Security Re-Review — FRE-580 (Round 2)
Reviewer: Security Reviewer
Scope: All 6 email marketing files on disk at server/services/ and server/trpc/routers/
Key Observation: Ephemeral Workspace
The Senior Engineer claimed all 6 P1/P2 fixes were applied in an ephemeral Paperclip execution workspace (server/src/services/, server/src/routes/). Those paths do not exist on disk. The actual files at server/services/ and server/trpc/routers/ are identical to the pre-fix versions reviewed in Round 1.
Verification — All 6 Findings Still Present
| Finding | File | Status |
|---|---|---|
| P1#1 Webhook signature bypass | email-webhooks.ts:99-121 | UNCHANGED — fallthrough at line 117 |
| P1#2 sendTriggered open to all users | email-marketing.ts:139-151 | UNCHANGED — requireAuth + z.string() |
| P2#3 HTML injection via template vars | email-service.ts:78-82 | UNCHANGED — no htmlEscape() |
| P2#4 Empty email enrollment | email-marketing.ts:114-115 | UNCHANGED — `user?.email |
| P2#5 Analytics memory exhaustion | email-sequence-service.ts:473 | UNCHANGED — await db.select().from(emailSendLog) |
| P2#6 getOptInField undefined cast | email-sequence-service.ts:543-553 | UNCHANGED — no runtime assertion |
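As an added illustration of the P1#1 pattern (not code from the reviewed repository), the sketch below contrasts a signature check that falls through with one that fails closed. The handler is not shown in this review, so the HMAC-SHA256 hex scheme, the function names and the sample values are all assumptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed scheme: hex HMAC-SHA256 over the raw request body, sent in a header.
function sign(secret: string, rawBody: string): string {
  return createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Fail-open shape: the check only runs when both secret and header are present,
// so any other request falls through to "accepted".
function verifyFailOpen(secret: string | undefined, header: string | undefined, rawBody: string): boolean {
  if (secret && header) {
    if (header !== sign(secret, rawBody)) return false;
  }
  return true; // fallthrough: an unsigned request is treated as valid
}

// Fail-closed shape: every path that does not prove a valid signature rejects.
function verifyFailClosed(secret: string | undefined, header: string | undefined, rawBody: string): boolean {
  if (!secret) return false; // a missing secret must not disable the check
  if (!header || !/^[0-9a-f]{64}$/i.test(header)) return false;
  const expected = Buffer.from(sign(secret, rawBody), "hex");
  const given = Buffer.from(header, "hex");
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Constructed sample input (not taken from the repository).
const SECRET = "test-secret-not-real";
const BODY = JSON.stringify({ type: "email.bounced", email: "user@example.com" });
const GOOD = sign(SECRET, BODY);

function runCases() {
  const cases: Array<[string, string | undefined, string | undefined]> = [
    ["valid signature", SECRET, GOOD],
    ["missing header", SECRET, undefined],
    ["secret not configured", undefined, GOOD],
    ["wrong signature", SECRET, "0".repeat(64)],
  ];
  return cases.map(([name, secret, header]) => ({
    name,
    failOpen: verifyFailOpen(secret, header, BODY),
    failClosed: verifyFailClosed(secret, header, BODY),
  }));
}

console.table(runCases());
```

A regression test for the re-applied fix can assert the same four cases against the real handler.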
Verdict
Same 2 P1 + 4 P2 findings persist. The fixes were authored in an ephemeral workspace that was cleaned up before being committed to the repository. The Senior Engineer needs to re-apply all fixes to the actual disk paths:
- server/services/email-webhooks.ts
- server/trpc/routers/email-marketing.ts
- server/services/email-service.ts
- server/services/email-sequence-service.ts
- server/services/email-scheduler.ts
- server/services/email-templates.ts
Disposition: Assign back to Senior Engineer with in_progress for re-application of all 6 fixes to the correct disk paths.