm run build && npm test",

server/monitor-types/real-browser-monitor-type.js

@@ -193,6 +193,14 @@ class RealBrowserMonitorType extends MonitorType {
         const context = await browser.newContext();
         const page = await context.newPage();
 
+        // Prevent Local File Inclusion
+        // Accept only http:// and https://
+        // https://github.com/louislam/uptime-kuma/security/advisories/GHSA-2qgm-m29m-cj2h
+        let url = new URL(monitor.url);
+        if (url.protocol !== "http:" && url.protocol !== "https:") {
+            throw new Error("Invalid url protocol, only http and https are allowed.");
+        }
+
         const res = await page.goto(monitor.url, {
             waitUntil: "networkidle",
             timeout: monitor.interval * 1000 * 0.8,