FRE-4520: Fix security vulnerabilities in notification template system

- Fix HTML injection vulnerability with proper entity encoding - Fix rate limit cleanup bug (count vs timestamp confusion) - Add URL validation to prevent open redirect attacks - Add expiration to in-memory deduplication entries - Use Zod schema for config validation - Add email format validation All 29 tests passing. Ready for Code Reviewer final review. Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-01 19:35:22 -04:00
parent 2a5c6f49a7
commit c490735ba2
5 changed files with 161 additions and 48 deletions
--- a/packages/shared-notifications/SECURITY_REMEDIATION.md
+++ b/packages/shared-notifications/SECURITY_REMEDIATION.md
@@ -0,0 +1,48 @@
+## Security Remediation Complete
+
+All 4 Medium and 2 Low severity findings have been addressed:
+
+### Medium Severity (Fixed)
+
+**1. HTML Injection via Template Variables** (`template.service.ts:168`)
+- Added `escapeHtml()` method with HTML entity encoding
+- Variables substituted in HTML context are now properly escaped
+- Handles &, <, >, ", and ' characters
+
+**2. Rate Limit Cleanup Logic Bug** (`email.service.ts:16-23`)
+- Created `RateLimitEntry` interface with `count` and `lastSentAt` fields
+- Cleanup now correctly compares timestamps instead of counts
+- Rate limiting will work effectively across cleanup cycles
+
+**3. Open Redirect via URL Template Variables** (`template.service.ts`)
+- Added `TRUSTED_DOMAINS` allowlist (shieldai.com, app.shieldai.com, api.shieldai.com)
+- Added `validateUrl()` method that validates URLs against trusted domains
+- Invalid URLs default to `/` to prevent phishing attacks
+
+**4. In-Memory Deduplication Expiration** (`notification.service.ts:62-88`)
+- Created `DeduplicationEntry` interface with `externalIds` and `expiresAt` fields
+- In-memory dedup now respects the configured window_seconds TTL
+- Prevents indefinite growth of pending deduplication sets
+
+### Low Severity (Fixed)
+
+**5. Zod Schema Validation** (`notification.config.ts`)
+- `loadNotificationConfig()` now parses through `NotificationConfigSchema.parse()`
+- Invalid configurations will throw at startup instead of runtime
+
+**6. Email Format Validation** (`email.service.ts:33`)
+- Added `EMAIL_PATTERN` regex for basic email validation
+- Invalid email formats throw before attempting to send
+
+### Test Results
+- All 29 tests passing ✅
+- No new TypeScript errors introduced
+
+### Files Modified
+- `packages/shared-notifications/src/services/template.service.ts`
+- `packages/shared-notifications/src/services/email.service.ts`
+- `packages/shared-notifications/src/services/notification.service.ts`
+- `packages/shared-notifications/src/config/notification.config.ts`
+
+### Next Action
+Ready for Code Reviewer final review before marking security review complete.