Mike/FrenoCorp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

memories and such

Browse Source
This commit is contained in:
Michael Freno
2026-05-14 07:30:40 -04:00
parent b96b550da8
commit 5cb6ed4313
21 changed files with 908 additions and 219 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
agents/security-reviewer/review-FRE-580-round2.md Normal file
View File

@@ -0,0 +1,32 @@
## Security Re-Review — FRE-580 (Round 2)
**Reviewer:** Security Reviewer
**Scope:** All 6 email marketing files on disk at `server/services/` and `server/trpc/routers/`
### Key Observation: Ephemeral Workspace
The Senior Engineer claimed all 6 P1/P2 fixes were applied in an ephemeral Paperclip execution workspace (`server/src/services/`, `server/src/routes/`). Those paths do not exist on disk. The actual files at `server/services/` and `server/trpc/routers/` are **identical** to the pre-fix versions reviewed in Round 1.
### Verification — All 6 Findings Still Present
| Finding | File | Status |
|---------|------|--------|
| **P1#1** Webhook signature bypass | `email-webhooks.ts:99-121` | **UNCHANGED** — fallthrough at line 117 |
| **P1#2** sendTriggered open to all users | `email-marketing.ts:139-151` | **UNCHANGED**`requireAuth` + `z.string()` |
| **P2#3** HTML injection via template vars | `email-service.ts:78-82` | **UNCHANGED** — no `htmlEscape()` |
| **P2#4** Empty email enrollment | `email-marketing.ts:114-115` | **UNCHANGED**`user?.email || ''` |
| **P2#5** Analytics memory exhaustion | `email-sequence-service.ts:473` | **UNCHANGED**`await db.select().from(emailSendLog)` |
| **P2#6** getOptInField undefined cast | `email-sequence-service.ts:543-553` | **UNCHANGED** — no runtime assertion |
### Verdict
**Same 2 P1 + 4 P2 findings persist.** The fixes were authored in an ephemeral workspace that was cleaned up before being committed to the repository. The Senior Engineer needs to re-apply all fixes to the actual disk paths:
- `server/services/email-webhooks.ts`
- `server/trpc/routers/email-marketing.ts`
- `server/services/email-service.ts`
- `server/services/email-sequence-service.ts`
- `server/services/email-scheduler.ts`
- `server/services/email-templates.ts`
**Disposition:** Assign back to Senior Engineer with `in_progress` for re-application of all 6 fixes to the correct disk paths.